diff --git a/job-cluster-tls-copy.yaml b/job-cluster-tls-copy.yaml
new file mode 100644
index 00000000..0b51f742
--- /dev/null
+++ b/job-cluster-tls-copy.yaml
@@ -0,0 +1,102 @@
+---
+# Namespace for envoy-gateway-system (created first)
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: envoy-gateway-system
+ labels:
+ app.kubernetes.io/name: envoy-gateway
+ app.kubernetes.io/part-of: cluster-forge
+---
+# ServiceAccount for TLS secret copy
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tls-copy-sa
+ namespace: envoy-gateway-system
+---
+# ClusterRole with permissions to manage secrets across namespaces
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tls-copy-role
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "create", "update", "patch"]
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "create"]
+---
+# ClusterRoleBinding to grant permissions to ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tls-copy-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tls-copy-role
+subjects:
+- kind: ServiceAccount
+ name: tls-copy-sa
+ namespace: envoy-gateway-system
+---
+# Job to copy TLS secret from kgateway-system to envoy-gateway-system (without modification)
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: tls-secret-copy
+ namespace: envoy-gateway-system
+spec:
+ template:
+ spec:
+ serviceAccountName: tls-copy-sa
+ restartPolicy: OnFailure
+ containers:
+ - name: copy-tls
+ image: alpine/k8s:1.28.13
+ command:
+ - /bin/sh
+ - -c
+ - |
+ echo "Starting TLS secret copy from kgateway-system to envoy-gateway-system"
+
+ # Check if source secret exists
+ if ! kubectl get secret cluster-tls -n kgateway-system >/dev/null 2>&1; then
+ echo "Source secret cluster-tls not found in kgateway-system namespace"
+ echo "This is expected during initial deployment - no copy needed"
+ exit 0
+ fi
+
+ # Verify target namespace exists
+ if ! kubectl get namespace envoy-gateway-system >/dev/null 2>&1; then
+ echo "ERROR: envoy-gateway-system namespace not found"
+ echo "This job should be applied after namespace creation"
+ exit 1
+ fi
+
+ # Check if target secret already exists
+ if kubectl get secret cluster-tls -n envoy-gateway-system >/dev/null 2>&1; then
+ echo "Target secret cluster-tls already exists in envoy-gateway-system"
+ echo "Copy completed previously"
+ exit 0
+ fi
+
+ echo "Copying cluster-tls secret with identical key-value pairs"
+
+ # Copy the secret directly using kubectl
+ kubectl get secret cluster-tls -n kgateway-system -o yaml | \
+ sed 's/namespace: kgateway-system/namespace: envoy-gateway-system/' | \
+ sed '/resourceVersion:/d' | \
+ sed '/uid:/d' | \
+ sed '/creationTimestamp:/d' | \
+ kubectl apply -f -
+
+ if [ $? -eq 0 ]; then
+ echo "Successfully copied cluster-tls secret to envoy-gateway-system"
+ echo "Secret contains the same key-value pairs as the original"
+ else
+ echo "Failed to copy cluster-tls secret"
+ exit 1
+ fi
\ No newline at end of file
diff --git a/job-cluster-tls-migration.yaml b/job-cluster-tls-migration.yaml
new file mode 100644
index 00000000..d7db3aaf
--- /dev/null
+++ b/job-cluster-tls-migration.yaml
@@ -0,0 +1,158 @@
+---
+# Namespace for envoy-gateway-system (created first)
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: envoy-gateway-system
+ labels:
+ app.kubernetes.io/name: envoy-gateway
+ app.kubernetes.io/part-of: cluster-forge
+---
+# ServiceAccount for TLS secret migration
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tls-migration-sa
+ namespace: envoy-gateway-system
+---
+# ClusterRole with permissions to manage secrets across namespaces
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: tls-migration-role
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "create", "update", "patch"]
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "create"]
+---
+# ClusterRoleBinding to grant permissions to ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tls-migration-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: tls-migration-role
+subjects:
+- kind: ServiceAccount
+ name: tls-migration-sa
+ namespace: envoy-gateway-system
+---
+# Job to migrate and split TLS secret from kgateway-system to envoy-gateway-system
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: tls-secret-migration
+ namespace: envoy-gateway-system
+spec:
+ template:
+ spec:
+ serviceAccountName: tls-migration-sa
+ restartPolicy: OnFailure
+ containers:
+ - name: migrate-tls
+ image: alpine/k8s:1.28.13
+ command:
+ - /bin/sh
+ - -c
+ - |
+ echo "Starting TLS secret migration from kgateway-system to envoy-gateway-system"
+
+ # Check if source secret exists
+ if ! kubectl get secret cluster-tls -n kgateway-system >/dev/null 2>&1; then
+ echo "Source secret cluster-tls not found in kgateway-system namespace"
+ echo "This is expected during initial deployment - no migration needed"
+ exit 0
+ fi
+
+ # Verify target namespace exists
+ if ! kubectl get namespace envoy-gateway-system >/dev/null 2>&1; then
+ echo "ERROR: envoy-gateway-system namespace not found"
+ echo "This job should be applied after namespace creation"
+ exit 1
+ fi
+
+ # Check if target secret already exists
+ if kubectl get secret cluster-tls -n envoy-gateway-system >/dev/null 2>&1; then
+ echo "Target secret cluster-tls already exists in envoy-gateway-system"
+ echo "Migration completed previously"
+ exit 0
+ fi
+
+ echo "Migrating cluster-tls secret with certificate chain splitting"
+
+ # Extract certificate data from source secret
+ TLS_CRT_DATA=$(kubectl get secret cluster-tls -n kgateway-system -o jsonpath='{.data.tls\.crt}')
+ TLS_KEY_DATA=$(kubectl get secret cluster-tls -n kgateway-system -o jsonpath='{.data.tls\.key}')
+
+ # Decode the certificate chain
+ echo "$TLS_CRT_DATA" | base64 -d > /tmp/full_chain.crt
+
+ # Split certificate chain: first cert is server cert, second cert is CA cert
+ # Count certificates in the chain
+ CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" /tmp/full_chain.crt)
+ echo "Found $CERT_COUNT certificates in chain"
+
+ if [ "$CERT_COUNT" -eq 1 ]; then
+ # Only one certificate (server cert), no CA to split
+ echo "Single certificate found, no CA cert to extract"
+ SERVER_CERT_B64="$TLS_CRT_DATA"
+ CA_CERT_B64=""
+ elif [ "$CERT_COUNT" -ge 2 ]; then
+ # Multiple certificates: split them
+ echo "Splitting certificate chain: server cert + CA cert"
+
+ # Extract first certificate (server certificate)
+ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print; if(/END CERTIFICATE/) exit}' /tmp/full_chain.crt > /tmp/server.crt
+
+ # Extract remaining certificates (CA certificate chain)
+ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {if(first_cert_done) print} /END CERTIFICATE/ {first_cert_done=1}' /tmp/full_chain.crt > /tmp/ca.crt
+
+ # Base64 encode the split certificates
+ SERVER_CERT_B64=$(cat /tmp/server.crt | base64 -w 0)
+ CA_CERT_B64=$(cat /tmp/ca.crt | base64 -w 0)
+ else
+ echo "No certificates found in tls.crt data"
+ exit 1
+ fi
+
+ # Create the new secret with split certificates
+ cat > /tmp/new_secret.yaml << 'EOF'
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: cluster-tls
+ namespace: envoy-gateway-system
+ type: kubernetes.io/tls
+ data:
+ EOF
+
+ echo " tls.crt: $SERVER_CERT_B64" >> /tmp/new_secret.yaml
+ echo " tls.key: $TLS_KEY_DATA" >> /tmp/new_secret.yaml
+
+ # Add CA certificate if it exists
+ if [ -n "$CA_CERT_B64" ]; then
+ echo " ca.crt: $CA_CERT_B64" >> /tmp/new_secret.yaml
+ fi
+
+ # Apply the new secret
+ kubectl apply -f /tmp/new_secret.yaml
+
+ if [ $? -eq 0 ]; then
+ echo "Successfully migrated and split cluster-tls secret to envoy-gateway-system"
+ if [ -n "$CA_CERT_B64" ]; then
+ echo "Certificate chain split: tls.crt (server) + ca.crt (CA)"
+ else
+ echo "Single certificate migrated: tls.crt only"
+ fi
+ else
+ echo "Failed to migrate cluster-tls secret"
+ exit 1
+ fi
+
+ # Clean up temporary files
+ rm -f /tmp/full_chain.crt /tmp/server.crt /tmp/ca.crt /tmp/new_secret.yaml
\ No newline at end of file
diff --git a/root/values.yaml b/root/values.yaml
index 762b834d..f9411eb4 100644
--- a/root/values.yaml
+++ b/root/values.yaml
@@ -28,6 +28,8 @@ apps:
helmParameters:
- name: airm-api.airm.appDomain
value: "{{ .Values.global.domain }}"
+ - name: airm-api.kgateway.namespace
+ value: envoy-gateway-system
- group: kyverno.io
jqPathExpressions:
- ".spec.rules"
@@ -43,6 +45,8 @@ apps:
helmParameters:
- name: appDomain
value: "{{ .Values.global.domain }}"
+ - name: kgateway.namespace
+ value: envoy-gateway-system
syncWave: 0
airm-infra-cnpg:
path: eai-infra/airm-cnpg/0.1.0
@@ -267,10 +271,7 @@ apps:
namespace: external-secrets
path: external-secrets-config
syncWave: -10
- gateway-api:
- namespace: default
- path: gateway-api/v1.3.0
- syncWave: -50
+
gitea:
helmParameters:
- name: clusterDomain
@@ -525,29 +526,20 @@ apps:
requests:
cpu: "250m"
memory: "512Mi"
- kgateway:
- namespace: kgateway-system
- path: kgateway/v2.1.0-main
- syncWave: -20
+ envoy-gateway:
+ namespace: envoy-gateway-system
+ path: envoy-gateway/v1.7.1
+ syncWave: -30
valuesObject:
- controller:
- image:
- registry: "ghcr.io"
- repository: silogen/kgateway-v2.1.0-main-websocket
- tag: "0.0.1"
- kgateway-config:
+ kubernetesClusterDomain: cluster.local
+ envoy-gateway-config:
helmParameters:
- name: domain
value: "{{ .Values.global.domain }}"
- namespace: kgateway-system
- path: kgateway-config
+ namespace: envoy-gateway-system
+ path: envoy-gateway-config
syncWave: -15
valuesFile: values.yaml
- kgateway-crds:
- namespace: kgateway-system
- path: kgateway-crds/v2.1.0-main
- syncWave: -30
- valuesFile: values.yaml
kserve:
namespace: kserve-system
path: kserve/v0.16.0
diff --git a/root/values_large.yaml b/root/values_large.yaml
index 917e1f54..ff96ff7a 100644
--- a/root/values_large.yaml
+++ b/root/values_large.yaml
@@ -20,7 +20,8 @@ enabledApps:
- cnpg-operator
- external-secrets
- external-secrets-config
- - gateway-api
+ - envoy-gateway
+ - envoy-gateway-config
- gitea
- gitea-config
- kaiwo
@@ -29,9 +30,6 @@ enabledApps:
- keda
- kedify-otel
- keycloak
- - kgateway
- - kgateway-config
- - kgateway-crds
- kserve
- kserve-crds
- kueue
diff --git a/root/values_medium.yaml b/root/values_medium.yaml
index 04b7e20c..7cd5362e 100644
--- a/root/values_medium.yaml
+++ b/root/values_medium.yaml
@@ -22,7 +22,8 @@ enabledApps:
- cnpg-operator
- external-secrets
- external-secrets-config
- - gateway-api
+ - envoy-gateway
+ - envoy-gateway-config
- gitea
- gitea-config
- kaiwo
@@ -31,9 +32,6 @@ enabledApps:
- keda
- kedify-otel
- keycloak
- - kgateway
- - kgateway-config
- - kgateway-crds
- kserve
- kserve-crds
- kueue
@@ -331,18 +329,14 @@ apps:
requests:
cpu: "50m"
memory: "256Mi"
- kgateway:
+ envoy-gateway:
valuesObject:
- resources:
- requests:
- cpu: "200m"
- memory: "512Mi"
- kgateway-config:
- valuesObject:
- resources:
- requests:
- cpu: "25m"
- memory: "128Mi"
+ deployment:
+ envoyGateway:
+ resources:
+ requests:
+ cpu: "200m"
+ memory: "512Mi"
kserve:
valuesObject:
resources:
@@ -389,12 +383,7 @@ apps:
requests:
cpu: "25m"
memory: "128Mi"
- kgateway-crds:
- valuesObject:
- resources:
- requests:
- cpu: "25m"
- memory: "128Mi"
+
kserve-crds:
valuesObject:
resources:
diff --git a/root/values_small.yaml b/root/values_small.yaml
index 282e517f..98cbc6b4 100644
--- a/root/values_small.yaml
+++ b/root/values_small.yaml
@@ -20,7 +20,8 @@ enabledApps:
- cnpg-operator
- external-secrets
- external-secrets-config
- - gateway-api
+ - envoy-gateway
+ - envoy-gateway-config
- gitea
- gitea-config
- kaiwo
@@ -29,9 +30,6 @@ enabledApps:
- keda
- kedify-otel
- keycloak
- - kgateway
- - kgateway-config
- - kgateway-crds
- kserve
- kserve-crds
- kuberay-operator
diff --git a/sources/aim-engine/0.2.1/values.yaml b/sources/aim-engine/0.2.1/values.yaml
index f4d9bbdd..bc8997cd 100644
--- a/sources/aim-engine/0.2.1/values.yaml
+++ b/sources/aim-engine/0.2.1/values.yaml
@@ -119,8 +119,8 @@ clusterRuntimeConfig:
# gatewayRef:
# group: gateway.networking.k8s.io
# kind: Gateway
- # name: aim-gateway
- # namespace: kgateway-system
+ # name: https
+ # namespace: envoy-gateway-system
# pathTemplate: "/{.metadata.namespace}/{.metadata.name}"
# annotations: {}
# model:
diff --git a/sources/aim-engine/0.2.2/values.yaml b/sources/aim-engine/0.2.2/values.yaml
index e419341f..e68664bc 100644
--- a/sources/aim-engine/0.2.2/values.yaml
+++ b/sources/aim-engine/0.2.2/values.yaml
@@ -103,33 +103,20 @@ prometheus:
# Creates an AIMClusterRuntimeConfig CR when enabled.
clusterRuntimeConfig:
# -- Enable creation of the AIMClusterRuntimeConfig resource
- enable: false
+ enable: true
# -- Name of the AIMClusterRuntimeConfig resource
name: default
# -- Spec fields for the AIMClusterRuntimeConfig.
# See [Runtime Configuration](../../concepts/runtime-config.md) for details.
- # @default -- `{}` (see examples below)
- # spec:
- # storage:
- # defaultStorageClassName: "standard"
- # pvcHeadroomPercent: 10
- # routing:
- # enabled: true
- # gatewayRef:
- # group: gateway.networking.k8s.io
- # kind: Gateway
- # name: aim-gateway
- # namespace: kgateway-system
- # pathTemplate: "/{.metadata.namespace}/{.metadata.name}"
- # annotations: {}
- # model:
- # autoDiscovery: true
- # env: []
- # labelPropagation:
- # enabled: true
- # match:
- # - "aim.eai.amd.com/*"
+ spec:
+ routing:
+ enabled: true
+ gatewayRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: https
+ namespace: envoy-gateway-system
# -- Cluster-wide model source for automatic model discovery from container registries.
# Creates an AIMClusterModelSource CR when enabled, installing latest AIM Container Images.
diff --git a/sources/argocd-config/http-route.yaml b/sources/argocd-config/http-route.yaml
index 82d8849c..a47e7532 100644
--- a/sources/argocd-config/http-route.yaml
+++ b/sources/argocd-config/http-route.yaml
@@ -9,7 +9,7 @@ spec:
- group: gateway.networking.k8s.io
kind: Gateway
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
rules:
- backendRefs:
- group: ''
diff --git a/sources/cluster-auth/0.5.0/templates/gateway-extension-kgateway-system.yaml b/sources/cluster-auth/0.5.0/templates/gateway-extension-kgateway-system.yaml
deleted file mode 100644
index 86779bfa..00000000
--- a/sources/cluster-auth/0.5.0/templates/gateway-extension-kgateway-system.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: GatewayExtension
-metadata:
- name: {{ include "cluster-auth.fullname" . }}-extauth
- namespace: kgateway-system
- labels:
- {{- include "cluster-auth.labels" . | nindent 4 }}
-spec:
- type: ExtAuth
- extAuth:
- grpcService:
- backendRef:
- name: {{ include "cluster-auth.fullname" . }}
- namespace: {{ .Values.namespace.name }}
- port: {{ .Values.service.grpc.port }}
diff --git a/sources/cluster-auth/0.5.0/templates/gateway-extension.yaml b/sources/cluster-auth/0.5.0/templates/gateway-extension.yaml
deleted file mode 100644
index 130fe833..00000000
--- a/sources/cluster-auth/0.5.0/templates/gateway-extension.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: GatewayExtension
-metadata:
- name: {{ include "cluster-auth.fullname" . }}-extauth
- namespace: {{ .Values.namespace.name }}
- labels:
- {{- include "cluster-auth.labels" . | nindent 4 }}
-spec:
- type: ExtAuth
- extAuth:
- grpcService:
- backendRef:
- name: {{ include "cluster-auth.fullname" . }}
- namespace: {{ .Values.namespace.name }}
- port: {{ .Values.service.grpc.port }}
diff --git a/sources/cluster-auth/0.5.0/templates/job-restart-kgateway.yaml b/sources/cluster-auth/0.5.0/templates/job-restart-envoygateway.yaml
similarity index 70%
rename from sources/cluster-auth/0.5.0/templates/job-restart-kgateway.yaml
rename to sources/cluster-auth/0.5.0/templates/job-restart-envoygateway.yaml
index 4c67452e..65704260 100644
--- a/sources/cluster-auth/0.5.0/templates/job-restart-kgateway.yaml
+++ b/sources/cluster-auth/0.5.0/templates/job-restart-envoygateway.yaml
@@ -2,12 +2,12 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: {{ include "cluster-auth.fullname" . }}-restart-kgateway
+ name: {{ include "cluster-auth.fullname" . }}-restart-envoygateway
namespace: {{ .Values.namespace.name }}
spec:
template:
spec:
- serviceAccountName: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ serviceAccountName: {{ include "cluster-auth.fullname" . }}-restart-envoygateway-sa
containers:
- name: restart
image: bitnami/kubectl:latest
@@ -16,5 +16,5 @@ spec:
- -c
- |
kubectl wait deployment {{ include "cluster-auth.fullname" . }} -n {{ .Values.namespace.name }} --for=condition=Available=True --timeout=180s
- kubectl rollout restart deployment kgateway -n kgateway-system
+ kubectl rollout restart deployment -l gateway.envoyproxy.io/owning-gateway-name=https -n envoy-gateway-system
restartPolicy: Never
diff --git a/sources/cluster-auth/0.5.0/templates/rbac-restart-job.yaml b/sources/cluster-auth/0.5.0/templates/rbac-restart-job.yaml
index c6025256..1f53d6a6 100644
--- a/sources/cluster-auth/0.5.0/templates/rbac-restart-job.yaml
+++ b/sources/cluster-auth/0.5.0/templates/rbac-restart-job.yaml
@@ -2,7 +2,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ name: {{ include "cluster-auth.fullname" . }}-restart-envoygateway-sa
namespace: {{ .Values.namespace.name }}
---
apiVersion: rbac.authorization.k8s.io/v1
@@ -18,8 +18,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- name: kgateway-restart-role
- namespace: kgateway-system
+ name: envoy-gateway-restart-role
+ namespace: envoy-gateway-system
rules:
- apiGroups: ["apps"]
resources: ["deployments"]
@@ -32,7 +32,7 @@ metadata:
namespace: {{ .Values.namespace.name }}
subjects:
- kind: ServiceAccount
- name: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ name: {{ include "cluster-auth.fullname" . }}-restart-envoygateway-sa
namespace: {{ .Values.namespace.name }}
roleRef:
kind: Role
@@ -42,13 +42,13 @@ roleRef:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
- name: kgateway-restart-binding
- namespace: kgateway-system
+ name: envoy-gateway-restart-binding
+ namespace: envoy-gateway-system
subjects:
- kind: ServiceAccount
- name: {{ include "cluster-auth.fullname" . }}-restart-kgateway-sa
+ name: {{ include "cluster-auth.fullname" . }}-restart-envoygateway-sa
namespace: {{ .Values.namespace.name }}
roleRef:
kind: Role
- name: kgateway-restart-role
+ name: envoy-gateway-restart-role
apiGroup: rbac.authorization.k8s.io
diff --git a/sources/cluster-auth/0.5.0/templates/referencegrant.yaml b/sources/cluster-auth/0.5.0/templates/referencegrant.yaml
index 8bd777d1..6e8541f3 100644
--- a/sources/cluster-auth/0.5.0/templates/referencegrant.yaml
+++ b/sources/cluster-auth/0.5.0/templates/referencegrant.yaml
@@ -1,32 +1,15 @@
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
- name: kgateway-to-{{ include "cluster-auth.fullname" . }}-extauth
+ name: envoy-gateway-to-{{ include "cluster-auth.fullname" . }}-service
namespace: {{ .Values.namespace.name }}
labels:
{{- include "cluster-auth.labels" . | nindent 4 }}
spec:
from:
- - group: gateway.kgateway.dev
- kind: TrafficPolicy
- namespace: kgateway-system
- to:
- - group: gateway.kgateway.dev
- kind: GatewayExtension
- name: {{ include "cluster-auth.fullname" . }}-extauth
----
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: ReferenceGrant
-metadata:
- name: kgateway-extauth-to-{{ include "cluster-auth.fullname" . }}-service
- namespace: {{ .Values.namespace.name }}
- labels:
- {{- include "cluster-auth.labels" . | nindent 4 }}
-spec:
- from:
- - group: gateway.kgateway.dev
- kind: GatewayExtension
- namespace: kgateway-system
+ - group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ namespace: envoy-gateway-system
to:
- group: ""
kind: Service
diff --git a/sources/cluster-auth/0.5.0/templates/security-policy-extauth.yaml b/sources/cluster-auth/0.5.0/templates/security-policy-extauth.yaml
new file mode 100644
index 00000000..d3a41e43
--- /dev/null
+++ b/sources/cluster-auth/0.5.0/templates/security-policy-extauth.yaml
@@ -0,0 +1,22 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: {{ include "cluster-auth.fullname" . }}-extauth-policy
+ namespace: envoy-gateway-system
+ labels:
+ {{- include "cluster-auth.labels" . | nindent 4 }}
+spec:
+ # Target the Gateway for global external auth (replaces TrafficPolicy functionality)
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: https
+
+ # External Authorization configuration (replaces GatewayExtension functionality)
+ extAuth:
+ grpc:
+ backendRefs:
+ - name: {{ include "cluster-auth.fullname" . }}
+ namespace: {{ .Values.namespace.name }}
+ port: {{ .Values.service.grpc.port }}
+ weight: 1
diff --git a/sources/cluster-auth/0.5.0/templates/trafficpolicy.yaml b/sources/cluster-auth/0.5.0/templates/trafficpolicy.yaml
deleted file mode 100644
index d8d25f62..00000000
--- a/sources/cluster-auth/0.5.0/templates/trafficpolicy.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: TrafficPolicy
-metadata:
- name: {{ include "cluster-auth.fullname" . }}-global
- namespace: kgateway-system
- labels:
- {{- include "cluster-auth.labels" . | nindent 4 }}
-spec:
- targetRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: https
- extAuth:
- extensionRef:
- name: {{ include "cluster-auth.fullname" . }}-extauth
\ No newline at end of file
diff --git a/sources/envoy-gateway-config/Chart.yaml b/sources/envoy-gateway-config/Chart.yaml
new file mode 100644
index 00000000..cb0bd5d9
--- /dev/null
+++ b/sources/envoy-gateway-config/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+name: envoy-gateway-config
+description: A Helm chart with CR config for envoy-gateway
+version: 0.1.0
\ No newline at end of file
diff --git a/sources/envoy-gateway-config/templates/backend-traffic-policy-websocket.yaml b/sources/envoy-gateway-config/templates/backend-traffic-policy-websocket.yaml
new file mode 100644
index 00000000..d961d9ef
--- /dev/null
+++ b/sources/envoy-gateway-config/templates/backend-traffic-policy-websocket.yaml
@@ -0,0 +1,10 @@
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+ name: websocket-global-policy
+ namespace: envoy-gateway-system
+spec:
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: https
diff --git a/sources/kgateway-config/templates/HelmChartConfig_rke2-coredns.yaml b/sources/envoy-gateway-config/templates/coredns-config.yaml
similarity index 79%
rename from sources/kgateway-config/templates/HelmChartConfig_rke2-coredns.yaml
rename to sources/envoy-gateway-config/templates/coredns-config.yaml
index 2ce5262b..2cc2102b 100644
--- a/sources/kgateway-config/templates/HelmChartConfig_rke2-coredns.yaml
+++ b/sources/envoy-gateway-config/templates/coredns-config.yaml
@@ -1,3 +1,6 @@
+# CoreDNS Configuration for Wildcard Domain Routing
+# Copied from kgateway-config with service reference update
+# Makes *.domain resolve to envoy-gateway service
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
@@ -16,7 +19,7 @@ spec:
lameduck 10s
- name: ready
- name: rewrite
- parameters: continue name regex .*\.{{ .Values.domain }} https.kgateway-system.svc.cluster.local answer auto
+ parameters: continue name regex .*\.{{ .Values.domain }} https.envoy-gateway-system.svc.cluster.local answer auto
- name: kubernetes
parameters: cluster.local cluster.local in-addr.arpa ip6.arpa
configBlock: |-
diff --git a/sources/envoy-gateway-config/templates/envoy-proxy-access-logs.yaml b/sources/envoy-gateway-config/templates/envoy-proxy-access-logs.yaml
new file mode 100644
index 00000000..1152d83e
--- /dev/null
+++ b/sources/envoy-gateway-config/templates/envoy-proxy-access-logs.yaml
@@ -0,0 +1,35 @@
+# EnvoyProxy configuration for access logging
+# Replaces kgateway HTTPListenerPolicy_access-logs.yaml functionality
+# Referenced by Gateway to enable per-gateway access logging
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: access-logging-config
+ namespace: envoy-gateway-system
+spec:
+ telemetry:
+ accessLog:
+ settings:
+ - format:
+ type: JSON
+ json:
+ start_time: "%START_TIME%"
+ method: "%REQ(X-ENVOY-ORIGINAL-METHOD?:METHOD)%"
+ path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
+ protocol: "%PROTOCOL%"
+ response_code: "%RESPONSE_CODE%"
+ response_flags: "%RESPONSE_FLAGS%"
+ bytes_received: "%BYTES_RECEIVED%"
+ bytes_sent: "%BYTES_SENT%"
+ total_duration: "%DURATION%"
+ resp_backend_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
+ req_x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
+ user_agent: "%REQ(USER-AGENT)%"
+ request_id: "%REQ(X-REQUEST-ID)%"
+ authority: "%REQ(:AUTHORITY)%"
+ backendHost: "%UPSTREAM_HOST%"
+ backendCluster: "%UPSTREAM_CLUSTER%"
+ sinks:
+ - type: File
+ file:
+ path: /dev/stdout
\ No newline at end of file
diff --git a/sources/envoy-gateway-config/templates/gateway-class.yaml b/sources/envoy-gateway-config/templates/gateway-class.yaml
new file mode 100644
index 00000000..0f1260f6
--- /dev/null
+++ b/sources/envoy-gateway-config/templates/gateway-class.yaml
@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: envoy-gateway
+spec:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
diff --git a/sources/kgateway-config/templates/Gateway_https.yaml b/sources/envoy-gateway-config/templates/gateway.yaml
similarity index 67%
rename from sources/kgateway-config/templates/Gateway_https.yaml
rename to sources/envoy-gateway-config/templates/gateway.yaml
index 7d2b519c..abdee200 100644
--- a/sources/kgateway-config/templates/Gateway_https.yaml
+++ b/sources/envoy-gateway-config/templates/gateway.yaml
@@ -1,11 +1,15 @@
----
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
spec:
- gatewayClassName: kgateway
+ gatewayClassName: envoy-gateway
+ infrastructure:
+ parametersRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyProxy
+ name: access-logging-config
listeners:
- allowedRoutes:
namespaces:
@@ -16,8 +20,8 @@ spec:
protocol: HTTPS
tls:
certificateRefs:
- - group: ''
- kind: Secret
+ - group: ''
+ kind: Secret
name: cluster-tls
mode: Terminate
- allowedRoutes:
@@ -26,7 +30,7 @@ spec:
kind: TLSRoute
namespaces:
from: All
- hostname: k8s.{{ .Values.domain }}
+ hostname: "k8s.{{ .Values.domain }}"
name: k8s-passthrough
port: 443
protocol: TLS
diff --git a/sources/envoy-gateway-config/templates/reference-grant-extauth.yaml b/sources/envoy-gateway-config/templates/reference-grant-extauth.yaml
new file mode 100644
index 00000000..fbcf17a9
--- /dev/null
+++ b/sources/envoy-gateway-config/templates/reference-grant-extauth.yaml
@@ -0,0 +1,16 @@
+# ReferenceGrant to allow cross-namespace access
+# Required because SecurityPolicy is in envoy-gateway-system but cluster-auth service is in cluster-auth namespace
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+ name: cluster-auth-extauth-grant
+ namespace: cluster-auth # cluster-auth service namespace
+spec:
+ from:
+ - group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ namespace: envoy-gateway-system # SecurityPolicy namespace
+ to:
+ - group: ""
+ kind: Service
+ name: cluster-auth # cluster-auth service name
\ No newline at end of file
diff --git a/sources/envoy-gateway-config/templates/security-policy-extauth.yaml b/sources/envoy-gateway-config/templates/security-policy-extauth.yaml
new file mode 100644
index 00000000..a7a885ad
--- /dev/null
+++ b/sources/envoy-gateway-config/templates/security-policy-extauth.yaml
@@ -0,0 +1,25 @@
+# Envoy Gateway ExtAuth Configuration
+# SecurityPolicy for Gateway-level ExtAuth (equivalent to kgateway global TrafficPolicy)
+# Replaces kgateway TrafficPolicy + GatewayExtension with Envoy Gateway SecurityPolicy
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+ name: cluster-auth-extauth-policy
+ namespace: envoy-gateway-system # Envoy Gateway namespace
+spec:
+ # Target the Gateway for global-like behavior (same as current TrafficPolicy)
+ targetRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: https # Same Gateway name as current setup
+
+ # External Authorization configuration (matches current kgateway GatewayExtension)
+ extAuth:
+ # Use gRPC external auth service (plain gRPC, no TLS - matches current setup)
+ grpc:
+ # Backend reference to cluster-auth service (exact match to current config)
+ backendRefs:
+ - name: cluster-auth
+ namespace: cluster-auth
+ port: 50051
+ weight: 1
\ No newline at end of file
diff --git a/sources/kgateway-config/templates/TLSRoute_k8s-passthrough.yaml b/sources/envoy-gateway-config/templates/tlsroute-k8s-passthrough.yaml
similarity index 65%
rename from sources/kgateway-config/templates/TLSRoute_k8s-passthrough.yaml
rename to sources/envoy-gateway-config/templates/tlsroute-k8s-passthrough.yaml
index e1adddcd..5df90c07 100644
--- a/sources/kgateway-config/templates/TLSRoute_k8s-passthrough.yaml
+++ b/sources/envoy-gateway-config/templates/tlsroute-k8s-passthrough.yaml
@@ -1,3 +1,6 @@
+# TLS Passthrough Route for Kubernetes API Access
+# Copied from kgateway-config with namespace update
+# Allows direct TLS access to Kubernetes API via k8s.domain
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
@@ -11,7 +14,7 @@ spec:
- group: gateway.networking.k8s.io
kind: Gateway
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
rules:
- backendRefs:
- group: ""
diff --git a/sources/envoy-gateway-config/values.yaml b/sources/envoy-gateway-config/values.yaml
new file mode 100644
index 00000000..235cec5e
--- /dev/null
+++ b/sources/envoy-gateway-config/values.yaml
@@ -0,0 +1 @@
+domain: # to be filled by cluster-forge app
\ No newline at end of file
diff --git a/sources/kgateway-crds/v2.0.4/.helmignore b/sources/envoy-gateway/v1.7.1/.helmignore
similarity index 92%
rename from sources/kgateway-crds/v2.0.4/.helmignore
rename to sources/envoy-gateway/v1.7.1/.helmignore
index 0e8a0eb3..9ebf1b98 100644
--- a/sources/kgateway-crds/v2.0.4/.helmignore
+++ b/sources/envoy-gateway/v1.7.1/.helmignore
@@ -21,3 +21,6 @@
.idea/
*.tmproj
.vscode/
+
+# Template files
+*.tmpl.*
diff --git a/sources/envoy-gateway/v1.7.1/Chart.yaml b/sources/envoy-gateway/v1.7.1/Chart.yaml
new file mode 100644
index 00000000..17b277cc
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v1.7.1
+description: The Helm chart for Envoy Gateway
+home: https://gateway.envoyproxy.io/
+icon: https://raw.githubusercontent.com/envoyproxy/gateway/main/site/assets/icons/logo.svg
+keywords:
+- gateway-api
+- envoyproxy
+- envoy-gateway
+- eg
+maintainers:
+- name: envoy-gateway-steering-committee
+ url: https://github.com/envoyproxy/gateway/blob/main/GOVERNANCE.md
+- name: envoy-gateway-maintainers
+ url: https://github.com/envoyproxy/gateway/blob/main/CODEOWNERS
+name: gateway-helm
+sources:
+- https://github.com/envoyproxy/gateway
+type: application
+version: v1.7.1
diff --git a/sources/envoy-gateway/v1.7.1/README.md b/sources/envoy-gateway/v1.7.1/README.md
new file mode 100644
index 00000000..f3fb772d
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/README.md
@@ -0,0 +1,121 @@
+# gateway-helm
+
+  
+
+The Helm chart for Envoy Gateway
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| envoy-gateway-steering-committee | | |
+| envoy-gateway-maintainers | | |
+
+## Source Code
+
+*
+
+## Usage
+
+[Helm](https://helm.sh) must be installed to use the charts.
+Please refer to Helm's [documentation](https://helm.sh/docs) to get started.
+
+### Install from DockerHub
+
+Once Helm has been set up correctly, install the chart from dockerhub:
+
+``` shell
+helm install eg oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --create-namespace
+```
+You can find all helm chart release in [Dockerhub](https://hub.docker.com/r/envoyproxy/gateway-helm/tags)
+
+### Install from Source Code
+
+You can also install the helm chart from the source code:
+
+To install the eg chart along with Gateway API CRDs and Envoy Gateway CRDs:
+
+``` shell
+make kube-deploy TAG=latest
+```
+
+### Skip install CRDs
+
+You can install the eg chart along without Gateway API CRDs and Envoy Gateway CRDs, make sure CRDs exist in Cluster first if you want to skip to install them, otherwise EG may fail to start:
+
+``` shell
+helm install eg --create-namespace oci://docker.io/envoyproxy/gateway-helm --version v0.0.0-latest -n envoy-gateway-system --skip-crds
+```
+
+To uninstall the chart:
+
+``` shell
+helm uninstall eg -n envoy-gateway-system
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"pod":{"annotations":{},"labels":{}},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. |
+| config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. |
+| createNamespace | bool | `false` | |
+| deployment.annotations | object | `{}` | |
+| deployment.envoyGateway.image.repository | string | `""` | |
+| deployment.envoyGateway.image.tag | string | `""` | |
+| deployment.envoyGateway.imagePullPolicy | string | `""` | |
+| deployment.envoyGateway.imagePullSecrets | list | `[]` | |
+| deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | |
+| deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
+| deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
+| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| deployment.envoyGateway.securityContext.privileged | bool | `false` | |
+| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | |
+| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | |
+| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | |
+| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| deployment.pod.affinity | object | `{}` | |
+| deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | |
+| deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | |
+| deployment.pod.labels | object | `{}` | |
+| deployment.pod.nodeSelector | object | `{}` | |
+| deployment.pod.tolerations | list | `[]` | |
+| deployment.pod.topologySpreadConstraints | list | `[]` | |
+| deployment.ports[0].name | string | `"grpc"` | |
+| deployment.ports[0].port | int | `18000` | |
+| deployment.ports[0].targetPort | int | `18000` | |
+| deployment.ports[1].name | string | `"ratelimit"` | |
+| deployment.ports[1].port | int | `18001` | |
+| deployment.ports[1].targetPort | int | `18001` | |
+| deployment.ports[2].name | string | `"wasm"` | |
+| deployment.ports[2].port | int | `18002` | |
+| deployment.ports[2].targetPort | int | `18002` | |
+| deployment.ports[3].name | string | `"metrics"` | |
+| deployment.ports[3].port | int | `19001` | |
+| deployment.ports[3].targetPort | int | `19001` | |
+| deployment.priorityClassName | string | `nil` | |
+| deployment.replicas | int | `1` | |
+| global.imagePullSecrets | list | `[]` | Global override for image pull secrets |
+| global.imageRegistry | string | `""` | Global override for image registry |
+| global.images.envoyGateway.image | string | `nil` | |
+| global.images.envoyGateway.pullPolicy | string | `nil` | |
+| global.images.envoyGateway.pullSecrets | list | `[]` | |
+| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:c8765e89"` | |
+| global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | |
+| global.images.ratelimit.pullSecrets | list | `[]` | |
+| hpa.behavior | object | `{}` | |
+| hpa.enabled | bool | `false` | |
+| hpa.maxReplicas | int | `1` | |
+| hpa.metrics | list | `[]` | |
+| hpa.minReplicas | int | `1` | |
+| kubernetesClusterDomain | string | `"cluster.local"` | |
+| podDisruptionBudget.minAvailable | int | `0` | |
+| service.annotations | object | `{}` | |
+| service.trafficDistribution | string | `""` | |
+| service.type | string | `"ClusterIP"` | Service type. Can be set to LoadBalancer with specific IP, e.g.: type: LoadBalancer loadBalancerIP: 10.236.90.20 |
+| topologyInjector.annotations | object | `{}` | |
+| topologyInjector.enabled | bool | `true` | |
+
diff --git a/sources/gateway-api/v1.3.0/experimental-install.yaml b/sources/envoy-gateway/v1.7.1/crds/gatewayapi-crds.yaml
similarity index 81%
rename from sources/gateway-api/v1.3.0/experimental-install.yaml
rename to sources/envoy-gateway/v1.7.1/crds/gatewayapi-crds.yaml
index 5b5a6d4f..ee7eb803 100644
--- a/sources/gateway-api/v1.3.0/experimental-install.yaml
+++ b/sources/envoy-gateway/v1.7.1/crds/gatewayapi-crds.yaml
@@ -24,9 +24,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
labels:
gateway.networking.k8s.io/policy: Direct
name: backendtlspolicies.gateway.networking.k8s.io
@@ -47,7 +46,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- name: v1alpha3
+ name: v1
schema:
openAPIV3Schema:
description: |-
@@ -114,6 +113,28 @@ spec:
be unique across all targetRef entries in the BackendTLSPolicy.
* They select different sectionNames in the same target.
+ When more than one BackendTLSPolicy selects the same target and
+ sectionName, implementations MUST determine precedence using the
+ following criteria, continuing on ties:
+
+ * The older policy by creation timestamp takes precedence. For
+ example, a policy with a creation timestamp of "2021-07-15
+ 01:02:03" MUST be given precedence over a policy with a
+ creation timestamp of "2021-07-15 01:02:04".
+ * The policy appearing first in alphabetical order by {name}.
+ For example, a policy named `bar` is given precedence over a
+ policy named `baz`.
+
+ For any BackendTLSPolicy that does not take precedence, the
+ implementation MUST ensure the `Accepted` Condition is set to
+ `status: False`, with Reason `Conflicted`.
+
+ Implementations SHOULD NOT support more than one targetRef at this
+ time. Although the API technically allows for this, the current guidance
+ for conflict resolution and status handling is lacking. Until that can be
+ clarified in a future release, the safest approach is to support a single
+ targetRef.
+
Support: Extended for Kubernetes Service
Support: Implementation-specific for any other resource
@@ -170,6 +191,7 @@ spec:
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName must be specified when targetRefs includes
2 or more references to the same target
@@ -198,8 +220,31 @@ spec:
not both. If CACertificateRefs is empty or unspecified, the configuration for
WellKnownCACertificates MUST be honored instead if supported by the implementation.
- References to a resource in a different namespace are invalid for the
- moment, although we will revisit this in the future.
+ A CACertificateRef is invalid if:
+
+ * It refers to a resource that cannot be resolved (e.g., the referenced resource
+ does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+ named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
+
+ * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+ must be set to `InvalidKind` and the Message of the Condition must explain which
+ kind of resource is unknown or unsupported.
+
+ * It refers to a resource in another namespace. This may change in future
+ spec updates.
+
+ Implementations MAY choose to perform further validation of the certificate
+ content (e.g., checking expiry or enforcing specific formats). In such cases,
+ an implementation-specific Reason and Message must be set for the invalid reference.
+
+ In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+ the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+ that indicate the cause of the error. Connections using an invalid
+ CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+ response. If ALL CACertificateRefs are invalid, the implementation MUST also
+ ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+ `status: False`, with a Reason `NoValidCACertificate`.
A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
Implementations MAY choose to support attaching multiple certificates to
@@ -208,8 +253,8 @@ spec:
Support: Core - An optional single reference to a Kubernetes ConfigMap,
with the CA certificate in a key named `ca.crt`.
- Support: Implementation-specific (More than one reference, or other kinds
- of resources).
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
items:
description: |-
LocalObjectReference identifies an API object within the namespace of the
@@ -247,15 +292,18 @@ spec:
type: object
maxItems: 8
type: array
+ x-kubernetes-list-type: atomic
hostname:
description: |-
Hostname is used for two purposes in the connection between Gateways and
backends:
1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
- 2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified.
- authentication and MUST match the certificate served by the matching
- backend.
+ 2. Hostname MUST be used for authentication and MUST match the certificate
+ served by the matching backend, unless SubjectAltNames is specified.
+ 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+ but MUST NOT be used for authentication. If you want to use the value
+ of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
Support: Core
maxLength: 253
@@ -325,6 +373,7 @@ spec:
"")'
maxItems: 5
type: array
+ x-kubernetes-list-type: atomic
wellKnownCACertificates:
description: |-
WellKnownCACertificates specifies whether system CA certificates may be used in
@@ -332,10 +381,11 @@ spec:
If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
must be specified with at least one entry for a valid configuration. Only one of
- CACertificateRefs or WellKnownCACertificates may be specified, not both. If an
- implementation does not support the WellKnownCACertificates field or the value
- supplied is not supported, the Status Conditions on the Policy MUST be
- updated to include an Accepted: False Condition with Reason: Invalid.
+ CACertificateRefs or WellKnownCACertificates may be specified, not both.
+ If an implementation does not support the WellKnownCACertificates field, or
+ the supplied value is not recognized, the implementation MUST ensure the
+ `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+ a Reason `Invalid`.
Support: Implementation-specific
enum:
@@ -646,10 +696,12 @@ spec:
type: string
required:
- ancestorRef
+ - conditions
- controllerName
type: object
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
required:
- ancestors
type: object
@@ -660,73 +712,15 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: null
- storedVersions: null
----
-#
-# config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml
-#
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
- gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
- name: gatewayclasses.gateway.networking.k8s.io
-spec:
- group: gateway.networking.k8s.io
- names:
- categories:
- - gateway-api
- kind: GatewayClass
- listKind: GatewayClassList
- plural: gatewayclasses
- shortNames:
- - gc
- singular: gatewayclass
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .spec.controllerName
- name: Controller
- type: string
- - jsonPath: .status.conditions[?(@.type=="Accepted")].status
- name: Accepted
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - jsonPath: .spec.description
- name: Description
- priority: 1
- type: string
- name: v1
+ - deprecated: true
+ deprecationWarning: The v1alpha3 version of BackendTLSPolicy has been deprecated
+ and will be removed in a future release of the API. Please upgrade to v1.
+ name: v1alpha3
schema:
openAPIV3Schema:
description: |-
- GatewayClass describes a class of Gateways available to the user for creating
- Gateway resources.
-
- It is recommended that this resource be used as a template for Gateways. This
- means that a Gateway is based on the state of the GatewayClass at the time it
- was created and changes to the GatewayClass or associated parameters are not
- propagated down to existing Gateways. This recommendation is intended to
- limit the blast radius of changes to GatewayClass or associated parameters.
- If implementations choose to propagate GatewayClass changes to existing
- Gateways, that MUST be clearly documented by the implementation.
-
- Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
- add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
- associated GatewayClass. This ensures that a GatewayClass associated with a
- Gateway is not deleted while in use.
-
- GatewayClass is a Cluster level resource.
+ BackendTLSPolicy provides a way to configure how a Gateway
+ connects to a Backend via TLS.
properties:
apiVersion:
description: |-
@@ -746,439 +740,646 @@ spec:
metadata:
type: object
spec:
- description: Spec defines the desired state of GatewayClass.
+ description: Spec defines the desired state of BackendTLSPolicy.
properties:
- controllerName:
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
description: |-
- ControllerName is the name of the controller that is managing Gateways of
- this class. The value of this field MUST be a domain prefixed path.
-
- Example: "example.net/gateway-controller".
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
- This field is not mutable and cannot be empty.
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- x-kubernetes-validations:
- - message: Value is immutable
- rule: self == oldSelf
- description:
- description: Description helps describe a GatewayClass with more details.
- maxLength: 64
- type: string
- parametersRef:
+ Support: Implementation-specific
+ maxProperties: 16
+ type: object
+ targetRefs:
description: |-
- ParametersRef is a reference to a resource that contains the configuration
- parameters corresponding to the GatewayClass. This is optional if the
- controller does not require any additional configuration.
+ TargetRefs identifies an API object to apply the policy to.
+ Only Services have Extended support. Implementations MAY support
+ additional objects, with Implementation Specific support.
+ Note that this config applies to the entire referenced resource
+ by default, but this default may change in the future to provide
+ a more granular application of the policy.
- ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
- or an implementation-specific custom resource. The resource can be
- cluster-scoped or namespace-scoped.
+ TargetRefs must be _distinct_. This means either that:
- If the referent cannot be found, refers to an unsupported kind, or when
- the data within that resource is malformed, the GatewayClass SHOULD be
- rejected with the "Accepted" status condition set to "False" and an
- "InvalidParameters" reason.
+ * They select different targets. If this is the case, then targetRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, and `name` must
+ be unique across all targetRef entries in the BackendTLSPolicy.
+ * They select different sectionNames in the same target.
- A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
- the merging behavior is implementation specific.
- It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+ When more than one BackendTLSPolicy selects the same target and
+ sectionName, implementations MUST determine precedence using the
+ following criteria, continuing on ties:
- Support: Implementation-specific
- properties:
- group:
- description: Group is the group of the referent.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent.
- This field is required when referring to a Namespace-scoped resource and
- MUST be unset when referring to a Cluster-scoped resource.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - group
- - kind
- - name
- type: object
- required:
- - controllerName
- type: object
- status:
- default:
- conditions:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
- description: |-
- Status defines the current state of GatewayClass.
+ * The older policy by creation timestamp takes precedence. For
+ example, a policy with a creation timestamp of "2021-07-15
+ 01:02:03" MUST be given precedence over a policy with a
+ creation timestamp of "2021-07-15 01:02:04".
+ * The policy appearing first in alphabetical order by {name}.
+ For example, a policy named `bar` is given precedence over a
+ policy named `baz`.
- Implementations MUST populate status on all GatewayClass resources which
- specify their controller name.
- properties:
- conditions:
- default:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
- description: |-
- Conditions is the current status from the controller for
- this GatewayClass.
+ For any BackendTLSPolicy that does not take precedence, the
+ implementation MUST ensure the `Accepted` Condition is set to
+ `status: False`, with Reason `Conflicted`.
- Controllers should prefer to publish conditions using values
- of GatewayClassConditionType for the type of each Condition.
+ Implementations SHOULD NOT support more than one targetRef at this
+ time. Although the API technically allows for this, the current guidance
+ for conflict resolution and status handling is lacking. Until that can be
+ clarified in a future release, the safest approach is to support a single
+ targetRef.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- supportedFeatures:
- description: |-
- SupportedFeatures is the set of features the GatewayClass support.
- It MUST be sorted in ascending alphabetical order by the Name key.
- items:
- properties:
name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
description: |-
- FeatureName is used to describe distinct features that are covered by
- conformance tests.
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
+ - group
+ - kind
- name
type: object
- maxItems: 64
+ maxItems: 16
+ minItems: 1
type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.controllerName
- name: Controller
- type: string
- - jsonPath: .status.conditions[?(@.type=="Accepted")].status
- name: Accepted
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- - jsonPath: .spec.description
- name: Description
- priority: 1
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: |-
- GatewayClass describes a class of Gateways available to the user for creating
- Gateway resources.
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName must be specified when targetRefs includes
+ 2 or more references to the same target
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName
+ == '''') == (!has(p2.sectionName) || p2.sectionName == ''''))
+ : true))'
+ - message: sectionName must be unique when targetRefs includes 2 or
+ more references to the same target
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) ||
+ p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName))))
+ validation:
+ description: Validation contains backend TLS validation configuration.
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to Kubernetes objects that
+ contain a PEM-encoded TLS CA certificate bundle, which is used to
+ validate a TLS handshake between the Gateway and backend Pod.
- It is recommended that this resource be used as a template for Gateways. This
- means that a Gateway is based on the state of the GatewayClass at the time it
- was created and changes to the GatewayClass or associated parameters are not
- propagated down to existing Gateways. This recommendation is intended to
- limit the blast radius of changes to GatewayClass or associated parameters.
- If implementations choose to propagate GatewayClass changes to existing
- Gateways, that MUST be clearly documented by the implementation.
+ If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+ specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+ not both. If CACertificateRefs is empty or unspecified, the configuration for
+ WellKnownCACertificates MUST be honored instead if supported by the implementation.
- Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
- add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
- associated GatewayClass. This ensures that a GatewayClass associated with a
- Gateway is not deleted while in use.
+ A CACertificateRef is invalid if:
- GatewayClass is a Cluster level resource.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of GatewayClass.
- properties:
- controllerName:
- description: |-
- ControllerName is the name of the controller that is managing Gateways of
- this class. The value of this field MUST be a domain prefixed path.
+ * It refers to a resource that cannot be resolved (e.g., the referenced resource
+ does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key
+ named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef`
+ and the Message of the Condition must indicate which reference is invalid and why.
- Example: "example.net/gateway-controller".
+ * It refers to an unknown or unsupported kind of resource. In this case, the Reason
+ must be set to `InvalidKind` and the Message of the Condition must explain which
+ kind of resource is unknown or unsupported.
- This field is not mutable and cannot be empty.
+ * It refers to a resource in another namespace. This may change in future
+ spec updates.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- x-kubernetes-validations:
- - message: Value is immutable
- rule: self == oldSelf
- description:
- description: Description helps describe a GatewayClass with more details.
- maxLength: 64
- type: string
- parametersRef:
- description: |-
- ParametersRef is a reference to a resource that contains the configuration
- parameters corresponding to the GatewayClass. This is optional if the
- controller does not require any additional configuration.
+ Implementations MAY choose to perform further validation of the certificate
+ content (e.g., checking expiry or enforcing specific formats). In such cases,
+ an implementation-specific Reason and Message must be set for the invalid reference.
- ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
- or an implementation-specific custom resource. The resource can be
- cluster-scoped or namespace-scoped.
+ In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on
+ the BackendTLSPolicy is set to `status: False`, with a Reason and Message
+ that indicate the cause of the error. Connections using an invalid
+ CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error
+ response. If ALL CACertificateRefs are invalid, the implementation MUST also
+ ensure the `Accepted` Condition on the BackendTLSPolicy is set to
+ `status: False`, with a Reason `NoValidCACertificate`.
- If the referent cannot be found, refers to an unsupported kind, or when
- the data within that resource is malformed, the GatewayClass SHOULD be
- rejected with the "Accepted" status condition set to "False" and an
- "InvalidParameters" reason.
+ A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a backend, but this behavior is implementation-specific.
- A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
- the merging behavior is implementation specific.
- It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+ Support: Core - An optional single reference to a Kubernetes ConfigMap,
+ with the CA certificate in a key named `ca.crt`.
- Support: Implementation-specific
- properties:
- group:
- description: Group is the group of the referent.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
+ Support: Implementation-specific - More than one reference, other kinds
+ of resources, or a single reference that includes multiple certificates.
+ items:
+ description: |-
+ LocalObjectReference identifies an API object within the namespace of the
+ referrer.
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example "HTTPRoute"
+ or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-type: atomic
+ hostname:
+ description: |-
+ Hostname is used for two purposes in the connection between Gateways and
+ backends:
+
+ 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+ 2. Hostname MUST be used for authentication and MUST match the certificate
+ served by the matching backend, unless SubjectAltNames is specified.
+ 3. If SubjectAltNames are specified, Hostname can be used for certificate selection
+ but MUST NOT be used for authentication. If you want to use the value
+ of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.
+
+ Support: Core
maxLength: 253
minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
- namespace:
+ subjectAltNames:
description: |-
- Namespace is the namespace of the referent.
- This field is required when referring to a Namespace-scoped resource and
- MUST be unset when referring to a Cluster-scoped resource.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - group
- - kind
- - name
+ SubjectAltNames contains one or more Subject Alternative Names.
+ When specified the certificate served from the backend MUST
+ have at least one Subject Alternate Name matching one of the specified SubjectAltNames.
+
+ Support: Extended
+ items:
+ description: SubjectAltName represents Subject Alternative Name.
+ properties:
+ hostname:
+ description: |-
+ Hostname contains Subject Alternative Name specified in DNS name format.
+ Required when Type is set to Hostname, ignored otherwise.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ type:
+ description: |-
+ Type determines the format of the Subject Alternative Name. Always required.
+
+ Support: Core
+ enum:
+ - Hostname
+ - URI
+ type: string
+ uri:
+ description: |-
+ URI contains Subject Alternative Name specified in a full URI format.
+ It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+ Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+ Required when Type is set to URI, ignored otherwise.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: SubjectAltName element must contain Hostname, if
+ Type is set to Hostname
+ rule: '!(self.type == "Hostname" && (!has(self.hostname) ||
+ self.hostname == ""))'
+ - message: SubjectAltName element must not contain Hostname,
+ if Type is not set to Hostname
+ rule: '!(self.type != "Hostname" && has(self.hostname) &&
+ self.hostname != "")'
+ - message: SubjectAltName element must contain URI, if Type
+ is set to URI
+ rule: '!(self.type == "URI" && (!has(self.uri) || self.uri
+ == ""))'
+ - message: SubjectAltName element must not contain URI, if Type
+ is not set to URI
+ rule: '!(self.type != "URI" && has(self.uri) && self.uri !=
+ "")'
+ maxItems: 5
+ type: array
+ x-kubernetes-list-type: atomic
+ wellKnownCACertificates:
+ description: |-
+ WellKnownCACertificates specifies whether system CA certificates may be used in
+ the TLS handshake between the gateway and backend pod.
+
+ If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+ must be specified with at least one entry for a valid configuration. Only one of
+ CACertificateRefs or WellKnownCACertificates may be specified, not both.
+ If an implementation does not support the WellKnownCACertificates field, or
+ the supplied value is not recognized, the implementation MUST ensure the
+ `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with
+ a Reason `Invalid`.
+
+ Support: Implementation-specific
+ enum:
+ - System
+ type: string
+ required:
+ - hostname
type: object
+ x-kubernetes-validations:
+ - message: must not contain both CACertificateRefs and WellKnownCACertificates
+ rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")'
+ - message: must specify either CACertificateRefs or WellKnownCACertificates
+ rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")
required:
- - controllerName
+ - targetRefs
+ - validation
type: object
status:
- default:
- conditions:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
- description: |-
- Status defines the current state of GatewayClass.
-
- Implementations MUST populate status on all GatewayClass resources which
- specify their controller name.
+ description: Status defines the current state of BackendTLSPolicy.
properties:
- conditions:
- default:
- - lastTransitionTime: "1970-01-01T00:00:00Z"
- message: Waiting for controller
- reason: Pending
- status: Unknown
- type: Accepted
+ ancestors:
description: |-
- Conditions is the current status from the controller for
- this GatewayClass.
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
- Controllers should prefer to publish conditions using values
- of GatewayClassConditionType for the type of each Condition.
- items:
- description: Condition contains details for one aspect of the current
- state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- supportedFeatures:
- description: |-
- SupportedFeatures is the set of features the GatewayClass support.
- It MUST be sorted in ascending alphabetical order by the Name key.
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
- name:
+ ancestorRef:
description: |-
- FeatureName is used to describe distinct features that are covered by
- conformance tests.
- type: string
- required:
- - name
- type: object
- maxItems: 64
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - conditions
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
status: {}
status:
acceptedNames:
@@ -1188,49 +1389,64 @@ status:
storedVersions: null
---
#
-# config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
+# config/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
- name: gateways.gateway.networking.k8s.io
+ name: gatewayclasses.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
- kind: Gateway
- listKind: GatewayList
- plural: gateways
+ kind: GatewayClass
+ listKind: GatewayClassList
+ plural: gatewayclasses
shortNames:
- - gtw
- singular: gateway
- scope: Namespaced
+ - gc
+ singular: gatewayclass
+ scope: Cluster
versions:
- additionalPrinterColumns:
- - jsonPath: .spec.gatewayClassName
- name: Class
+ - jsonPath: .spec.controllerName
+ name: Controller
type: string
- - jsonPath: .status.addresses[*].value
- name: Address
- type: string
- - jsonPath: .status.conditions[?(@.type=="Programmed")].status
- name: Programmed
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
name: v1
schema:
openAPIV3Schema:
description: |-
- Gateway represents an instance of a service-traffic handling infrastructure
- by binding Listeners to a set of IP addresses.
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
properties:
apiVersion:
description: |-
@@ -1250,319 +1466,784 @@ spec:
metadata:
type: object
spec:
- description: Spec defines the desired state of Gateway.
+ description: Spec defines the desired state of GatewayClass.
properties:
- addresses:
+ controllerName:
description: |-
- Addresses requested for this Gateway. This is optional and behavior can
- depend on the implementation. If a value is set in the spec and the
- requested address is invalid or unavailable, the implementation MUST
- indicate this in the associated entry in GatewayStatus.Addresses.
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
- The Addresses field represents a request for the address(es) on the
- "outside of the Gateway", that traffic bound for this Gateway will use.
- This could be the IP address or hostname of an external load balancer or
- other networking infrastructure, or some other address that traffic will
- be sent to.
+ Example: "example.net/gateway-controller".
- If no Addresses are specified, the implementation MAY schedule the
- Gateway in an implementation-specific manner, assigning an appropriate
- set of Addresses.
+ This field is not mutable and cannot be empty.
- The implementation MUST bind all Listeners to every GatewayAddress that
- it assigns to the Gateway and add a corresponding entry in
- GatewayStatus.Addresses.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
- Support: Extended
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
items:
- description: GatewaySpecAddress describes an address that can be
- bound to a Gateway.
- oneOf:
- - properties:
- type:
- enum:
- - IPAddress
- value:
- anyOf:
- - format: ipv4
- - format: ipv6
- - properties:
- type:
- not:
- enum:
- - IPAddress
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
- type:
- default: IPAddress
- description: Type of the address.
- maxLength: 253
- minLength: 1
- pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
type: string
- value:
+ message:
description: |-
- When a value is unspecified, an implementation SHOULD automatically
- assign an address matching the requested type if possible.
-
- If an implementation does not support an empty value, they MUST set the
- "Programmed" condition in status to False with a reason of "AddressNotAssigned".
-
- Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
- maxLength: 253
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
type: object
- x-kubernetes-validations:
- - message: Hostname value must only contain valid characters (matching
- ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
- rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
- true'
- maxItems: 16
+ maxItems: 8
type: array
- x-kubernetes-validations:
- - message: IPAddress values must be unique
- rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
- a2.type == a1.type && a2.value == a1.value) : true )'
- - message: Hostname values must be unique
- rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
- a2.type == a1.type && a2.value == a1.value) : true )'
- allowedListeners:
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ supportedFeatures:
description: |-
- AllowedListeners defines which ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
- properties:
- namespaces:
- default:
- from: None
- description: |-
- Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
- While this feature is experimental, the default value is to allow no ListenerSets.
- properties:
- from:
- default: None
- description: |-
- From indicates where ListenerSets can attach to this Gateway. Possible
- values are:
-
- * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
- * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
- * All: ListenerSets in all namespaces may be attached to this Gateway.
- * None: Only listeners defined in the Gateway's spec are allowed
-
- While this feature is experimental, the default value None
- enum:
- - All
- - Selector
- - Same
- - None
- type: string
- selector:
- description: |-
- Selector must be specified when From is set to "Selector". In that case,
- only ListenerSets in Namespaces matching this Selector will be selected by this
- Gateway. This field is ignored for other values of "From".
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector
- requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: object
- backendTLS:
- description: |-
- BackendTLS configures TLS settings for when this Gateway is connecting to
- backends with TLS.
-
- Support: Core
- properties:
- clientCertificateRef:
- description: |-
- ClientCertificateRef is a reference to an object that contains a Client
- Certificate and the associated private key.
+ SupportedFeatures is the set of features the GatewayClass support.
+ It MUST be sorted in ascending alphabetical order by the Name key.
+ items:
+ properties:
+ name:
+ description: |-
+ FeatureName is used to describe distinct features that are covered by
+ conformance tests.
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.controllerName
+ name: Controller
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ - jsonPath: .spec.description
+ name: Description
+ priority: 1
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
- ClientCertificateRef can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
- This setting can be overridden on the service level by use of BackendTLSPolicy.
+ GatewayClass is a Cluster level resource.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of GatewayClass.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
- Support: Core
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Secret
- description: Kind is kind of the referent. For example "Secret".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
+ Example: "example.net/gateway-controller".
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ This field is not mutable and cannot be empty.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- gatewayClassName:
- description: |-
- GatewayClassName used for this Gateway. This is the name of a
- GatewayClass resource.
+ Support: Core
maxLength: 253
minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
- infrastructure:
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description helps describe a GatewayClass with more details.
+ maxLength: 64
+ type: string
+ parametersRef:
description: |-
- Infrastructure defines infrastructure level attributes about this Gateway instance.
-
- Support: Extended
- properties:
- annotations:
- additionalProperties:
- description: |-
- AnnotationValue is the value of an annotation in Gateway API. This is used
- for validation of maps such as TLS options. This roughly matches Kubernetes
- annotation validation, although the length validation in that case is based
- on the entire size of the annotations struct.
- maxLength: 4096
- minLength: 0
- type: string
- description: |-
- Annotations that SHOULD be applied to any resources created in response to this Gateway.
-
- For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
- For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
-
- An implementation may chose to add additional implementation-specific annotations as they see fit.
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
- Support: Extended
- maxProperties: 8
- type: object
- x-kubernetes-validations:
- - message: Annotation keys must be in the form of an optional
- DNS subdomain prefix followed by a required name segment of
- up to 63 characters.
- rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
- - message: If specified, the annotation key's prefix must be a
- DNS subdomain not longer than 253 characters in total.
- rule: self.all(key, key.split("/")[0].size() < 253)
- labels:
- additionalProperties:
- description: |-
- LabelValue is the value of a label in the Gateway API. This is used for validation
- of maps such as Gateway infrastructure labels. This matches the Kubernetes
- label validation rules:
- * must be 63 characters or less (can be empty),
- * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
- * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
- Valid values include:
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
- * MyValue
- * my.name
- * 123-my-value
- maxLength: 63
- minLength: 0
- pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
- type: string
- description: |-
- Labels that SHOULD be applied to any resources created in response to this Gateway.
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
- For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
- For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Status defines the current state of GatewayClass.
- An implementation may chose to add additional implementation-specific labels as they see fit.
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
- If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
- change, it SHOULD clearly warn about this behavior in documentation.
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ supportedFeatures:
+ description: |-
+ SupportedFeatures is the set of features the GatewayClass support.
+ It MUST be sorted in ascending alphabetical order by the Name key.
+ items:
+ properties:
+ name:
+ description: |-
+ FeatureName is used to describe distinct features that are covered by
+ conformance tests.
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_gateways.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.4.1
+ gateway.networking.k8s.io/channel: experimental
+ name: gateways.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: Gateway
+ listKind: GatewayList
+ plural: gateways
+ shortNames:
+ - gtw
+ singular: gateway
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.gatewayClassName
+ name: Class
+ type: string
+ - jsonPath: .status.addresses[*].value
+ name: Address
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Gateway.
+ properties:
+ addresses:
+ description: |-
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in an associated entry in GatewayStatus.Conditions.
- Support: Extended
- maxProperties: 8
- type: object
- x-kubernetes-validations:
- - message: Label keys must be in the form of an optional DNS subdomain
- prefix followed by a required name segment of up to 63 characters.
- rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
- - message: If specified, the label key's prefix must be a DNS
- subdomain not longer than 253 characters in total.
- rule: self.all(key, key.split("/")[0].size() < 253)
- parametersRef:
- description: |-
- ParametersRef is a reference to a resource that contains the configuration
- parameters corresponding to the Gateway. This is optional if the
- controller does not require any additional configuration.
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
- This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
- The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
- the merging behavior is implementation specific.
- It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+ items:
+ description: GatewaySpecAddress describes an address that can be
+ bound to a Gateway.
+ oneOf:
+ - properties:
+ type:
+ enum:
+ - IPAddress
+ value:
+ anyOf:
+ - format: ipv4
+ - format: ipv6
+ - properties:
+ type:
+ not:
+ enum:
+ - IPAddress
+ properties:
+ type:
+ default: IPAddress
+ description: Type of the address.
+ maxLength: 253
+ minLength: 1
+ pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ value:
+ description: |-
+ When a value is unspecified, an implementation SHOULD automatically
+ assign an address matching the requested type if possible.
+
+ If an implementation does not support an empty value, they MUST set the
+ "Programmed" condition in status to False with a reason of "AddressNotAssigned".
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
+ maxLength: 253
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: Hostname value must be empty or contain only valid characters
+ (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")):
+ true'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: IPAddress values must be unique
+ rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ?
+ self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
+ == a1.value) : true )'
+ - message: Hostname values must be unique
+ rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ?
+ self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
+ == a1.value) : true )'
+ allowedListeners:
+ description: |-
+ AllowedListeners defines which ListenerSets can be attached to this Gateway.
+ While this feature is experimental, the default value is to allow no ListenerSets.
+ properties:
+ namespaces:
+ default:
+ from: None
+ description: |-
+ Namespaces defines which namespaces ListenerSets can be attached to this Gateway.
+ While this feature is experimental, the default value is to allow no ListenerSets.
+ properties:
+ from:
+ default: None
+ description: |-
+ From indicates where ListenerSets can attach to this Gateway. Possible
+ values are:
+
+ * Same: Only ListenerSets in the same namespace may be attached to this Gateway.
+ * Selector: ListenerSets in namespaces selected by the selector may be attached to this Gateway.
+ * All: ListenerSets in all namespaces may be attached to this Gateway.
+ * None: Only listeners defined in the Gateway's spec are allowed
+
+ While this feature is experimental, the default value None
+ enum:
+ - All
+ - Selector
+ - Same
+ - None
+ type: string
+ selector:
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only ListenerSets in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ defaultScope:
+ description: |-
+ DefaultScope, when set, configures the Gateway as a default Gateway,
+ meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+ attached to it, according to the scope configured here.
+
+ If unset (the default) or set to None, the Gateway will not act as a
+ default Gateway; if set, the Gateway will claim any Route with a
+ matching scope set in its UseDefaultGateway field, subject to the usual
+ rules about which routes the Gateway can attach to.
+
+ Think carefully before using this functionality! While the normal rules
+ about which Route can apply are still enforced, it is simply easier for
+ the wrong Route to be accidentally attached to this Gateway in this
+ configuration. If the Gateway operator is not also the operator in
+ control of the scope (e.g. namespace) with tight controls and checks on
+ what kind of workloads and Routes get added in that scope, we strongly
+ recommend not using this just because it seems convenient, and instead
+ stick to direct Route attachment.
+ enum:
+ - All
+ - None
+ type: string
+ gatewayClassName:
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ infrastructure:
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
+ properties:
+ annotations:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ labels:
+ additionalProperties:
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
+ minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
+ type: string
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
+ maxProperties: 8
+ type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
If the referent cannot be found, refers to an unsupported kind, or when
the data within that resource is malformed, the Gateway SHOULD be
@@ -1825,6 +2506,7 @@ spec:
type: object
maxItems: 8
type: array
+ x-kubernetes-list-type: atomic
namespaces:
default:
from: Same
@@ -1992,7 +2674,7 @@ spec:
the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
if the Protocol field is "HTTP", "TCP", or "UDP".
- The association of SNIs to Certificate defined in GatewayTLSConfig is
+ The association of SNIs to Certificate defined in ListenerTLSConfig is
defined based on the Hostname field for this listener.
The GatewayClass MUST use the longest matching SNI out of all
@@ -2079,107 +2761,21 @@ spec:
type: object
maxItems: 64
type: array
- frontendValidation:
+ x-kubernetes-list-type: atomic
+ mode:
+ default: Terminate
description: |-
- FrontendValidation holds configuration information for validating the frontend (client).
- Setting this field will require clients to send a client certificate
- required for validation during the TLS handshake. In browsers this may result in a dialog appearing
- that requests a user to specify the client certificate.
- The maximum depth of a certificate chain accepted in verification is Implementation specific.
-
- Support: Extended
- properties:
- caCertificateRefs:
- description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
-
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
-
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
-
- Support: Implementation-specific (More than one reference, or other kinds
- of resources).
-
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
- items:
- description: |-
- ObjectReference identifies an API object including its namespace.
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
-
- References to objects with invalid Group and Kind are not valid, and must
- be rejected by the implementation, with appropriate Conditions set
- on the containing object.
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When set to the empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For
- example "ConfigMap" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
-
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 8
- minItems: 1
- type: array
- type: object
- mode:
- default: Terminate
- description: |-
- Mode defines the TLS behavior for the TLS session initiated by the client.
- There are two possible modes:
-
- - Terminate: The TLS session between the downstream client and the
- Gateway is terminated at the Gateway. This mode requires certificates
- to be specified in some way, such as populating the certificateRefs
- field.
- - Passthrough: The TLS session is NOT terminated by the Gateway. This
- implies that the Gateway can't decipher the TLS stream except for
- the ClientHello message of the TLS protocol. The certificateRefs field
- is ignored in this mode.
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
Support: Core
enum:
@@ -2244,6 +2840,366 @@ spec:
rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
== l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
== l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ tls:
+ description: |-
+ TLS specifies frontend and backend tls configuration for entire gateway.
+
+ Support: Extended
+ properties:
+ backend:
+ description: |-
+ Backend describes TLS configuration for gateway when connecting
+ to backends.
+
+ Note that this contains only details for the Gateway as a TLS client,
+ and does _not_ imply behavior about how to choose which backend should
+ get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+
+ Support: Core
+ properties:
+ clientCertificateRef:
+ description: |-
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ frontend:
+ description: |-
+ Frontend describes TLS config when client connects to Gateway.
+ Support: Core
+ properties:
+ default:
+ description: |-
+ Default specifies the default client certificate validation configuration
+ for all Listeners handling HTTPS traffic, unless a per-port configuration
+ is defined.
+
+ support: Core
+ properties:
+ validation:
+ description: |-
+ Validation holds configuration information for validating the frontend (client).
+ Setting this field will result in mutual authentication when connecting to the gateway.
+ In browsers this may result in a dialog appearing
+ that requests a user to specify the client certificate.
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.
+
+ Support: Core
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single CA certificate reference to a Kubernetes ConfigMap
+ has "Core" support.
+ Implementations MAY choose to support attaching multiple CA certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one certificate in a ConfigMap
+ with different keys or more than one reference, or other kinds of resources).
+
+ References to a resource in a different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+ items:
+ description: |-
+ ObjectReference identifies an API object including its namespace.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When set to the empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "ConfigMap" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ mode:
+ default: AllowValidOnly
+ description: |-
+ FrontendValidationMode defines the mode for validating the client certificate.
+ There are two possible modes:
+
+ - AllowValidOnly: In this mode, the gateway will accept connections only if
+ the client presents a valid certificate. This certificate must successfully
+ pass validation against the CA certificates specified in `CACertificateRefs`.
+ - AllowInsecureFallback: In this mode, the gateway will accept connections
+ even if the client certificate is not presented or fails verification.
+
+ This approach delegates client authorization to the backend and introduce
+ a significant security risk. It should be used in testing environments or
+ on a temporary basis in non-testing environments.
+
+ Defaults to AllowValidOnly.
+
+ Support: Core
+ enum:
+ - AllowValidOnly
+ - AllowInsecureFallback
+ type: string
+ required:
+ - caCertificateRefs
+ type: object
+ type: object
+ perPort:
+ description: |-
+ PerPort specifies tls configuration assigned per port.
+ Per port configuration is optional. Once set this configuration overrides
+ the default configuration for all Listeners handling HTTPS traffic
+ that match this port.
+ Each override port requires a unique TLS configuration.
+
+ support: Core
+ items:
+ properties:
+ port:
+ description: |-
+ The Port indicates the Port Number to which the TLS configuration will be
+ applied. This configuration will be applied to all Listeners handling HTTPS
+ traffic that match this port.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ tls:
+ description: |-
+ TLS store the configuration that will be applied to all Listeners handling
+ HTTPS traffic and matching given port.
+
+ Support: Core
+ properties:
+ validation:
+ description: |-
+ Validation holds configuration information for validating the frontend (client).
+ Setting this field will result in mutual authentication when connecting to the gateway.
+ In browsers this may result in a dialog appearing
+ that requests a user to specify the client certificate.
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.
+
+ Support: Core
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single CA certificate reference to a Kubernetes ConfigMap
+ has "Core" support.
+ Implementations MAY choose to support attaching multiple CA certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one certificate in a ConfigMap
+ with different keys or more than one reference, or other kinds of resources).
+
+ References to a resource in a different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+ items:
+ description: |-
+ ObjectReference identifies an API object including its namespace.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When set to the empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ For example "ConfigMap" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ mode:
+ default: AllowValidOnly
+ description: |-
+ FrontendValidationMode defines the mode for validating the client certificate.
+ There are two possible modes:
+
+ - AllowValidOnly: In this mode, the gateway will accept connections only if
+ the client presents a valid certificate. This certificate must successfully
+ pass validation against the CA certificates specified in `CACertificateRefs`.
+ - AllowInsecureFallback: In this mode, the gateway will accept connections
+ even if the client certificate is not presented or fails verification.
+
+ This approach delegates client authorization to the backend and introduce
+ a significant security risk. It should be used in testing environments or
+ on a temporary basis in non-testing environments.
+
+ Defaults to AllowValidOnly.
+
+ Support: Core
+ enum:
+ - AllowValidOnly
+ - AllowInsecureFallback
+ type: string
+ required:
+ - caCertificateRefs
+ type: object
+ type: object
+ required:
+ - port
+ - tls
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - port
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: Port for TLS configuration must be unique within
+ the Gateway
+ rule: self.all(t1, self.exists_one(t2, t1.port == t2.port))
+ required:
+ - default
+ type: object
+ type: object
required:
- gatewayClassName
- listeners
@@ -2318,6 +3274,7 @@ spec:
true'
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
@@ -2531,6 +3488,7 @@ spec:
type: object
maxItems: 8
type: array
+ x-kubernetes-list-type: atomic
required:
- attachedRoutes
- conditions
@@ -2595,7 +3553,7 @@ spec:
Addresses requested for this Gateway. This is optional and behavior can
depend on the implementation. If a value is set in the spec and the
requested address is invalid or unavailable, the implementation MUST
- indicate this in the associated entry in GatewayStatus.Addresses.
+ indicate this in an associated entry in GatewayStatus.Conditions.
The Addresses field represents a request for the address(es) on the
"outside of the Gateway", that traffic bound for this Gateway will use.
@@ -2650,19 +3608,22 @@ spec:
type: string
type: object
x-kubernetes-validations:
- - message: Hostname value must only contain valid characters (matching
- ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
- rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""):
+ - message: Hostname value must be empty or contain only valid characters
+ (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$)
+ rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")):
true'
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: IPAddress values must be unique
- rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2,
- a2.type == a1.type && a2.value == a1.value) : true )'
+ rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ?
+ self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
+ == a1.value) : true )'
- message: Hostname values must be unique
- rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
- a2.type == a1.type && a2.value == a1.value) : true )'
+ rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ?
+ self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value
+ == a1.value) : true )'
allowedListeners:
description: |-
AllowedListeners defines which ListenerSets can be attached to this Gateway.
@@ -2744,70 +3705,29 @@ spec:
x-kubernetes-map-type: atomic
type: object
type: object
- backendTLS:
+ defaultScope:
description: |-
- BackendTLS configures TLS settings for when this Gateway is connecting to
- backends with TLS.
-
- Support: Core
- properties:
- clientCertificateRef:
- description: |-
- ClientCertificateRef is a reference to an object that contains a Client
- Certificate and the associated private key.
-
- References to a resource in different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
-
- ClientCertificateRef can reference to standard Kubernetes resources, i.e.
- Secret, or implementation-specific custom resources.
-
- This setting can be overridden on the service level by use of BackendTLSPolicy.
-
- Support: Core
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Secret
- description: Kind is kind of the referent. For example "Secret".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
-
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
+ DefaultScope, when set, configures the Gateway as a default Gateway,
+ meaning it will dynamically and implicitly have Routes (e.g. HTTPRoute)
+ attached to it, according to the scope configured here.
+
+ If unset (the default) or set to None, the Gateway will not act as a
+ default Gateway; if set, the Gateway will claim any Route with a
+ matching scope set in its UseDefaultGateway field, subject to the usual
+ rules about which routes the Gateway can attach to.
+
+ Think carefully before using this functionality! While the normal rules
+ about which Route can apply are still enforced, it is simply easier for
+ the wrong Route to be accidentally attached to this Gateway in this
+ configuration. If the Gateway operator is not also the operator in
+ control of the scope (e.g. namespace) with tight controls and checks on
+ what kind of workloads and Routes get added in that scope, we strongly
+ recommend not using this just because it seems convenient, and instead
+ stick to direct Route attachment.
+ enum:
+ - All
+ - None
+ type: string
gatewayClassName:
description: |-
GatewayClassName used for this Gateway. This is the name of a
@@ -3163,6 +4083,7 @@ spec:
type: object
maxItems: 8
type: array
+ x-kubernetes-list-type: atomic
namespaces:
default:
from: Same
@@ -3330,7 +4251,7 @@ spec:
the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
if the Protocol field is "HTTP", "TCP", or "UDP".
- The association of SNIs to Certificate defined in GatewayTLSConfig is
+ The association of SNIs to Certificate defined in ListenerTLSConfig is
defined based on the Hostname field for this listener.
The GatewayClass MUST use the longest matching SNI out of all
@@ -3417,107 +4338,21 @@ spec:
type: object
maxItems: 64
type: array
- frontendValidation:
+ x-kubernetes-list-type: atomic
+ mode:
+ default: Terminate
description: |-
- FrontendValidation holds configuration information for validating the frontend (client).
- Setting this field will require clients to send a client certificate
- required for validation during the TLS handshake. In browsers this may result in a dialog appearing
- that requests a user to specify the client certificate.
- The maximum depth of a certificate chain accepted in verification is Implementation specific.
-
- Support: Extended
- properties:
- caCertificateRefs:
- description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
-
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
-
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
-
- Support: Implementation-specific (More than one reference, or other kinds
- of resources).
-
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
- items:
- description: |-
- ObjectReference identifies an API object including its namespace.
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
-
- References to objects with invalid Group and Kind are not valid, and must
- be rejected by the implementation, with appropriate Conditions set
- on the containing object.
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When set to the empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For
- example "ConfigMap" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
-
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 8
- minItems: 1
- type: array
- type: object
- mode:
- default: Terminate
- description: |-
- Mode defines the TLS behavior for the TLS session initiated by the client.
- There are two possible modes:
-
- - Terminate: The TLS session between the downstream client and the
- Gateway is terminated at the Gateway. This mode requires certificates
- to be specified in some way, such as populating the certificateRefs
- field.
- - Passthrough: The TLS session is NOT terminated by the Gateway. This
- implies that the Gateway can't decipher the TLS stream except for
- the ClientHello message of the TLS protocol. The certificateRefs field
- is ignored in this mode.
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
Support: Core
enum:
@@ -3582,6 +4417,366 @@ spec:
rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol
== l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname
== l2.hostname : !has(l1.hostname) && !has(l2.hostname))))'
+ tls:
+ description: |-
+ TLS specifies frontend and backend tls configuration for entire gateway.
+
+ Support: Extended
+ properties:
+ backend:
+ description: |-
+ Backend describes TLS configuration for gateway when connecting
+ to backends.
+
+ Note that this contains only details for the Gateway as a TLS client,
+ and does _not_ imply behavior about how to choose which backend should
+ get a TLS connection. That is determined by the presence of a BackendTLSPolicy.
+
+ Support: Core
+ properties:
+ clientCertificateRef:
+ description: |-
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ frontend:
+ description: |-
+ Frontend describes TLS config when client connects to Gateway.
+ Support: Core
+ properties:
+ default:
+ description: |-
+ Default specifies the default client certificate validation configuration
+ for all Listeners handling HTTPS traffic, unless a per-port configuration
+ is defined.
+
+ support: Core
+ properties:
+ validation:
+ description: |-
+ Validation holds configuration information for validating the frontend (client).
+ Setting this field will result in mutual authentication when connecting to the gateway.
+ In browsers this may result in a dialog appearing
+ that requests a user to specify the client certificate.
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.
+
+ Support: Core
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single CA certificate reference to a Kubernetes ConfigMap
+ has "Core" support.
+ Implementations MAY choose to support attaching multiple CA certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one certificate in a ConfigMap
+ with different keys or more than one reference, or other kinds of resources).
+
+ References to a resource in a different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+ items:
+ description: |-
+ ObjectReference identifies an API object including its namespace.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When set to the empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "ConfigMap" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ mode:
+ default: AllowValidOnly
+ description: |-
+ FrontendValidationMode defines the mode for validating the client certificate.
+ There are two possible modes:
+
+ - AllowValidOnly: In this mode, the gateway will accept connections only if
+ the client presents a valid certificate. This certificate must successfully
+ pass validation against the CA certificates specified in `CACertificateRefs`.
+ - AllowInsecureFallback: In this mode, the gateway will accept connections
+ even if the client certificate is not presented or fails verification.
+
+ This approach delegates client authorization to the backend and introduce
+ a significant security risk. It should be used in testing environments or
+ on a temporary basis in non-testing environments.
+
+ Defaults to AllowValidOnly.
+
+ Support: Core
+ enum:
+ - AllowValidOnly
+ - AllowInsecureFallback
+ type: string
+ required:
+ - caCertificateRefs
+ type: object
+ type: object
+ perPort:
+ description: |-
+ PerPort specifies tls configuration assigned per port.
+ Per port configuration is optional. Once set this configuration overrides
+ the default configuration for all Listeners handling HTTPS traffic
+ that match this port.
+ Each override port requires a unique TLS configuration.
+
+ support: Core
+ items:
+ properties:
+ port:
+ description: |-
+ The Port indicates the Port Number to which the TLS configuration will be
+ applied. This configuration will be applied to all Listeners handling HTTPS
+ traffic that match this port.
+
+ Support: Core
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ tls:
+ description: |-
+ TLS store the configuration that will be applied to all Listeners handling
+ HTTPS traffic and matching given port.
+
+ Support: Core
+ properties:
+ validation:
+ description: |-
+ Validation holds configuration information for validating the frontend (client).
+ Setting this field will result in mutual authentication when connecting to the gateway.
+ In browsers this may result in a dialog appearing
+ that requests a user to specify the client certificate.
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.
+
+ Support: Core
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single CA certificate reference to a Kubernetes ConfigMap
+ has "Core" support.
+ Implementations MAY choose to support attaching multiple CA certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one certificate in a ConfigMap
+ with different keys or more than one reference, or other kinds of resources).
+
+ References to a resource in a different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+ items:
+ description: |-
+ ObjectReference identifies an API object including its namespace.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When set to the empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ For example "ConfigMap" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ mode:
+ default: AllowValidOnly
+ description: |-
+ FrontendValidationMode defines the mode for validating the client certificate.
+ There are two possible modes:
+
+ - AllowValidOnly: In this mode, the gateway will accept connections only if
+ the client presents a valid certificate. This certificate must successfully
+ pass validation against the CA certificates specified in `CACertificateRefs`.
+ - AllowInsecureFallback: In this mode, the gateway will accept connections
+ even if the client certificate is not presented or fails verification.
+
+ This approach delegates client authorization to the backend and introduce
+ a significant security risk. It should be used in testing environments or
+ on a temporary basis in non-testing environments.
+
+ Defaults to AllowValidOnly.
+
+ Support: Core
+ enum:
+ - AllowValidOnly
+ - AllowInsecureFallback
+ type: string
+ required:
+ - caCertificateRefs
+ type: object
+ type: object
+ required:
+ - port
+ - tls
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - port
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: Port for TLS configuration must be unique within
+ the Gateway
+ rule: self.all(t1, self.exists_one(t2, t1.port == t2.port))
+ required:
+ - default
+ type: object
+ type: object
required:
- gatewayClassName
- listeners
@@ -3656,6 +4851,7 @@ spec:
true'
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
conditions:
default:
- lastTransitionTime: "1970-01-01T00:00:00Z"
@@ -3869,6 +5065,7 @@ spec:
type: object
maxItems: 8
type: array
+ x-kubernetes-list-type: atomic
required:
- attachedRoutes
- conditions
@@ -3903,9 +5100,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
name: grpcroutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
@@ -3983,9138 +5179,11182 @@ spec:
Host header to select a GRPCRoute to process the request. This matches
the RFC 1123 definition of a hostname with 2 notable exceptions:
- 1. IPs are not allowed.
- 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
- label MUST appear by itself as the first label.
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label MUST appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and GRPCRoute, there
+ MUST be at least one intersecting hostname for the GRPCRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the other
+ hand, `example.com` and `test.example.net` would not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and GRPCRoute have specified hostnames, any
+ GRPCRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ GRPCRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` MUST NOT be considered for a match.
+
+ If both the Listener and GRPCRoute have specified hostnames, and none
+ match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+ the implementation. The implementation MUST raise an 'Accepted' Condition
+ with a status of `False` in the corresponding RouteParentStatus.
+
+ If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+ Listener and that listener already has another Route (B) of the other
+ type attached and the intersection of the hostnames of A and B is
+ non-empty, then the implementation MUST accept exactly one of these two
+ routes, determined by the following criteria, in order:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ The rejected Route MUST raise an 'Accepted' condition with a status of
+ 'False' in the corresponding RouteParentStatus.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ parentRefs:
+ description: |-
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of GRPC matchers, filters and actions.
+ items:
+ description: |-
+ GRPCRouteRule defines the semantics for matching a gRPC request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive an `UNAVAILABLE` status.
+
+ See the GRPCBackendRef definition for the rules about what makes a single
+ GRPCBackendRef invalid.
+
+ When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive an `UNAVAILABLE` status.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+ Implementations may choose how that 50 percent is determined.
+
+ Support: Core for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
+ items:
+ description: |-
+ GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+ properties:
+ filters:
+ description: |-
+ Filters defined at this level MUST be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in GRPCRouteRule.)
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |-
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ fraction:
+ description: |-
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal
+ to denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |-
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ required:
+ - backendRef
+ type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be
+ specified in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ The effects of ordering of multiple behaviors are currently unspecified.
+ This can change in the future based on feedback during the alpha stage.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations that support
+ GRPCRoute.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ If an implementation cannot support a combination of filters, it must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
+ items:
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |-
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ fraction:
+ description: |-
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to
+ denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |-
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ required:
+ - backendRef
+ type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be specified
+ in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- If a hostname is specified by both the Listener and GRPCRoute, there
- MUST be at least one intersecting hostname for the GRPCRoute to be
- attached to the Listener. For example:
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- * A Listener with `test.example.com` as the hostname matches GRPCRoutes
- that have either not specified any hostnames, or have specified at
- least one of `test.example.com` or `*.example.com`.
- * A Listener with `*.example.com` as the hostname matches GRPCRoutes
- that have either not specified any hostnames or have specified at least
- one hostname that matches the Listener hostname. For example,
- `test.example.com` and `*.example.com` would both match. On the other
- hand, `example.com` and `test.example.net` would not match.
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
- as a suffix match. That means that a match for `*.example.com` would match
- both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- If both the Listener and GRPCRoute have specified hostnames, any
- GRPCRoute hostnames that do not match the Listener hostname MUST be
- ignored. For example, if a Listener specified `*.example.com`, and the
- GRPCRoute specified `test.example.com` and `test.example.net`,
- `test.example.net` MUST NOT be considered for a match.
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- If both the Listener and GRPCRoute have specified hostnames, and none
- match with the criteria above, then the GRPCRoute MUST NOT be accepted by
- the implementation. The implementation MUST raise an 'Accepted' Condition
- with a status of `False` in the corresponding RouteParentStatus.
+ Config:
+ remove: ["my-header1", "my-header3"]
- If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
- Listener and that listener already has another Route (B) of the other
- type attached and the intersection of the hostnames of A and B is
- non-empty, then the implementation MUST accept exactly one of these two
- routes, determined by the following criteria, in order:
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- * The oldest Route based on creation timestamp.
- * The Route appearing first in alphabetical order by
- "{namespace}/{name}".
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- The rejected Route MUST raise an 'Accepted' condition with a status of
- 'False' in the corresponding RouteParentStatus.
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
- Support: Core
- items:
- description: |-
- Hostname is the fully qualified domain name of a network host. This matches
- the RFC 1123 definition of a hostname with 2 notable exceptions:
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- 1. IPs are not allowed.
- 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
- label must appear by itself as the first label.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
- Hostname can be "precise" which is a domain name without the terminating
- dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
- domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
- Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
- alphanumeric characters or '-', and must start and end with an alphanumeric
- character. No other punctuation is allowed.
- maxLength: 253
- minLength: 1
- pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- maxItems: 16
- type: array
- parentRefs:
- description: |-
- ParentRefs references the resources (usually Gateways) that a Route wants
- to be attached to. Note that the referenced parent resource needs to
- allow this for the attachment to be complete. For Gateways, that means
- the Gateway needs to allow attachment from Routes of this kind and
- namespace. For Services, that means the Service must either be in the same
- namespace for a "producer" route, or the mesh implementation must support
- and allow "consumer" routes for the referenced Service. ReferenceGrant is
- not applicable for governing ParentRefs to Services - it is not possible to
- create a "producer" route for a Service in a different namespace from the
- Route.
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+ enum:
+ - ResponseHeaderModifier
+ - RequestHeaderModifier
+ - RequestMirror
+ - ExtensionRef
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ matches:
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ gRPC requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
- There are two kinds of parent resources with "Core" support:
+ For example, take the following matches configuration:
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ ```
+ matches:
+ - method:
+ service: foo.bar
+ headers:
+ values:
+ version: 2
+ - method:
+ service: foo.bar.v2
+ ```
- This API may be extended in the future to support additional kinds of parent
- resources.
+ For a request to match against this rule, it MUST satisfy
+ EITHER of the two conditions:
- ParentRefs must be _distinct_. This means either that:
+ - service of foo.bar AND contains the header `version: 2`
+ - service of foo.bar.v2
- * They select different objects. If this is the case, then parentRef
- entries are distinct. In terms of fields, this means that the
- multi-part key defined by `group`, `kind`, `namespace`, and `name` must
- be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field used,
- each ParentRef that selects the same object must set the same set of
- optional fields to different values. If one ParentRef sets a
- combination of optional fields, all must set the same combination.
+ See the documentation for GRPCRouteMatch on how to specify multiple
+ match conditions to be ANDed together.
- Some examples:
+ If no matches are specified, the implementation MUST match every gRPC request.
- * If one ParentRef sets `sectionName`, all ParentRefs referencing the
- same object must also set `sectionName`.
- * If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`.
- * If one ParentRef sets `sectionName` and `port`, all ParentRefs
- referencing the same object must also set `sectionName` and `port`.
+ Proxy or Load Balancer routing configuration generated from GRPCRoutes
+ MUST prioritize rules based on the following criteria, continuing on
+ ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+ Precedence MUST be given to the rule with the largest number of:
- It is possible to separately reference multiple distinct objects that may
- be collapsed by an implementation. For example, some implementations may
- choose to merge compatible Gateway Listeners together. If that is the
- case, the list of routes attached to those resources should also be
- merged.
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+ * Characters in a matching service.
+ * Characters in a matching method.
+ * Header matches.
- Note that for ParentRefs that cross namespace boundaries, there are specific
- rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example,
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable other kinds of cross-namespace reference.
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
+ If ties still exist within the Route that has been given precedence,
+ matching precedence MUST be granted to the first matching rule meeting
+ the above criteria.
+ items:
+ description: |-
+ GRPCRouteMatch defines the predicate used to match requests to a given
+ action. Multiple match types are ANDed together, i.e. the match will
+ evaluate to true only if all conditions are satisfied.
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
- items:
- description: |-
- ParentReference identifies an API object (usually a Gateway) that can be considered
- a parent of this resource (usually a route). There are two kinds of parent resources
- with "Core" support:
+ For example, the match below will match a gRPC request only if its service
+ is `foo` AND it contains the `version: v1` header:
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ ```
+ matches:
+ - method:
+ type: Exact
+ service: "foo"
+ headers:
+ - name: "version"
+ value "v1"
- This API may be extended in the future to support additional kinds of parent
- resources.
+ ```
+ properties:
+ headers:
+ description: |-
+ Headers specifies gRPC request header matchers. Multiple match values are
+ ANDed together, meaning, a request MUST match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the gRPC Header to be matched.
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: |-
- Group is the group of the referent.
- When unspecified, "gateway.networking.k8s.io" is inferred.
- To set the core API group (such as for a "Service" kind referent),
- Group must be explicitly set to "" (empty string).
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ the value of the header.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of the gRPC Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies a gRPC request service/method matcher. If this field is
+ not specified, all services and methods will match.
+ properties:
+ method:
+ description: |-
+ Value of the method to match against. If left empty or omitted, will
+ match all services.
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: |-
- Kind is kind of the referent.
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ service:
+ description: |-
+ Value of the service to match against. If left empty or omitted, will
+ match any service.
- There are two kinds of parent resources with "Core" support:
+ At least one of Service and Method MUST be a non-empty string.
+ maxLength: 1024
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the service and/or method.
+ Support: Core (Exact with service and method specified)
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Support: Implementation-specific (Exact with method specified but no service specified)
- Support for other resources is Implementation-Specific.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: One or both of 'service' or 'method' must be
+ specified
+ rule: 'has(self.type) ? has(self.service) || has(self.method)
+ : true'
+ - message: service must only contain valid characters
+ (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
+ true'
+ - message: method must only contain valid characters (matching
+ ^[A-Za-z_][A-Za-z_0-9]*$)
+ rule: '(!has(self.type) || self.type == ''Exact'') &&
+ has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
+ true'
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: atomic
name:
description: |-
- Name is the name of the referent.
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
- Support: Core
+ Support: Extended
maxLength: 253
minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. When unspecified, this refers
- to the local namespace of the Route.
-
- Note that there are specific rules for ParentRefs which cross namespace
- boundaries. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example:
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable any other kind of cross-namespace reference.
-
-
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
-
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
-
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
+ sessionPersistence:
description: |-
- Port is the network port this Route targets. It can be interpreted
- differently based on the type of parent resource.
+ SessionPersistence defines and configures session persistence
+ for the route rule.
- When the parent resource is a Gateway, this targets all listeners
- listening on the specified port that also support this kind of Route(and
- select this Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to a specific port
- as opposed to a listener(s) whose port(s) may be changed. When both Port
- and SectionName are specified, the name and port of the selected listener
- must match both specified values.
+ Support: Extended
+ properties:
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
- When the parent resource is a Service, this targets a specific port in the
- Service spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified values.
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
- Implementations MAY choose to support other parent resources.
- Implementations supporting other types of parent resources MUST clearly
- document how/if Port is interpreted.
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
- For the purpose of status, an attachment is considered successful as
- long as the parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
+ Defaults to "Session".
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- description: |-
- SectionName is the name of a section within the target resource. In the
- following resources, SectionName is interpreted as the following:
+ Support: Core for "Session" type
- * Gateway: Listener name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
- * Service: Port name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
- Implementations MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName is
- interpreted.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
+ Support: Implementation-specific
+ maxLength: 128
+ type: string
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
+ Support: Core for "Cookie" type
+
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
type: object
- maxItems: 32
+ maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- - message: sectionName or port must be specified when parentRefs includes
- 2 or more references to the same parent
- rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
- || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
- p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
- || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
- || p2.port == 0)): true))'
- - message: sectionName or port must be unique when parentRefs includes
- 2 or more references to the same parent
- rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
- || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
- == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
- p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
- || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
- == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
- == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
- == p2.port))))
- rules:
- description: Rules are a list of GRPC matchers, filters and actions.
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()
+ : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()
+ : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()
+ : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()
+ : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()
+ : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()
+ : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()
+ : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()
+ : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()
+ : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()
+ : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()
+ : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()
+ : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()
+ : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()
+ : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()
+ : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()
+ : 0) : 0) <= 128'
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
+ type: object
+ status:
+ description: Status defines the current state of GRPCRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
items:
description: |-
- GRPCRouteRule defines the semantics for matching a gRPC request based on
- conditions (matches), processing it (filters), and forwarding the request to
- an API object (backendRefs).
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
properties:
- backendRefs:
+ conditions:
description: |-
- BackendRefs defines the backend(s) where matching requests should be
- sent.
-
- Failure behavior here depends on how many BackendRefs are specified and
- how many are invalid.
-
- If *all* entries in BackendRefs are invalid, and there are also no filters
- specified in this route rule, *all* traffic which matches this rule MUST
- receive an `UNAVAILABLE` status.
-
- See the GRPCBackendRef definition for the rules about what makes a single
- GRPCBackendRef invalid.
-
- When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
- requests that would have otherwise been routed to an invalid backend. If
- multiple backends are specified, and some are invalid, the proportion of
- requests that would otherwise have been routed to an invalid backend
- MUST receive an `UNAVAILABLE` status.
-
- For example, if two backends are specified with equal weights, and one is
- invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
- Implementations may choose how that 50 percent is determined.
-
- Support: Core for Kubernetes Service
-
- Support: Implementation-specific for any other resource
-
- Support for weight: Core
- items:
- description: |-
- GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
-
- Note that when a namespace different than the local namespace is specified, a
- ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
- When the BackendRef points to a Kubernetes Service, implementations SHOULD
- honor the appProtocol field if it is set for the target Service Port.
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
- Implementations supporting appProtocol SHOULD recognize the Kubernetes
- Standard Application Protocols defined in KEP-3726.
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
- If a Service appProtocol isn't specified, an implementation MAY infer the
- backend protocol through its own means. Implementations MAY infer the
- protocol from the Route type referring to the backend Service.
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
- If a Route is not able to send traffic to the backend using the specified
- protocol then the backend is considered invalid. Implementations MUST set the
- "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+ * The Route refers to a nonexistent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
- filters:
+ lastTransitionTime:
description: |-
- Filters defined at this level MUST be executed if and only if the
- request is being forwarded to the backend defined here.
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
- Support: Implementation-specific (For broader support of filters, use the
- Filters field in GRPCRouteRule.)
- items:
- description: |-
- GRPCRouteFilter defines processing steps that must be completed during the
- request or response lifecycle. GRPCRouteFilters are meant as an extension
- point to express processing that may be done in Gateway implementations. Some
- examples include request or response modification, implementing
- authentication strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type of the filter.
- properties:
- extensionRef:
- description: |-
- ExtensionRef is an optional, implementation-specific extension to the
- "filter" behavior. For example, resource "myroutefilter" in group
- "networking.example.net"). ExtensionRef MUST NOT be used for core and
- extended filters.
+ Example: "example.net/gateway-controller".
- Support: Implementation-specific
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- This filter can be used multiple times within the same rule.
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For
- example "HTTPRoute" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- requestHeaderModifier:
- description: |-
- RequestHeaderModifier defines a schema for a filter that modifies request
- headers.
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
- Support: Core
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ There are two kinds of parent resources with "Core" support:
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
- Config:
- remove: ["my-header1", "my-header3"]
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
- Config:
- set:
- - name: "my-header"
- value: "bar"
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- requestMirror:
- description: |-
- RequestMirror defines a schema for a filter that mirrors requests.
- Requests are sent to the specified destination, but responses from
- that destination are ignored.
- This filter can be used multiple times within the same rule. Note that
- not all implementations will be able to support mirroring to multiple
- backends.
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
- Support: Extended
- properties:
- backendRef:
- description: |-
- BackendRef references a resource where mirrored requests are sent.
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
- Mirrored requests must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many endpoints are present
- within this BackendRef.
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
- If the referent cannot be found, this BackendRef is invalid and must be
- dropped from the Gateway. The controller must ensure the "ResolvedRefs"
- condition on the Route status is set to `status: False` and not configure
- this backend in the underlying implementation.
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
- If there is a cross-namespace reference to an *existing* object
- that is not allowed by a ReferenceGrant, the controller must ensure the
- "ResolvedRefs" condition on the Route is set to `status: False`,
- with the "RefNotPermitted" reason and not configure this backend in the
- underlying implementation.
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
- In either error case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about the problem.
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
- Support: Extended for Kubernetes Service
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - conditions
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.4.1
+ gateway.networking.k8s.io/channel: experimental
+ name: httproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: HTTPRoute
+ listKind: HTTPRouteList
+ plural: httproutes
+ singular: httproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
- Support: Implementation-specific for any other resource
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
- Defaults to "Service" when not specified.
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
- Support: Core (Services with a type other than ExternalName)
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind
- == ''Service'') ? has(self.port) : true'
- fraction:
- description: |-
- Fraction represents the fraction of requests that should be
- mirrored to BackendRef.
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- properties:
- denominator:
- default: 100
- format: int32
- minimum: 1
- type: integer
- numerator:
- format: int32
- minimum: 0
- type: integer
- required:
- - numerator
- type: object
- x-kubernetes-validations:
- - message: numerator must be less than or equal
- to denominator
- rule: self.numerator <= self.denominator
- percent:
- description: |-
- Percent represents the percentage of requests that should be
- mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
- requests) and its maximum value is 100 (indicating 100% of requests).
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- required:
- - backendRef
- type: object
- x-kubernetes-validations:
- - message: Only one of percent or fraction may be
- specified in HTTPRequestMirrorFilter
- rule: '!(has(self.percent) && has(self.fraction))'
- responseHeaderModifier:
- description: |-
- ResponseHeaderModifier defines a schema for a filter that modifies response
- headers.
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
- Support: Extended
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ parentRefs:
+ description: |-
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ There are two kinds of parent resources with "Core" support:
- Config:
- remove: ["my-header1", "my-header3"]
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ This API may be extended in the future to support additional kinds of parent
+ resources.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ ParentRefs must be _distinct_. This means either that:
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Some examples:
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type:
- description: |-
- Type identifies the type of filter to apply. As with other API fields,
- types are classified into three conformance levels:
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
- - Core: Filter types and their corresponding configuration defined by
- "Support: Core" in this package, e.g. "RequestHeaderModifier". All
- implementations supporting GRPCRoute MUST support core filters.
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
- - Extended: Filter types and their corresponding configuration defined by
- "Support: Extended" in this package, e.g. "RequestMirror". Implementers
- are encouraged to support extended filters.
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
- - Implementation-specific: Filters that are defined and supported by specific vendors.
- In the future, filters showing convergence in behavior across multiple
- implementations will be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration for such filters
- is specified using the ExtensionRef field. `Type` MUST be set to
- "ExtensionRef" for custom filters.
- Implementers are encouraged to define custom implementation types to
- extend the core API with implementation-specific behavior.
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- If a reference to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have been processed by
- that filter MUST receive a HTTP error response.
- enum:
- - ResponseHeaderModifier
- - RequestHeaderModifier
- - RequestMirror
- - ExtensionRef
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: filter.requestHeaderModifier must be nil
- if the filter.type is not RequestHeaderModifier
- rule: '!(has(self.requestHeaderModifier) && self.type
- != ''RequestHeaderModifier'')'
- - message: filter.requestHeaderModifier must be specified
- for RequestHeaderModifier filter.type
- rule: '!(!has(self.requestHeaderModifier) && self.type
- == ''RequestHeaderModifier'')'
- - message: filter.responseHeaderModifier must be nil
- if the filter.type is not ResponseHeaderModifier
- rule: '!(has(self.responseHeaderModifier) && self.type
- != ''ResponseHeaderModifier'')'
- - message: filter.responseHeaderModifier must be specified
- for ResponseHeaderModifier filter.type
- rule: '!(!has(self.responseHeaderModifier) && self.type
- == ''ResponseHeaderModifier'')'
- - message: filter.requestMirror must be nil if the filter.type
- is not RequestMirror
- rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
- - message: filter.requestMirror must be specified for
- RequestMirror filter.type
- rule: '!(!has(self.requestMirror) && self.type ==
- ''RequestMirror'')'
- - message: filter.extensionRef must be nil if the filter.type
- is not ExtensionRef
- rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
- - message: filter.extensionRef must be specified for
- ExtensionRef filter.type
- rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: RequestHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
- <= 1
- - message: ResponseHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
- <= 1
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
- Defaults to "Service" when not specified.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ This API may be extended in the future to support additional kinds of parent
+ resources.
- Support: Core (Services with a type other than ExternalName)
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ There are two kinds of parent resources with "Core" support:
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- description: |-
- Weight specifies the proportion of requests forwarded to the referenced
- backend. This is computed as weight/(sum of all weights in this
- BackendRefs list). For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision an
- implementation supports. Weight is not a percentage and the sum of
- weights does not need to equal 100.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- If only one backend is specified and it has a weight greater than 0, 100%
- of the traffic is forwarded to that backend. If weight is set to 0, no
- traffic should be forwarded for this entry. If unspecified, weight
- defaults to 1.
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
- Support for this field varies based on the context where used.
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- maxItems: 16
- type: array
- filters:
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
description: |-
- Filters define the filters that are applied to requests that match
- this rule.
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
- The effects of ordering of multiple behaviors are currently unspecified.
- This can change in the future based on feedback during the alpha stage.
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
- Conformance-levels at this level are defined based on the type of filter:
- - ALL core filters MUST be supported by all implementations that support
- GRPCRoute.
- - Implementers are encouraged to support extended filters.
- - Implementation-specific custom filters have no API guarantees across
- implementations.
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- Specifying the same filter multiple times is not supported unless explicitly
- indicated in the filter.
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
- If an implementation cannot support a combination of filters, it must clearly
- document that limitation. In cases where incompatible or unsupported
- filters are specified and cause the `Accepted` condition to be set to status
- `False`, implementations may use the `IncompatibleFilters` reason to specify
- this configuration error.
Support: Core
- items:
- description: |-
- GRPCRouteFilter defines processing steps that must be completed during the
- request or response lifecycle. GRPCRouteFilters are meant as an extension
- point to express processing that may be done in Gateway implementations. Some
- examples include request or response modification, implementing
- authentication strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type of the filter.
- properties:
- extensionRef:
- description: |-
- ExtensionRef is an optional, implementation-specific extension to the
- "filter" behavior. For example, resource "myroutefilter" in group
- "networking.example.net"). ExtensionRef MUST NOT be used for core and
- extended filters.
-
- Support: Implementation-specific
-
- This filter can be used multiple times within the same rule.
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For example
- "HTTPRoute" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- requestHeaderModifier:
- description: |-
- RequestHeaderModifier defines a schema for a filter that modifies request
- headers.
-
- Support: Core
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
-
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
- Config:
- remove: ["my-header1", "my-header3"]
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- requestMirror:
- description: |-
- RequestMirror defines a schema for a filter that mirrors requests.
- Requests are sent to the specified destination, but responses from
- that destination are ignored.
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
- This filter can be used multiple times within the same rule. Note that
- not all implementations will be able to support mirroring to multiple
- backends.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: Rules are a list of HTTP matchers, filters and actions.
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
- Support: Extended
- properties:
- backendRef:
- description: |-
- BackendRef references a resource where mirrored requests are sent.
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
- Mirrored requests must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many endpoints are present
- within this BackendRef.
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
- If the referent cannot be found, this BackendRef is invalid and must be
- dropped from the Gateway. The controller must ensure the "ResolvedRefs"
- condition on the Route status is set to `status: False` and not configure
- this backend in the underlying implementation.
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
- If there is a cross-namespace reference to an *existing* object
- that is not allowed by a ReferenceGrant, the controller must ensure the
- "ResolvedRefs" condition on the Route is set to `status: False`,
- with the "RefNotPermitted" reason and not configure this backend in the
- underlying implementation.
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
- In either error case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about the problem.
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
- Support: Extended for Kubernetes Service
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
- Support: Implementation-specific for any other resource
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ Support: Core for Kubernetes Service
- Defaults to "Service" when not specified.
+ Support: Extended for Kubernetes ServiceImport
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ Support: Implementation-specific for any other resource
- Support: Core (Services with a type other than ExternalName)
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- fraction:
- description: |-
- Fraction represents the fraction of requests that should be
- mirrored to BackendRef.
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- properties:
- denominator:
- default: 100
- format: int32
- minimum: 1
- type: integer
- numerator:
- format: int32
- minimum: 0
- type: integer
- required:
- - numerator
- type: object
- x-kubernetes-validations:
- - message: numerator must be less than or equal to
- denominator
- rule: self.numerator <= self.denominator
- percent:
- description: |-
- Percent represents the percentage of requests that should be
- mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
- requests) and its maximum value is 100 (indicating 100% of requests).
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- required:
- - backendRef
- type: object
- x-kubernetes-validations:
- - message: Only one of percent or fraction may be specified
- in HTTPRequestMirrorFilter
- rule: '!(has(self.percent) && has(self.fraction))'
- responseHeaderModifier:
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+ properties:
+ filters:
description: |-
- ResponseHeaderModifier defines a schema for a filter that modifies response
- headers.
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
- Support: Extended
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ cors:
+ description: |-
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
+
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+ response header with value true (case-sensitive).
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ When set to false or omitted the gateway will omit the header
+ `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+ behavior).
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
+ Support: Extended
+ type: boolean
+ allowHeaders:
description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Header names are not case sensitive.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
- Config:
- remove: ["my-header1", "my-header3"]
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
+ When the `AllowCredentials` field is true and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
+
+ Valid values include:
+
+ * "Authorization"
+ * "Set-Cookie"
+
+ Invalid values include:
+
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type:
- description: |-
- Type identifies the type of filter to apply. As with other API fields,
- types are classified into three conformance levels:
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
- - Core: Filter types and their corresponding configuration defined by
- "Support: Core" in this package, e.g. "RequestHeaderModifier". All
- implementations supporting GRPCRoute MUST support core filters.
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
- - Extended: Filter types and their corresponding configuration defined by
- "Support: Extended" in this package, e.g. "RequestMirror". Implementers
- are encouraged to support extended filters.
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
- - Implementation-specific: Filters that are defined and supported by specific vendors.
- In the future, filters showing convergence in behavior across multiple
- implementations will be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration for such filters
- is specified using the ExtensionRef field. `Type` MUST be set to
- "ExtensionRef" for custom filters.
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
- Implementers are encouraged to define custom implementation types to
- extend the core API with implementation-specific behavior.
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
- If a reference to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have been processed by
- that filter MUST receive a HTTP error response.
- enum:
- - ResponseHeaderModifier
- - RequestHeaderModifier
- - RequestMirror
- - ExtensionRef
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: filter.requestHeaderModifier must be nil if the
- filter.type is not RequestHeaderModifier
- rule: '!(has(self.requestHeaderModifier) && self.type !=
- ''RequestHeaderModifier'')'
- - message: filter.requestHeaderModifier must be specified
- for RequestHeaderModifier filter.type
- rule: '!(!has(self.requestHeaderModifier) && self.type ==
- ''RequestHeaderModifier'')'
- - message: filter.responseHeaderModifier must be nil if the
- filter.type is not ResponseHeaderModifier
- rule: '!(has(self.responseHeaderModifier) && self.type !=
- ''ResponseHeaderModifier'')'
- - message: filter.responseHeaderModifier must be specified
- for ResponseHeaderModifier filter.type
- rule: '!(!has(self.responseHeaderModifier) && self.type
- == ''ResponseHeaderModifier'')'
- - message: filter.requestMirror must be nil if the filter.type
- is not RequestMirror
- rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
- - message: filter.requestMirror must be specified for RequestMirror
- filter.type
- rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
- - message: filter.extensionRef must be nil if the filter.type
- is not ExtensionRef
- rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
- - message: filter.extensionRef must be specified for ExtensionRef
- filter.type
- rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: RequestHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
- <= 1
- - message: ResponseHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
- <= 1
- matches:
- description: |-
- Matches define conditions used for matching the rule against incoming
- gRPC requests. Each match is independent, i.e. this rule will be matched
- if **any** one of the matches is satisfied.
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
+
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
+
+ When the `AllowCredentials` field is true and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
- For example, take the following matches configuration:
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
- ```
- matches:
- - method:
- service: foo.bar
- headers:
- values:
- version: 2
- - method:
- service: foo.bar.v2
- ```
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
- For a request to match against this rule, it MUST satisfy
- EITHER of the two conditions:
+ Valid values for scheme are: `http` and `https`.
- - service of foo.bar AND contains the header `version: 2`
- - service of foo.bar.v2
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
- See the documentation for GRPCRouteMatch on how to specify multiple
- match conditions to be ANDed together.
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
- If no matches are specified, the implementation MUST match every gRPC request.
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
- Proxy or Load Balancer routing configuration generated from GRPCRoutes
- MUST prioritize rules based on the following criteria, continuing on
- ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
- Precedence MUST be given to the rule with the largest number of:
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
- * Characters in a matching non-wildcard hostname.
- * Characters in a matching hostname.
- * Characters in a matching service.
- * Characters in a matching method.
- * Header matches.
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
- If ties still exist across multiple Routes, matching precedence MUST be
- determined in order of the following criteria, continuing on ties:
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
- * The oldest Route based on creation timestamp.
- * The Route appearing first in alphabetical order by
- "{namespace}/{name}".
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
- If ties still exist within the Route that has been given precedence,
- matching precedence MUST be granted to the first matching rule meeting
- the above criteria.
- items:
- description: |-
- GRPCRouteMatch defines the predicate used to match requests to a given
- action. Multiple match types are ANDed together, i.e. the match will
- evaluate to true only if all conditions are satisfied.
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- For example, the match below will match a gRPC request only if its service
- is `foo` AND it contains the `version: v1` header:
+ When the `AllowCredentials` field is true and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
- ```
- matches:
- - method:
- type: Exact
- service: "foo"
- headers:
- - name: "version"
- value "v1"
+ Support: Extended
+ items:
+ description: |-
+ The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The CORSOrigin MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ URIs that include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowOrigins cannot contain '*' alongside
+ other origins
+ rule: '!(''*'' in self && self.size() > 1)'
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
- ```
- properties:
- headers:
- description: |-
- Headers specifies gRPC request header matchers. Multiple match values are
- ANDed together, meaning, a request MUST match all the specified headers
- to select the route.
- items:
- description: |-
- GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
- headers.
- properties:
- name:
- description: |-
- Name is the name of the gRPC Header to be matched.
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
- If multiple entries specify equivalent header names, only the first
- entry with an equivalent name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- description: Type specifies how to match against
- the value of the header.
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- description: Value is the value of the gRPC Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- method:
- description: |-
- Method specifies a gRPC request service/method matcher. If this field is
- not specified, all services and methods will match.
- properties:
- method:
- description: |-
- Value of the method to match against. If left empty or omitted, will
- match all services.
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
- At least one of Service and Method MUST be a non-empty string.
- maxLength: 1024
- type: string
- service:
- description: |-
- Value of the service to match against. If left empty or omitted, will
- match any service.
+ Header names are not case sensitive.
- At least one of Service and Method MUST be a non-empty string.
- maxLength: 1024
- type: string
- type:
- default: Exact
- description: |-
- Type specifies how to match against the service and/or method.
- Support: Core (Exact with service and method specified)
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
- Support: Implementation-specific (Exact with method specified but no service specified)
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
- Support: Implementation-specific (RegularExpression)
- enum:
- - Exact
- - RegularExpression
- type: string
- type: object
- x-kubernetes-validations:
- - message: One or both of 'service' or 'method' must be
- specified
- rule: 'has(self.type) ? has(self.service) || has(self.method)
- : true'
- - message: service must only contain valid characters
- (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$)
- rule: '(!has(self.type) || self.type == ''Exact'') &&
- has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""):
- true'
- - message: method must only contain valid characters (matching
- ^[A-Za-z_][A-Za-z_0-9]*$)
- rule: '(!has(self.type) || self.type == ''Exact'') &&
- has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""):
- true'
- type: object
- maxItems: 64
- type: array
- name:
- description: |-
- Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
- Support: Extended
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- sessionPersistence:
- description: |-
- SessionPersistence defines and configures session persistence
- for the route rule.
+ Valid values include:
- Support: Extended
- properties:
- absoluteTimeout:
- description: |-
- AbsoluteTimeout defines the absolute timeout of the persistent
- session. Once the AbsoluteTimeout duration has elapsed, the
- session becomes invalid.
+ * "Authorization"
+ * "Set-Cookie"
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- cookieConfig:
- description: |-
- CookieConfig provides configuration settings that are specific
- to cookie-based session persistence.
+ Invalid values include:
- Support: Core
- properties:
- lifetimeType:
- default: Session
- description: |-
- LifetimeType specifies whether the cookie has a permanent or
- session-based lifetime. A permanent cookie persists until its
- specified expiry time, defined by the Expires or Max-Age cookie
- attributes, while a session cookie is deleted when the current
- session ends.
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
- When set to "Permanent", AbsoluteTimeout indicates the
- cookie's lifetime via the Expires or Max-Age cookie attributes
- and is required.
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
- When set to "Session", AbsoluteTimeout indicates the
- absolute lifetime of the cookie tracked by the gateway and
- is optional.
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
- Defaults to "Session".
+ This filter can be used multiple times within the same rule.
- Support: Core for "Session" type
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ externalAuth:
+ description: |-
+ ExternalAuth configures settings related to sending request details
+ to an external auth service. The external service MUST authenticate
+ the request, and MAY authorize the request as well.
- Support: Extended for "Permanent" type
- enum:
- - Permanent
- - Session
- type: string
- type: object
- idleTimeout:
- description: |-
- IdleTimeout defines the idle timeout of the persistent session.
- Once the session has been idle for more than the specified
- IdleTimeout duration, the session becomes invalid.
+ If there is any problem communicating with the external service,
+ this filter MUST fail closed.
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- sessionName:
- description: |-
- SessionName defines the name of the persistent session token
- which may be reflected in the cookie or the header. Users
- should avoid reusing session names to prevent unintended
- consequences, such as rejection or unpredictable behavior.
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef is a reference to a backend to send authorization
+ requests to.
- Support: Implementation-specific
- maxLength: 128
- type: string
- type:
- default: Cookie
- description: |-
- Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
- persistence.
+ The backend must speak the selected protocol (GRPC or HTTP) on the
+ referenced port.
- Support: Core for "Cookie" type
+ If the backend service requires TLS, use BackendTLSPolicy to tell the
+ implementation to supply the TLS details to be used to connect to that
+ backend.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- Support: Extended for "Header" type
- enum:
- - Cookie
- - Header
- type: string
- type: object
- x-kubernetes-validations:
- - message: AbsoluteTimeout must be specified when cookie lifetimeType
- is Permanent
- rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
- || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
- type: object
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: While 16 rules and 64 matches per rule are allowed, the
- total number of matches across all rules in a route must be less
- than 128
- rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()
- : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()
- : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()
- : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()
- : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()
- : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()
- : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()
- : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()
- : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()
- : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()
- : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()
- : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()
- : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()
- : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()
- : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()
- : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()
- : 0) : 0) <= 128'
- - message: Rule name must be unique within the route
- rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
- && l1.name == l2.name))
- type: object
- status:
- description: Status defines the current state of GRPCRoute.
- properties:
- parents:
- description: |-
- Parents is a list of parent resources (usually Gateways) that are
- associated with the route, and the status of the route with respect to
- each parent. When this route attaches to a parent, the controller that
- manages the parent must add an entry to this list when the controller
- first sees the route and should update the entry as appropriate when the
- route or gateway is modified.
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ forwardBody:
+ description: |-
+ ForwardBody controls if requests to the authorization server should include
+ the body of the client request; and if so, how big that body is allowed
+ to be.
- Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this API
- can only populate Route status for the Gateways/parent resources they are
- responsible for.
+ It is expected that implementations will buffer the request body up to
+ `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+ 4xx series error (413 or 403 are common examples), and fail processing
+ of the filter.
- A maximum of 32 Gateways will be represented in this list. An empty list
- means the route has not been attached to any Gateway.
- items:
- description: |-
- RouteParentStatus describes the status of a route with respect to an
- associated Parent.
- properties:
- conditions:
- description: |-
- Conditions describes the status of the route with respect to the Gateway.
- Note that the route's availability is also subject to the Gateway's own
- status conditions and listener status.
+ If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+ be forwarded.
- If the Route's ParentRef specifies an existing Gateway that supports
- Routes of this kind AND that Gateway's controller has sufficient access,
- then that Gateway's controller MUST set the "Accepted" condition on the
- Route, to indicate whether the route has been accepted or rejected by the
- Gateway, and why.
+ Feature Name: HTTPRouteExternalAuthForwardBody
+ properties:
+ maxSize:
+ description: |-
+ MaxSize specifies how large in bytes the largest body that will be buffered
+ and sent to the authorization server. If the body size is larger than
+ `maxSize`, then the body sent to the authorization server must be
+ truncated to `maxSize` bytes.
- A Route MUST be considered "Accepted" if at least one of the Route's
- rules is implemented by the Gateway.
+ Experimental note: This behavior needs to be checked against
+ various dataplanes; it may need to be changed.
+ See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+ for more.
- There are a number of cases where the "Accepted" condition may not be set
- due to lack of controller visibility, that includes when:
+ If 0, the body will not be sent to the authorization server.
+ type: integer
+ type: object
+ grpc:
+ description: |-
+ GRPCAuthConfig contains configuration for communication with ext_authz
+ protocol-speaking backends.
- * The Route refers to a nonexistent parent.
- * The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
- items:
- description: Condition contains details for one aspect of
- the current state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- controllerName:
- description: |-
- ControllerName is a domain/path string that indicates the name of the
- controller that wrote this status. This corresponds with the
- controllerName field on GatewayClass.
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what headers from the client request
+ will be sent to the authorization server.
- Example: "example.net/gateway-controller".
+ If this list is empty, then all headers must be sent.
- The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
- valid Kubernetes names
- (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ If the list has entries, only those entries must be sent.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ type: object
+ http:
+ description: |-
+ HTTPAuthConfig contains configuration for communication with HTTP-speaking
+ backends.
- Controllers MUST populate this field when writing status. Controllers should ensure that
- entries to status populated with their ControllerName are cleaned up when they are no
- longer necessary.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- parentRef:
- description: |-
- ParentRef corresponds with a ParentRef in the spec that this
- RouteParentStatus struct describes the status of.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: |-
- Group is the group of the referent.
- When unspecified, "gateway.networking.k8s.io" is inferred.
- To set the core API group (such as for a "Service" kind referent),
- Group must be explicitly set to "" (empty string).
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what additional headers from the client request
+ will be sent to the authorization server.
+
+ The following headers must always be sent to the authorization server,
+ regardless of this setting:
+
+ * `Host`
+ * `Method`
+ * `Path`
+ * `Content-Length`
+ * `Authorization`
+
+ If this list is empty, then only those headers must be sent.
+
+ Note that `Content-Length` has a special behavior, in that the length
+ sent must be correct for the actual request to the external authorization
+ server - that is, it must reflect the actual number of bytes sent in the
+ body of the request to the authorization server.
+
+ So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+ to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+ to anything other than `0`, then the `Content-Length` of the authorization
+ request must be set to the actual number of bytes forwarded.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ allowedResponseHeaders:
+ description: |-
+ AllowedResponseHeaders specifies what headers from the authorization response
+ will be copied into the request to the backend.
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: |-
- Kind is kind of the referent.
+ If this list is empty, then all headers from the authorization server
+ except Authority or Host must be copied.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ path:
+ description: |-
+ Path sets the prefix that paths from the client request will have added
+ when forwarded to the authorization server.
- There are two kinds of parent resources with "Core" support:
+ When empty or unspecified, no prefix is added.
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Valid values are the same as the "value" regex for path values in the `match`
+ stanza, and the validation regex will screen out invalid paths in the same way.
+ Even with the validation, implementations MUST sanitize this input before using it
+ directly.
+ maxLength: 1024
+ pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$
+ type: string
+ type: object
+ protocol:
+ description: |-
+ ExternalAuthProtocol describes which protocol to use when communicating with an
+ ext_authz authorization server.
- Support for other resources is Implementation-Specific.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: |-
- Name is the name of the referent.
+ When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+ on the port specified in `backendRefs`. Requests and responses are defined
+ in the protobufs explained at:
+ https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
- Support: Core
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. When unspecified, this refers
- to the local namespace of the Route.
+ When this is set to HTTP, each backend must respond with a `200` status
+ code in on a successful authorization. Any other code is considered
+ an authorization failure.
- Note that there are specific rules for ParentRefs which cross namespace
- boundaries. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example:
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable any other kind of cross-namespace reference.
+ Feature Names:
+ GRPC Support - HTTPRouteExternalAuthGRPC
+ HTTP Support - HTTPRouteExternalAuthHTTP
+ enum:
+ - HTTP
+ - GRPC
+ type: string
+ required:
+ - backendRef
+ - protocol
+ type: object
+ x-kubernetes-validations:
+ - message: grpc must be specified when protocol
+ is set to 'GRPC'
+ rule: 'self.protocol == ''GRPC'' ? has(self.grpc)
+ : true'
+ - message: protocol must be 'GRPC' when grpc is
+ set
+ rule: 'has(self.grpc) ? self.protocol == ''GRPC''
+ : true'
+ - message: http must be specified when protocol
+ is set to 'HTTP'
+ rule: 'self.protocol == ''HTTP'' ? has(self.http)
+ : true'
+ - message: protocol must be 'HTTP' when http is
+ set
+ rule: 'has(self.http) ? self.protocol == ''HTTP''
+ : true'
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port is the network port this Route targets. It can be interpreted
- differently based on the type of parent resource.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |-
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
- When the parent resource is a Gateway, this targets all listeners
- listening on the specified port that also support this kind of Route(and
- select this Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to a specific port
- as opposed to a listener(s) whose port(s) may be changed. When both Port
- and SectionName are specified, the name and port of the selected listener
- must match both specified values.
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
- When the parent resource is a Service, this targets a specific port in the
- Service spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified values.
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
- Implementations MAY choose to support other parent resources.
- Implementations supporting other types of parent resources MUST clearly
- document how/if Port is interpreted.
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
- For the purpose of status, an attachment is considered successful as
- long as the parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- description: |-
- SectionName is the name of a section within the target resource. In the
- following resources, SectionName is interpreted as the following:
+ Support: Extended for Kubernetes Service
- * Gateway: Listener name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
- * Service: Port name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- Implementations MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName is
- interpreted.
+ Defaults to "Service" when not specified.
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- required:
- - controllerName
- - parentRef
- type: object
- maxItems: 32
- type: array
- required:
- - parents
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: null
- storedVersions: null
----
-#
-# config/crd/experimental/gateway.networking.k8s.io_httproutes.yaml
-#
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
- gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
- name: httproutes.gateway.networking.k8s.io
-spec:
- group: gateway.networking.k8s.io
- names:
- categories:
- - gateway-api
- kind: HTTPRoute
- listKind: HTTPRouteList
- plural: httproutes
- singular: httproute
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .spec.hostnames
- name: Hostnames
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- HTTPRoute provides a way to route HTTP requests. This includes the capability
- to match requests by hostname, path, header, or query param. Filters can be
- used to specify additional processing steps. Backends specify where matching
- requests should be routed.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of HTTPRoute.
- properties:
- hostnames:
- description: |-
- Hostnames defines a set of hostnames that should match against the HTTP Host
- header to select a HTTPRoute used to process the request. Implementations
- MUST ignore any port value specified in the HTTP Host header while
- performing a match and (absent of any applicable header modification
- configuration) MUST forward this header unmodified to the backend.
+ Support: Core (Services with a type other than ExternalName)
- Valid values for Hostnames are determined by RFC 1123 definition of a
- hostname with 2 notable exceptions:
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- 1. IPs are not allowed.
- 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
- label must appear by itself as the first label.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- If a hostname is specified by both the Listener and HTTPRoute, there
- must be at least one intersecting hostname for the HTTPRoute to be
- attached to the Listener. For example:
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ fraction:
+ description: |-
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
- * A Listener with `test.example.com` as the hostname matches HTTPRoutes
- that have either not specified any hostnames, or have specified at
- least one of `test.example.com` or `*.example.com`.
- * A Listener with `*.example.com` as the hostname matches HTTPRoutes
- that have either not specified any hostnames or have specified at least
- one hostname that matches the Listener hostname. For example,
- `*.example.com`, `test.example.com`, and `foo.test.example.com` would
- all match. On the other hand, `example.com` and `test.example.net` would
- not match.
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal
+ to denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |-
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
- Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
- as a suffix match. That means that a match for `*.example.com` would match
- both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ required:
+ - backendRef
+ type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be
+ specified in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
- If both the Listener and HTTPRoute have specified hostnames, any
- HTTPRoute hostnames that do not match the Listener hostname MUST be
- ignored. For example, if a Listener specified `*.example.com`, and the
- HTTPRoute specified `test.example.com` and `test.example.net`,
- `test.example.net` must not be considered for a match.
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
- If both the Listener and HTTPRoute have specified hostnames, and none
- match with the criteria above, then the HTTPRoute is not accepted. The
- implementation must raise an 'Accepted' Condition with a status of
- `False` in the corresponding RouteParentStatus.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
- In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
- overlapping wildcard matching and exact matching hostnames), precedence must
- be given to rules from the HTTPRoute with the largest number of:
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
- * Characters in a matching non-wildcard hostname.
- * Characters in a matching hostname.
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
- If ties exist across multiple Routes, the matching precedence rules for
- HTTPRouteMatches takes over.
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
- Support: Core
- items:
- description: |-
- Hostname is the fully qualified domain name of a network host. This matches
- the RFC 1123 definition of a hostname with 2 notable exceptions:
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- 1. IPs are not allowed.
- 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
- label must appear by itself as the first label.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Hostname can be "precise" which is a domain name without the terminating
- dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
- domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
- Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
- alphanumeric characters or '-', and must start and end with an alphanumeric
- character. No other punctuation is allowed.
- maxLength: 253
- minLength: 1
- pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- maxItems: 16
- type: array
- parentRefs:
- description: |-
- ParentRefs references the resources (usually Gateways) that a Route wants
- to be attached to. Note that the referenced parent resource needs to
- allow this for the attachment to be complete. For Gateways, that means
- the Gateway needs to allow attachment from Routes of this kind and
- namespace. For Services, that means the Service must either be in the same
- namespace for a "producer" route, or the mesh implementation must support
- and allow "consumer" routes for the referenced Service. ReferenceGrant is
- not applicable for governing ParentRefs to Services - it is not possible to
- create a "producer" route for a Service in a different namespace from the
- Route.
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
- There are two kinds of parent resources with "Core" support:
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- This API may be extended in the future to support additional kinds of parent
- resources.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
- ParentRefs must be _distinct_. This means either that:
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
- * They select different objects. If this is the case, then parentRef
- entries are distinct. In terms of fields, this means that the
- multi-part key defined by `group`, `kind`, `namespace`, and `name` must
- be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field used,
- each ParentRef that selects the same object must set the same set of
- optional fields to different values. If one ParentRef sets a
- combination of optional fields, all must set the same combination.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Some examples:
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
- * If one ParentRef sets `sectionName`, all ParentRefs referencing the
- same object must also set `sectionName`.
- * If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`.
- * If one ParentRef sets `sectionName` and `port`, all ParentRefs
- referencing the same object must also set `sectionName` and `port`.
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
- It is possible to separately reference multiple distinct objects that may
- be collapsed by an implementation. For example, some implementations may
- choose to merge compatible Gateway Listeners together. If that is the
- case, the list of routes attached to those resources should also be
- merged.
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
- Note that for ParentRefs that cross namespace boundaries, there are specific
- rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example,
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable other kinds of cross-namespace reference.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
- items:
- description: |-
- ParentReference identifies an API object (usually a Gateway) that can be considered
- a parent of this resource (usually a route). There are two kinds of parent resources
- with "Core" support:
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- This API may be extended in the future to support additional kinds of parent
- resources.
+ Config:
+ remove: ["my-header1", "my-header3"]
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: |-
- Group is the group of the referent.
- When unspecified, "gateway.networking.k8s.io" is inferred.
- To set the core API group (such as for a "Service" kind referent),
- Group must be explicitly set to "" (empty string).
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: |-
- Kind is kind of the referent.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- There are two kinds of parent resources with "Core" support:
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Support for other resources is Implementation-Specific.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: |-
- Name is the name of the referent.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
- Support: Core
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. When unspecified, this refers
- to the local namespace of the Route.
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
- Note that there are specific rules for ParentRefs which cross namespace
- boundaries. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example:
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable any other kind of cross-namespace reference.
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ - CORS
+ - ExternalAuth
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port is the network port this Route targets. It can be interpreted
- differently based on the type of parent resource.
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
- When the parent resource is a Gateway, this targets all listeners
- listening on the specified port that also support this kind of Route(and
- select this Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to a specific port
- as opposed to a listener(s) whose port(s) may be changed. When both Port
- and SectionName are specified, the name and port of the selected listener
- must match both specified values.
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
- When the parent resource is a Service, this targets a specific port in the
- Service spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified values.
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- Implementations MAY choose to support other parent resources.
- Implementations supporting other types of parent resources MUST clearly
- document how/if Port is interpreted.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- For the purpose of status, an attachment is considered successful as
- long as the parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
+ - message: filter.externalAuth must be nil if the filter.type
+ is not ExternalAuth
+ rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
+ - message: filter.externalAuth must be specified for
+ ExternalAuth filter.type
+ rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- description: |-
- SectionName is the name of a section within the target resource. In the
- following resources, SectionName is interpreted as the following:
+ Defaults to "Service" when not specified.
- * Gateway: Listener name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
- * Service: Port name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- Implementations MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName is
- interpreted.
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- maxItems: 32
- type: array
- x-kubernetes-validations:
- - message: sectionName or port must be specified when parentRefs includes
- 2 or more references to the same parent
- rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
- || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
- p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
- || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
- || p2.port == 0)): true))'
- - message: sectionName or port must be unique when parentRefs includes
- 2 or more references to the same parent
- rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
- || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
- == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
- p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
- || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
- == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
- == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
- == p2.port))))
- rules:
- default:
- - matches:
- - path:
- type: PathPrefix
- value: /
- description: Rules are a list of HTTP matchers, filters and actions.
- items:
- description: |-
- HTTPRouteRule defines semantics for matching an HTTP request based on
- conditions (matches), processing it (filters), and forwarding the request to
- an API object (backendRefs).
- properties:
- backendRefs:
- description: |-
- BackendRefs defines the backend(s) where matching requests should be
- sent.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
- Failure behavior here depends on how many BackendRefs are specified and
- how many are invalid.
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
- If *all* entries in BackendRefs are invalid, and there are also no filters
- specified in this route rule, *all* traffic which matches this rule MUST
- receive a 500 status code.
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
- See the HTTPBackendRef definition for the rules about what makes a single
- HTTPBackendRef invalid.
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
- When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
- requests that would have otherwise been routed to an invalid backend. If
- multiple backends are specified, and some are invalid, the proportion of
- requests that would otherwise have been routed to an invalid backend
- MUST receive a 500 status code.
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that cannot be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
- For example, if two backends are specified with equal weights, and one is
- invalid, 50 percent of traffic must receive a 500. Implementations may
- choose how that 50 percent is determined.
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
- When a HTTPBackendRef refers to a Service that has no ready endpoints,
- implementations SHOULD return a 503 for requests to that backend instead.
- If an implementation chooses to do this, all of the above rules for 500 responses
- MUST also apply for responses that return a 503.
+ Conformance-levels at this level are defined based on the type of filter:
- Support: Core for Kubernetes Service
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
- Support: Extended for Kubernetes ServiceImport
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
- Support: Implementation-specific for any other resource
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation cannot support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
- Support for weight: Core
+ Support: Core
items:
description: |-
- HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ cors:
+ description: |-
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
- Note that when a namespace different than the local namespace is specified, a
- ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
+ When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+ response header with value true (case-sensitive).
- When the BackendRef points to a Kubernetes Service, implementations SHOULD
- honor the appProtocol field if it is set for the target Service Port.
+ When set to false or omitted the gateway will omit the header
+ `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+ behavior).
- Implementations supporting appProtocol SHOULD recognize the Kubernetes
- Standard Application Protocols defined in KEP-3726.
+ Support: Extended
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
- If a Service appProtocol isn't specified, an implementation MAY infer the
- backend protocol through its own means. Implementations MAY infer the
- protocol from the Route type referring to the backend Service.
+ Header names are not case sensitive.
- If a Route is not able to send traffic to the backend using the specified
- protocol then the backend is considered invalid. Implementations MUST set the
- "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
- properties:
- filters:
- description: |-
- Filters defined at this level should be executed if and only if the
- request is being forwarded to the backend defined here.
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
- Support: Implementation-specific (For broader support of filters, use the
- Filters field in HTTPRouteRule.)
- items:
- description: |-
- HTTPRouteFilter defines processing steps that must be completed during the
- request or response lifecycle. HTTPRouteFilters are meant as an extension
- point to express processing that may be done in Gateway implementations. Some
- examples include request or response modification, implementing
- authentication strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type of the filter.
- properties:
- cors:
- description: |-
- CORS defines a schema for a filter that responds to the
- cross-origin request based on HTTP response header.
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
- Support: Extended
- properties:
- allowCredentials:
- description: |-
- AllowCredentials indicates whether the actual cross-origin request allows
- to include credentials.
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
- The only valid value for the `Access-Control-Allow-Credentials` response
- header is true (case-sensitive).
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
+
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
+
+ When the `AllowCredentials` field is true and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
- If the credentials are not allowed in cross-origin requests, the gateway
- will omit the header `Access-Control-Allow-Credentials` entirely rather
- than setting its value to false.
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
- Support: Extended
- enum:
- - true
- type: boolean
- allowHeaders:
- description: |-
- AllowHeaders indicates which HTTP request headers are supported for
- accessing the requested resource.
+ Valid values include:
- Header names are not case sensitive.
+ * "Authorization"
+ * "Set-Cookie"
- Multiple header names in the value of the `Access-Control-Allow-Headers`
- response header are separated by a comma (",").
+ Invalid values include:
- When the `AllowHeaders` field is configured with one or more headers, the
- gateway must return the `Access-Control-Allow-Headers` response header
- which value is present in the `AllowHeaders` field.
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
+ description: |-
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
- If any header name in the `Access-Control-Request-Headers` request header
- is not included in the list of header names specified by the response
- header `Access-Control-Allow-Headers`, it will present an error on the
- client side.
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
- If any header name in the `Access-Control-Allow-Headers` response header
- does not recognize by the client, it will also occur an error on the
- client side.
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
- A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
- When the `AllowCredentials` field is specified and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
- HTTP headers in the value of the `Access-Control-Allow-Headers` response
- header. The value of the header `Access-Control-Allow-Headers` is same as
- the `Access-Control-Request-Headers` header provided by the client. If
- the header `Access-Control-Request-Headers` is not included in the
- request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
- Support: Extended
- items:
- description: |-
- HTTPHeaderName is the name of an HTTP header.
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
- Valid values include:
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
- * "Authorization"
- * "Set-Cookie"
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- Invalid values include:
+ When the `AllowCredentials` field is true and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- allowMethods:
- description: |-
- AllowMethods indicates which HTTP methods are supported for accessing the
- requested resource.
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
- Valid values are any method defined by RFC9110, along with the special
- value `*`, which represents all HTTP methods are allowed.
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
- Method names are case sensitive, so these values are also case-sensitive.
- (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+ Valid values for scheme are: `http` and `https`.
- Multiple method names in the value of the `Access-Control-Allow-Methods`
- response header are separated by a comma (",").
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
- A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
- (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
- CORS-safelisted methods are always allowed, regardless of whether they
- are specified in the `AllowMethods` field.
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
- When the `AllowMethods` field is configured with one or more methods, the
- gateway must return the `Access-Control-Allow-Methods` response header
- which value is present in the `AllowMethods` field.
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
- If the HTTP method of the `Access-Control-Request-Method` request header
- is not included in the list of methods specified by the response header
- `Access-Control-Allow-Methods`, it will present an error on the client
- side.
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
- When the `AllowCredentials` field is specified and `AllowMethods` field
- specified with the `*` wildcard, the gateway must specify one HTTP method
- in the value of the Access-Control-Allow-Methods response header. The
- value of the header `Access-Control-Allow-Methods` is same as the
- `Access-Control-Request-Method` header provided by the client. If the
- header `Access-Control-Request-Method` is not included in the request,
- the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
- Support: Extended
- items:
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- - '*'
- type: string
- maxItems: 9
- type: array
- x-kubernetes-list-type: set
- x-kubernetes-validations:
- - message: AllowMethods cannot contain '*' alongside
- other methods
- rule: '!(''*'' in self && self.size() > 1)'
- allowOrigins:
- description: |-
- AllowOrigins indicates whether the response can be shared with requested
- resource from the given `Origin`.
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
- The `Origin` consists of a scheme and a host, with an optional port, and
- takes the form `://(:)`.
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- Valid values for scheme are: `http` and `https`.
+ When the `AllowCredentials` field is true and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
- Valid values for port are any integer between 1 and 65535 (the list of
- available TCP/UDP ports). Note that, if not included, port `80` is
- assumed for `http` scheme origins, and port `443` is assumed for `https`
- origins. This may affect origin matching.
+ Support: Extended
+ items:
+ description: |-
+ The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The CORSOrigin MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ URIs that include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowOrigins cannot contain '*' alongside
+ other origins
+ rule: '!(''*'' in self && self.size() > 1)'
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
- The host part of the origin may contain the wildcard character `*`. These
- wildcard characters behave as follows:
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
- * `*` is a greedy match to the _left_, including any number of
- DNS labels to the left of its position. This also means that
- `*` will include any number of period `.` characters to the
- left of its position.
- * A wildcard by itself matches all hosts.
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
- An origin value that includes _only_ the `*` character indicates requests
- from all `Origin`s are allowed.
+ Header names are not case sensitive.
- When the `AllowOrigins` field is configured with multiple origins, it
- means the server supports clients from multiple origins. If the request
- `Origin` matches the configured allowed origins, the gateway must return
- the given `Origin` and sets value of the header
- `Access-Control-Allow-Origin` same as the `Origin` header provided by the
- client.
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
- The status code of a successful response to a "preflight" request is
- always an OK status (i.e., 204 or 200).
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
- If the request `Origin` does not match the configured allowed origins,
- the gateway returns 204/200 response but doesn't set the relevant
- cross-origin response headers. Alternatively, the gateway responds with
- 403 status to the "preflight" request is denied, coupled with omitting
- the CORS headers. The cross-origin request fails on the client side.
- Therefore, the client doesn't attempt the actual cross-origin request.
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ Valid values include:
- When the `AllowCredentials` field is specified and `AllowOrigins` field
- specified with the `*` wildcard, the gateway must return a single origin
- in the value of the `Access-Control-Allow-Origin` response header,
- instead of specifying the `*` wildcard. The value of the header
- `Access-Control-Allow-Origin` is same as the `Origin` header provided by
- the client.
+ * "Authorization"
+ * "Set-Cookie"
- Support: Extended
- items:
- description: |-
- The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
- encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
- include an authority MUST include a fully qualified domain name or
- IP address as the host.
- maxLength: 253
- minLength: 1
- pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- exposeHeaders:
- description: |-
- ExposeHeaders indicates which HTTP response headers can be exposed
- to client-side scripts in response to a cross-origin request.
+ Invalid values include:
- A CORS-safelisted response header is an HTTP header in a CORS response
- that it is considered safe to expose to the client scripts.
- The CORS-safelisted response headers include the following headers:
- `Cache-Control`
- `Content-Language`
- `Content-Length`
- `Content-Type`
- `Expires`
- `Last-Modified`
- `Pragma`
- (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
- The CORS-safelisted response headers are exposed to client by default.
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
- When an HTTP header name is specified using the `ExposeHeaders` field,
- this additional header will be exposed as part of the response to the
- client.
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
- Header names are not case sensitive.
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
- Multiple header names in the value of the `Access-Control-Expose-Headers`
- response header are separated by a comma (",").
+ This filter can be used multiple times within the same rule.
- A wildcard indicates that the responses with all HTTP headers are exposed
- to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is
- unspecified.
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ externalAuth:
+ description: |-
+ ExternalAuth configures settings related to sending request details
+ to an external auth service. The external service MUST authenticate
+ the request, and MAY authorize the request as well.
- Support: Extended
- items:
- description: |-
- HTTPHeaderName is the name of an HTTP header.
+ If there is any problem communicating with the external service,
+ this filter MUST fail closed.
- Valid values include:
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef is a reference to a backend to send authorization
+ requests to.
- * "Authorization"
- * "Set-Cookie"
+ The backend must speak the selected protocol (GRPC or HTTP) on the
+ referenced port.
- Invalid values include:
+ If the backend service requires TLS, use BackendTLSPolicy to tell the
+ implementation to supply the TLS details to be used to connect to that
+ backend.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- maxAge:
- default: 5
- description: |-
- MaxAge indicates the duration (in seconds) for the client to cache the
- results of a "preflight" request.
+ Defaults to "Service" when not specified.
- The information provided by the `Access-Control-Allow-Methods` and
- `Access-Control-Allow-Headers` response headers can be cached by the
- client until the time specified by `Access-Control-Max-Age` elapses.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- The default value of `Access-Control-Max-Age` response header is 5
- (seconds).
- format: int32
- minimum: 1
- type: integer
- type: object
- extensionRef:
- description: |-
- ExtensionRef is an optional, implementation-specific extension to the
- "filter" behavior. For example, resource "myroutefilter" in group
- "networking.example.net"). ExtensionRef MUST NOT be used for core and
- extended filters.
+ Support: Core (Services with a type other than ExternalName)
- This filter can be used multiple times within the same rule.
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- Support: Implementation-specific
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For
- example "HTTPRoute" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- requestHeaderModifier:
- description: |-
- RequestHeaderModifier defines a schema for a filter that modifies request
- headers.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Support: Core
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ forwardBody:
+ description: |-
+ ForwardBody controls if requests to the authorization server should include
+ the body of the client request; and if so, how big that body is allowed
+ to be.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ It is expected that implementations will buffer the request body up to
+ `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+ 4xx series error (413 or 403 are common examples), and fail processing
+ of the filter.
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+ be forwarded.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Feature Name: HTTPRouteExternalAuthForwardBody
+ properties:
+ maxSize:
+ description: |-
+ MaxSize specifies how large in bytes the largest body that will be buffered
+ and sent to the authorization server. If the body size is larger than
+ `maxSize`, then the body sent to the authorization server must be
+ truncated to `maxSize` bytes.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Experimental note: This behavior needs to be checked against
+ various dataplanes; it may need to be changed.
+ See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+ for more.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ If 0, the body will not be sent to the authorization server.
+ type: integer
+ type: object
+ grpc:
+ description: |-
+ GRPCAuthConfig contains configuration for communication with ext_authz
+ protocol-speaking backends.
- Config:
- remove: ["my-header1", "my-header3"]
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what headers from the client request
+ will be sent to the authorization server.
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ If this list is empty, then all headers must be sent.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ If the list has entries, only those entries must be sent.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ type: object
+ http:
+ description: |-
+ HTTPAuthConfig contains configuration for communication with HTTP-speaking
+ backends.
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what additional headers from the client request
+ will be sent to the authorization server.
+
+ The following headers must always be sent to the authorization server,
+ regardless of this setting:
+
+ * `Host`
+ * `Method`
+ * `Path`
+ * `Content-Length`
+ * `Authorization`
+
+ If this list is empty, then only those headers must be sent.
+
+ Note that `Content-Length` has a special behavior, in that the length
+ sent must be correct for the actual request to the external authorization
+ server - that is, it must reflect the actual number of bytes sent in the
+ body of the request to the authorization server.
+
+ So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+ to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+ to anything other than `0`, then the `Content-Length` of the authorization
+ request must be set to the actual number of bytes forwarded.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ allowedResponseHeaders:
+ description: |-
+ AllowedResponseHeaders specifies what headers from the authorization response
+ will be copied into the request to the backend.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ If this list is empty, then all headers from the authorization server
+ except Authority or Host must be copied.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ path:
+ description: |-
+ Path sets the prefix that paths from the client request will have added
+ when forwarded to the authorization server.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- requestMirror:
- description: |-
- RequestMirror defines a schema for a filter that mirrors requests.
- Requests are sent to the specified destination, but responses from
- that destination are ignored.
+ When empty or unspecified, no prefix is added.
- This filter can be used multiple times within the same rule. Note that
- not all implementations will be able to support mirroring to multiple
- backends.
+ Valid values are the same as the "value" regex for path values in the `match`
+ stanza, and the validation regex will screen out invalid paths in the same way.
+ Even with the validation, implementations MUST sanitize this input before using it
+ directly.
+ maxLength: 1024
+ pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$
+ type: string
+ type: object
+ protocol:
+ description: |-
+ ExternalAuthProtocol describes which protocol to use when communicating with an
+ ext_authz authorization server.
- Support: Extended
- properties:
- backendRef:
- description: |-
- BackendRef references a resource where mirrored requests are sent.
+ When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+ on the port specified in `backendRefs`. Requests and responses are defined
+ in the protobufs explained at:
+ https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
- Mirrored requests must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many endpoints are present
- within this BackendRef.
+ When this is set to HTTP, each backend must respond with a `200` status
+ code in on a successful authorization. Any other code is considered
+ an authorization failure.
- If the referent cannot be found, this BackendRef is invalid and must be
- dropped from the Gateway. The controller must ensure the "ResolvedRefs"
- condition on the Route status is set to `status: False` and not configure
- this backend in the underlying implementation.
+ Feature Names:
+ GRPC Support - HTTPRouteExternalAuthGRPC
+ HTTP Support - HTTPRouteExternalAuthHTTP
+ enum:
+ - HTTP
+ - GRPC
+ type: string
+ required:
+ - backendRef
+ - protocol
+ type: object
+ x-kubernetes-validations:
+ - message: grpc must be specified when protocol is set
+ to 'GRPC'
+ rule: 'self.protocol == ''GRPC'' ? has(self.grpc) :
+ true'
+ - message: protocol must be 'GRPC' when grpc is set
+ rule: 'has(self.grpc) ? self.protocol == ''GRPC'' :
+ true'
+ - message: http must be specified when protocol is set
+ to 'HTTP'
+ rule: 'self.protocol == ''HTTP'' ? has(self.http) :
+ true'
+ - message: protocol must be 'HTTP' when http is set
+ rule: 'has(self.http) ? self.protocol == ''HTTP'' :
+ true'
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
- If there is a cross-namespace reference to an *existing* object
- that is not allowed by a ReferenceGrant, the controller must ensure the
- "ResolvedRefs" condition on the Route is set to `status: False`,
- with the "RefNotPermitted" reason and not configure this backend in the
- underlying implementation.
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
- In either error case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about the problem.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Support: Extended for Kubernetes Service
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- Support: Implementation-specific for any other resource
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Defaults to "Service" when not specified.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- Support: Core (Services with a type other than ExternalName)
+ Config:
+ remove: ["my-header1", "my-header3"]
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind
- == ''Service'') ? has(self.port) : true'
- fraction:
- description: |-
- Fraction represents the fraction of requests that should be
- mirrored to BackendRef.
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- properties:
- denominator:
- default: 100
- format: int32
- minimum: 1
- type: integer
- numerator:
- format: int32
- minimum: 0
- type: integer
- required:
- - numerator
- type: object
- x-kubernetes-validations:
- - message: numerator must be less than or equal
- to denominator
- rule: self.numerator <= self.denominator
- percent:
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
description: |-
- Percent represents the percentage of requests that should be
- mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
- requests) and its maximum value is 100 (indicating 100% of requests).
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
required:
- - backendRef
+ - name
+ - value
type: object
- x-kubernetes-validations:
- - message: Only one of percent or fraction may be
- specified in HTTPRequestMirrorFilter
- rule: '!(has(self.percent) && has(self.fraction))'
- requestRedirect:
- description: |-
- RequestRedirect defines a schema for a filter that responds to the
- request with an HTTP redirection.
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |-
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
- Support: Core
- properties:
- hostname:
- description: |-
- Hostname is the hostname to be used in the value of the `Location`
- header in the response.
- When empty, the hostname in the `Host` header of the request is used.
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: |-
- Path defines parameters used to modify the path of the incoming request.
- The modified path is then used to construct the `Location` header. When
- empty, the request path is used as-is.
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified
- when type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ?
- has(self.replaceFullPath) : true'
- - message: type must be 'ReplaceFullPath' when
- replaceFullPath is set
- rule: 'has(self.replaceFullPath) ? self.type
- == ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified
- when type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch''
- ? has(self.replacePrefixMatch) : true'
- - message: type must be 'ReplacePrefixMatch'
- when replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- port:
- description: |-
- Port is the port to be used in the value of the `Location`
- header in the response.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ fraction:
+ description: |-
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
- If no port is specified, the redirect port MUST be derived using the
- following rules:
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to
+ denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |-
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
- * If redirect scheme is not-empty, the redirect port MUST be the well-known
- port associated with the redirect scheme. Specifically "http" to port 80
- and "https" to port 443. If the redirect scheme does not have a
- well-known port, the listener port of the Gateway SHOULD be used.
- * If redirect scheme is empty, the redirect port MUST be the Gateway
- Listener port.
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ required:
+ - backendRef
+ type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be specified
+ in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
- Implementations SHOULD NOT add the port number in the 'Location'
- header in the following cases:
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
- * A Location header that will use HTTP (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 80.
- * A Location header that will use HTTPS (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 443.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- scheme:
- description: |-
- Scheme is the scheme to be used in the value of the `Location` header in
- the response. When empty, the scheme of the request is used.
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
- Scheme redirects can affect the port of the redirect, for more information,
- refer to the documentation for the port field of this filter.
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- Support: Extended
- enum:
- - http
- - https
- type: string
- statusCode:
- default: 302
- description: |-
- StatusCode is the HTTP status code to be used in response.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
- Support: Core
- enum:
- - 301
- - 302
- type: integer
- type: object
- responseHeaderModifier:
- description: |-
- ResponseHeaderModifier defines a schema for a filter that modifies response
- headers.
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
- Support: Extended
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
- Config:
- remove: ["my-header1", "my-header3"]
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type:
- description: |-
- Type identifies the type of filter to apply. As with other API fields,
- types are classified into three conformance levels:
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- - Core: Filter types and their corresponding configuration defined by
- "Support: Core" in this package, e.g. "RequestHeaderModifier". All
- implementations must support core filters.
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- - Extended: Filter types and their corresponding configuration defined by
- "Support: Extended" in this package, e.g. "RequestMirror". Implementers
- are encouraged to support extended filters.
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- - Implementation-specific: Filters that are defined and supported by
- specific vendors.
- In the future, filters showing convergence in behavior across multiple
- implementations will be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration for such filters
- is specified using the ExtensionRef field. `Type` should be set to
- "ExtensionRef" for custom filters.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- Implementers are encouraged to define custom implementation types to
- extend the core API with implementation-specific behavior.
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- If a reference to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have been processed by
- that filter MUST receive a HTTP error response.
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - RequestHeaderModifier
- - ResponseHeaderModifier
- - RequestMirror
- - RequestRedirect
- - URLRewrite
- - ExtensionRef
- - CORS
- type: string
- urlRewrite:
- description: |-
- URLRewrite defines a schema for a filter that modifies a request during forwarding.
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
- Support: Extended
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
properties:
- hostname:
+ name:
description: |-
- Hostname is the value to be used to replace the Host header value during
- forwarding.
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Support: Extended
- maxLength: 253
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
- path:
- description: |-
- Path defines a path rewrite.
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified
- when type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ?
- has(self.replaceFullPath) : true'
- - message: type must be 'ReplaceFullPath' when
- replaceFullPath is set
- rule: 'has(self.replaceFullPath) ? self.type
- == ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified
- when type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch''
- ? has(self.replacePrefixMatch) : true'
- - message: type must be 'ReplacePrefixMatch'
- when replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- type: object
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: filter.requestHeaderModifier must be nil
- if the filter.type is not RequestHeaderModifier
- rule: '!(has(self.requestHeaderModifier) && self.type
- != ''RequestHeaderModifier'')'
- - message: filter.requestHeaderModifier must be specified
- for RequestHeaderModifier filter.type
- rule: '!(!has(self.requestHeaderModifier) && self.type
- == ''RequestHeaderModifier'')'
- - message: filter.responseHeaderModifier must be nil
- if the filter.type is not ResponseHeaderModifier
- rule: '!(has(self.responseHeaderModifier) && self.type
- != ''ResponseHeaderModifier'')'
- - message: filter.responseHeaderModifier must be specified
- for ResponseHeaderModifier filter.type
- rule: '!(!has(self.responseHeaderModifier) && self.type
- == ''ResponseHeaderModifier'')'
- - message: filter.requestMirror must be nil if the filter.type
- is not RequestMirror
- rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
- - message: filter.requestMirror must be specified for
- RequestMirror filter.type
- rule: '!(!has(self.requestMirror) && self.type ==
- ''RequestMirror'')'
- - message: filter.requestRedirect must be nil if the
- filter.type is not RequestRedirect
- rule: '!(has(self.requestRedirect) && self.type !=
- ''RequestRedirect'')'
- - message: filter.requestRedirect must be specified
- for RequestRedirect filter.type
- rule: '!(!has(self.requestRedirect) && self.type ==
- ''RequestRedirect'')'
- - message: filter.urlRewrite must be nil if the filter.type
- is not URLRewrite
- rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
- - message: filter.urlRewrite must be specified for URLRewrite
- filter.type
- rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
- - message: filter.extensionRef must be nil if the filter.type
- is not ExtensionRef
- rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
- - message: filter.extensionRef must be specified for
- ExtensionRef filter.type
- rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type
- is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: May specify either httpRouteFilterRequestRedirect
- or httpRouteFilterRequestRewrite, but not both
- rule: '!(self.exists(f, f.type == ''RequestRedirect'')
- && self.exists(f, f.type == ''URLRewrite''))'
- - message: May specify either httpRouteFilterRequestRedirect
- or httpRouteFilterRequestRewrite, but not both
- rule: '!(self.exists(f, f.type == ''RequestRedirect'')
- && self.exists(f, f.type == ''URLRewrite''))'
- - message: RequestHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
- <= 1
- - message: ResponseHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
- <= 1
- - message: RequestRedirect filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestRedirect').size()
- <= 1
- - message: URLRewrite filter cannot be repeated
- rule: self.filter(f, f.type == 'URLRewrite').size()
- <= 1
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ - CORS
+ - ExternalAuth
type: string
- kind:
- default: Service
+ urlRewrite:
description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
- Defaults to "Service" when not specified.
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines a path rewrite.
- Support: Core (Services with a type other than ExternalName)
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- description: |-
- Weight specifies the proportion of requests forwarded to the referenced
- backend. This is computed as weight/(sum of all weights in this
- BackendRefs list). For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision an
- implementation supports. Weight is not a percentage and the sum of
- weights does not need to equal 100.
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- If only one backend is specified and it has a weight greater than 0, 100%
- of the traffic is forwarded to that backend. If weight is set to 0, no
- traffic should be forwarded for this entry. If unspecified, weight
- defaults to 1.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Support for this field varies based on the context where used.
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
required:
- - name
+ - type
type: object
x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
+ - message: filter.externalAuth must be nil if the filter.type
+ is not ExternalAuth
+ rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
+ - message: filter.externalAuth must be specified for ExternalAuth
+ filter.type
+ rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')'
maxItems: 16
type: array
- filters:
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
description: |-
- Filters define the filters that are applied to requests that match
- this rule.
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
- Wherever possible, implementations SHOULD implement filters in the order
- they are specified.
+ For example, take the following matches configuration:
- Implementations MAY choose to implement this ordering strictly, rejecting
- any combination or order of filters that cannot be supported. If implementations
- choose a strict interpretation of filter ordering, they MUST clearly document
- that behavior.
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
- To reject an invalid combination or order of filters, implementations SHOULD
- consider the Route Rules with this configuration invalid. If all Route Rules
- in a Route are invalid, the entire Route would be considered invalid. If only
- a portion of Route Rules are invalid, implementations MUST set the
- "PartiallyInvalid" condition for the Route.
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
- Conformance-levels at this level are defined based on the type of filter:
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
- - ALL core filters MUST be supported by all implementations.
- - Implementers are encouraged to support extended filters.
- - Implementation-specific custom filters have no API guarantees across
- implementations.
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
- Specifying the same filter multiple times is not supported unless explicitly
- indicated in the filter.
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
- All filters are expected to be compatible with each other except for the
- URLRewrite and RequestRedirect filters, which may not be combined. If an
- implementation cannot support other combinations of filters, they must clearly
- document that limitation. In cases where incompatible or unsupported
- filters are specified and cause the `Accepted` condition to be set to status
- `False`, implementations may use the `IncompatibleFilters` reason to specify
- this configuration error.
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
- Support: Core
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
items:
- description: |-
- HTTPRouteFilter defines processing steps that must be completed during the
- request or response lifecycle. HTTPRouteFilters are meant as an extension
- point to express processing that may be done in Gateway implementations. Some
- examples include request or response modification, implementing
- authentication strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type of the filter.
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
properties:
- cors:
+ headers:
description: |-
- CORS defines a schema for a filter that responds to the
- cross-origin request based on HTTP response header.
-
- Support: Extended
- properties:
- allowCredentials:
- description: |-
- AllowCredentials indicates whether the actual cross-origin request allows
- to include credentials.
-
- The only valid value for the `Access-Control-Allow-Credentials` response
- header is true (case-sensitive).
-
- If the credentials are not allowed in cross-origin requests, the gateway
- will omit the header `Access-Control-Allow-Credentials` entirely rather
- than setting its value to false.
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Support: Extended
- enum:
- - true
- type: boolean
- allowHeaders:
- description: |-
- AllowHeaders indicates which HTTP request headers are supported for
- accessing the requested resource.
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
- Header names are not case sensitive.
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
- Multiple header names in the value of the `Access-Control-Allow-Headers`
- response header are separated by a comma (",").
+ Support: Core (Exact)
- When the `AllowHeaders` field is configured with one or more headers, the
- gateway must return the `Access-Control-Allow-Headers` response header
- which value is present in the `AllowHeaders` field.
+ Support: Implementation-specific (RegularExpression)
- If any header name in the `Access-Control-Request-Headers` request header
- is not included in the list of header names specified by the response
- header `Access-Control-Allow-Headers`, it will present an error on the
- client side.
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
- If any header name in the `Access-Control-Allow-Headers` response header
- does not recognize by the client, it will also occur an error on the
- client side.
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
+ properties:
+ type:
+ default: PathPrefix
+ description: |-
+ Type specifies how to match against the path Value.
- A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ Support: Core (Exact, PathPrefix)
- When the `AllowCredentials` field is specified and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
- HTTP headers in the value of the `Access-Control-Allow-Headers` response
- header. The value of the header `Access-Control-Allow-Headers` is same as
- the `Access-Control-Request-Headers` header provided by the client. If
- the header `Access-Control-Request-Headers` is not included in the
- request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
- Support: Extended
- items:
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
description: |-
- HTTPHeaderName is the name of an HTTP header.
-
- Valid values include:
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
- * "Authorization"
- * "Set-Cookie"
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
- Invalid values include:
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- allowMethods:
- description: |-
- AllowMethods indicates which HTTP methods are supported for accessing the
- requested resource.
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
- Valid values are any method defined by RFC9110, along with the special
- value `*`, which represents all HTTP methods are allowed.
+ Support: Extended (Exact)
- Method names are case sensitive, so these values are also case-sensitive.
- (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+ Support: Implementation-specific (RegularExpression)
- Multiple method names in the value of the `Access-Control-Allow-Methods`
- response header are separated by a comma (",").
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ description: |-
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
- A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
- (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
- CORS-safelisted methods are always allowed, regardless of whether they
- are specified in the `AllowMethods` field.
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ retry:
+ description: |-
+ Retry defines the configuration for when to retry an HTTP request.
- When the `AllowMethods` field is configured with one or more methods, the
- gateway must return the `Access-Control-Allow-Methods` response header
- which value is present in the `AllowMethods` field.
+ Support: Extended
+ properties:
+ attempts:
+ description: |-
+ Attempts specifies the maximum number of times an individual request
+ from the gateway to a backend should be retried.
- If the HTTP method of the `Access-Control-Request-Method` request header
- is not included in the list of methods specified by the response header
- `Access-Control-Allow-Methods`, it will present an error on the client
- side.
+ If the maximum number of retries has been attempted without a successful
+ response from the backend, the Gateway MUST return an error.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ When this field is unspecified, the number of times to attempt to retry
+ a backend request is implementation-specific.
- When the `AllowCredentials` field is specified and `AllowMethods` field
- specified with the `*` wildcard, the gateway must specify one HTTP method
- in the value of the Access-Control-Allow-Methods response header. The
- value of the header `Access-Control-Allow-Methods` is same as the
- `Access-Control-Request-Method` header provided by the client. If the
- header `Access-Control-Request-Method` is not included in the request,
- the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ Support: Extended
+ type: integer
+ backoff:
+ description: |-
+ Backoff specifies the minimum duration a Gateway should wait between
+ retry attempts and is represented in Gateway API Duration formatting.
- Support: Extended
- items:
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- - '*'
- type: string
- maxItems: 9
- type: array
- x-kubernetes-list-type: set
- x-kubernetes-validations:
- - message: AllowMethods cannot contain '*' alongside
- other methods
- rule: '!(''*'' in self && self.size() > 1)'
- allowOrigins:
- description: |-
- AllowOrigins indicates whether the response can be shared with requested
- resource from the given `Origin`.
+ For example, setting the `rules[].retry.backoff` field to the value
+ `100ms` will cause a backend request to first be retried approximately
+ 100 milliseconds after timing out or receiving a response code configured
+ to be retryable.
- The `Origin` consists of a scheme and a host, with an optional port, and
- takes the form `://(:)`.
+ An implementation MAY use an exponential or alternative backoff strategy
+ for subsequent retry attempts, MAY cap the maximum backoff duration to
+ some amount greater than the specified minimum, and MAY add arbitrary
+ jitter to stagger requests, as long as unsuccessful backend requests are
+ not retried before the configured minimum duration.
- Valid values for scheme are: `http` and `https`.
+ If a Request timeout (`rules[].timeouts.request`) is configured on the
+ route, the entire duration of the initial request and any retry attempts
+ MUST not exceed the Request timeout duration. If any retry attempts are
+ still in progress when the Request timeout duration has been reached,
+ these SHOULD be canceled if possible and the Gateway MUST immediately
+ return a timeout error.
- Valid values for port are any integer between 1 and 65535 (the list of
- available TCP/UDP ports). Note that, if not included, port `80` is
- assumed for `http` scheme origins, and port `443` is assumed for `https`
- origins. This may affect origin matching.
+ If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+ configured on the route, any retry attempts which reach the configured
+ BackendRequest timeout duration without a response SHOULD be canceled if
+ possible and the Gateway should wait for at least the specified backoff
+ duration before attempting to retry the backend request again.
- The host part of the origin may contain the wildcard character `*`. These
- wildcard characters behave as follows:
+ If a BackendRequest timeout is _not_ configured on the route, retry
+ attempts MAY time out after an implementation default duration, or MAY
+ remain pending until a configured Request timeout or implementation
+ default duration for total request time is reached.
- * `*` is a greedy match to the _left_, including any number of
- DNS labels to the left of its position. This also means that
- `*` will include any number of period `.` characters to the
- left of its position.
- * A wildcard by itself matches all hosts.
+ When this field is unspecified, the time to wait between retry attempts
+ is implementation-specific.
- An origin value that includes _only_ the `*` character indicates requests
- from all `Origin`s are allowed.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ codes:
+ description: |-
+ Codes defines the HTTP response status codes for which a backend request
+ should be retried.
- When the `AllowOrigins` field is configured with multiple origins, it
- means the server supports clients from multiple origins. If the request
- `Origin` matches the configured allowed origins, the gateway must return
- the given `Origin` and sets value of the header
- `Access-Control-Allow-Origin` same as the `Origin` header provided by the
- client.
+ Support: Extended
+ items:
+ description: |-
+ HTTPRouteRetryStatusCode defines an HTTP response status code for
+ which a backend request should be retried.
- The status code of a successful response to a "preflight" request is
- always an OK status (i.e., 204 or 200).
+ Implementations MUST support the following status codes as retryable:
- If the request `Origin` does not match the configured allowed origins,
- the gateway returns 204/200 response but doesn't set the relevant
- cross-origin response headers. Alternatively, the gateway responds with
- 403 status to the "preflight" request is denied, coupled with omitting
- the CORS headers. The cross-origin request fails on the client side.
- Therefore, the client doesn't attempt the actual cross-origin request.
+ * 500
+ * 502
+ * 503
+ * 504
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ Implementations MAY support specifying additional discrete values in the
+ 500-599 range.
- When the `AllowCredentials` field is specified and `AllowOrigins` field
- specified with the `*` wildcard, the gateway must return a single origin
- in the value of the `Access-Control-Allow-Origin` response header,
- instead of specifying the `*` wildcard. The value of the header
- `Access-Control-Allow-Origin` is same as the `Origin` header provided by
- the client.
+ Implementations MAY support specifying discrete values in the 400-499 range,
+ which are often inadvisable to retry.
+ maximum: 599
+ minimum: 400
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ sessionPersistence:
+ description: |-
+ SessionPersistence defines and configures session persistence
+ for the route rule.
- Support: Extended
- items:
- description: |-
- The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
- encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
- include an authority MUST include a fully qualified domain name or
- IP address as the host.
- maxLength: 253
- minLength: 1
- pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- exposeHeaders:
- description: |-
- ExposeHeaders indicates which HTTP response headers can be exposed
- to client-side scripts in response to a cross-origin request.
+ Support: Extended
+ properties:
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
+
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
- A CORS-safelisted response header is an HTTP header in a CORS response
- that it is considered safe to expose to the client scripts.
- The CORS-safelisted response headers include the following headers:
- `Cache-Control`
- `Content-Language`
- `Content-Length`
- `Content-Type`
- `Expires`
- `Last-Modified`
- `Pragma`
- (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
- The CORS-safelisted response headers are exposed to client by default.
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
- When an HTTP header name is specified using the `ExposeHeaders` field,
- this additional header will be exposed as part of the response to the
- client.
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
- Header names are not case sensitive.
+ Defaults to "Session".
- Multiple header names in the value of the `Access-Control-Expose-Headers`
- response header are separated by a comma (",").
+ Support: Core for "Session" type
- A wildcard indicates that the responses with all HTTP headers are exposed
- to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is
- unspecified.
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
- Support: Extended
- items:
- description: |-
- HTTPHeaderName is the name of an HTTP header.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
- Valid values include:
+ Support: Implementation-specific
+ maxLength: 128
+ type: string
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
- * "Authorization"
- * "Set-Cookie"
+ Support: Core for "Cookie" type
- Invalid values include:
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- maxAge:
- default: 5
- description: |-
- MaxAge indicates the duration (in seconds) for the client to cache the
- results of a "preflight" request.
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
- The information provided by the `Access-Control-Allow-Methods` and
- `Access-Control-Allow-Headers` response headers can be cached by the
- client until the time specified by `Access-Control-Max-Age` elapses.
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
- The default value of `Access-Control-Max-Age` response header is 5
- (seconds).
- format: int32
- minimum: 1
- type: integer
- type: object
- extensionRef:
- description: |-
- ExtensionRef is an optional, implementation-specific extension to the
- "filter" behavior. For example, resource "myroutefilter" in group
- "networking.example.net"). ExtensionRef MUST NOT be used for core and
- extended filters.
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
- This filter can be used multiple times within the same rule.
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
- Support: Implementation-specific
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For example
- "HTTPRoute" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- requestHeaderModifier:
- description: |-
- RequestHeaderModifier defines a schema for a filter that modifies request
- headers.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
- Support: Core
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
- Config:
- remove: ["my-header1", "my-header3"]
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ * The Route refers to a nonexistent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Example: "example.net/gateway-controller".
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- requestMirror:
- description: |-
- RequestMirror defines a schema for a filter that mirrors requests.
- Requests are sent to the specified destination, but responses from
- that destination are ignored.
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
- This filter can be used multiple times within the same rule. Note that
- not all implementations will be able to support mirroring to multiple
- backends.
+ There are two kinds of parent resources with "Core" support:
- Support: Extended
- properties:
- backendRef:
- description: |-
- BackendRef references a resource where mirrored requests are sent.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Mirrored requests must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many endpoints are present
- within this BackendRef.
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
- If the referent cannot be found, this BackendRef is invalid and must be
- dropped from the Gateway. The controller must ensure the "ResolvedRefs"
- condition on the Route status is set to `status: False` and not configure
- this backend in the underlying implementation.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
- If there is a cross-namespace reference to an *existing* object
- that is not allowed by a ReferenceGrant, the controller must ensure the
- "ResolvedRefs" condition on the Route is set to `status: False`,
- with the "RefNotPermitted" reason and not configure this backend in the
- underlying implementation.
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
- In either error case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about the problem.
- Support: Extended for Kubernetes Service
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- Support: Implementation-specific for any other resource
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
- Defaults to "Service" when not specified.
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
- Support: Core (Services with a type other than ExternalName)
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- fraction:
- description: |-
- Fraction represents the fraction of requests that should be
- mirrored to BackendRef.
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- properties:
- denominator:
- default: 100
- format: int32
- minimum: 1
- type: integer
- numerator:
- format: int32
- minimum: 0
- type: integer
- required:
- - numerator
- type: object
- x-kubernetes-validations:
- - message: numerator must be less than or equal to
- denominator
- rule: self.numerator <= self.denominator
- percent:
- description: |-
- Percent represents the percentage of requests that should be
- mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
- requests) and its maximum value is 100 (indicating 100% of requests).
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- required:
- - backendRef
- type: object
- x-kubernetes-validations:
- - message: Only one of percent or fraction may be specified
- in HTTPRequestMirrorFilter
- rule: '!(has(self.percent) && has(self.fraction))'
- requestRedirect:
- description: |-
- RequestRedirect defines a schema for a filter that responds to the
- request with an HTTP redirection.
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
- Support: Core
- properties:
- hostname:
- description: |-
- Hostname is the hostname to be used in the value of the `Location`
- header in the response.
- When empty, the hostname in the `Host` header of the request is used.
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: |-
- Path defines parameters used to modify the path of the incoming request.
- The modified path is then used to construct the `Location` header. When
- empty, the request path is used as-is.
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - conditions
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.hostnames
+ name: Hostnames
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRoute.
+ properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified when
- type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
- : true'
- - message: type must be 'ReplaceFullPath' when replaceFullPath
- is set
- rule: 'has(self.replaceFullPath) ? self.type ==
- ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified when
- type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
- : true'
- - message: type must be 'ReplacePrefixMatch' when
- replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- port:
- description: |-
- Port is the port to be used in the value of the `Location`
- header in the response.
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
- If no port is specified, the redirect port MUST be derived using the
- following rules:
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
- * If redirect scheme is not-empty, the redirect port MUST be the well-known
- port associated with the redirect scheme. Specifically "http" to port 80
- and "https" to port 443. If the redirect scheme does not have a
- well-known port, the listener port of the Gateway SHOULD be used.
- * If redirect scheme is empty, the redirect port MUST be the Gateway
- Listener port.
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
- Implementations SHOULD NOT add the port number in the 'Location'
- header in the following cases:
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
- * A Location header that will use HTTP (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 80.
- * A Location header that will use HTTPS (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 443.
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- scheme:
- description: |-
- Scheme is the scheme to be used in the value of the `Location` header in
- the response. When empty, the scheme of the request is used.
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
- Scheme redirects can affect the port of the redirect, for more information,
- refer to the documentation for the port field of this filter.
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ parentRefs:
+ description: |-
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
- Support: Extended
- enum:
- - http
- - https
- type: string
- statusCode:
- default: 302
- description: |-
- StatusCode is the HTTP status code to be used in response.
+ There are two kinds of parent resources with "Core" support:
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ This API may be extended in the future to support additional kinds of parent
+ resources.
- Support: Core
- enum:
- - 301
- - 302
- type: integer
- type: object
- responseHeaderModifier:
- description: |-
- ResponseHeaderModifier defines a schema for a filter that modifies response
- headers.
+ ParentRefs must be _distinct_. This means either that:
- Support: Extended
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Some examples:
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
- Config:
- remove: ["my-header1", "my-header3"]
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ This API may be extended in the future to support additional kinds of parent
+ resources.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type:
- description: |-
- Type identifies the type of filter to apply. As with other API fields,
- types are classified into three conformance levels:
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
- - Core: Filter types and their corresponding configuration defined by
- "Support: Core" in this package, e.g. "RequestHeaderModifier". All
- implementations must support core filters.
+ There are two kinds of parent resources with "Core" support:
- - Extended: Filter types and their corresponding configuration defined by
- "Support: Extended" in this package, e.g. "RequestMirror". Implementers
- are encouraged to support extended filters.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- - Implementation-specific: Filters that are defined and supported by
- specific vendors.
- In the future, filters showing convergence in behavior across multiple
- implementations will be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration for such filters
- is specified using the ExtensionRef field. `Type` should be set to
- "ExtensionRef" for custom filters.
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
- Implementers are encouraged to define custom implementation types to
- extend the core API with implementation-specific behavior.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
- If a reference to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have been processed by
- that filter MUST receive a HTTP error response.
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - RequestHeaderModifier
- - ResponseHeaderModifier
- - RequestMirror
- - RequestRedirect
- - URLRewrite
- - ExtensionRef
- - CORS
- type: string
- urlRewrite:
- description: |-
- URLRewrite defines a schema for a filter that modifies a request during forwarding.
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- Support: Extended
- properties:
- hostname:
- description: |-
- Hostname is the value to be used to replace the Host header value during
- forwarding.
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
- Support: Extended
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: |-
- Path defines a path rewrite.
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified when
- type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
- : true'
- - message: type must be 'ReplaceFullPath' when replaceFullPath
- is set
- rule: 'has(self.replaceFullPath) ? self.type ==
- ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified when
- type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
- : true'
- - message: type must be 'ReplacePrefixMatch' when
- replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- type: object
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: filter.requestHeaderModifier must be nil if the
- filter.type is not RequestHeaderModifier
- rule: '!(has(self.requestHeaderModifier) && self.type !=
- ''RequestHeaderModifier'')'
- - message: filter.requestHeaderModifier must be specified
- for RequestHeaderModifier filter.type
- rule: '!(!has(self.requestHeaderModifier) && self.type ==
- ''RequestHeaderModifier'')'
- - message: filter.responseHeaderModifier must be nil if the
- filter.type is not ResponseHeaderModifier
- rule: '!(has(self.responseHeaderModifier) && self.type !=
- ''ResponseHeaderModifier'')'
- - message: filter.responseHeaderModifier must be specified
- for ResponseHeaderModifier filter.type
- rule: '!(!has(self.responseHeaderModifier) && self.type
- == ''ResponseHeaderModifier'')'
- - message: filter.requestMirror must be nil if the filter.type
- is not RequestMirror
- rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
- - message: filter.requestMirror must be specified for RequestMirror
- filter.type
- rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
- - message: filter.requestRedirect must be nil if the filter.type
- is not RequestRedirect
- rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
- - message: filter.requestRedirect must be specified for RequestRedirect
- filter.type
- rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
- - message: filter.urlRewrite must be nil if the filter.type
- is not URLRewrite
- rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
- - message: filter.urlRewrite must be specified for URLRewrite
- filter.type
- rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
- - message: filter.extensionRef must be nil if the filter.type
- is not ExtensionRef
- rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
- - message: filter.extensionRef must be specified for ExtensionRef
- filter.type
- rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not
- CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: May specify either httpRouteFilterRequestRedirect
- or httpRouteFilterRequestRewrite, but not both
- rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
- self.exists(f, f.type == ''URLRewrite''))'
- - message: RequestHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
- <= 1
- - message: ResponseHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
- <= 1
- - message: RequestRedirect filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestRedirect').size() <=
- 1
- - message: URLRewrite filter cannot be repeated
- rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
- matches:
- default:
- - path:
- type: PathPrefix
- value: /
- description: |-
- Matches define conditions used for matching the rule against incoming
- HTTP requests. Each match is independent, i.e. this rule will be matched
- if **any** one of the matches is satisfied.
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
- For example, take the following matches configuration:
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
- ```
- matches:
- - path:
- value: "/foo"
- headers:
- - name: "version"
- value: "v2"
- - path:
- value: "/v2/foo"
- ```
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
- For a request to match against this rule, a request must satisfy
- EITHER of the two conditions:
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
- - path prefixed with `/foo` AND contains the header `version: v2`
- - path prefix of `/v2/foo`
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
- See the documentation for HTTPRouteMatch on how to specify multiple
- match conditions that should be ANDed together.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ default:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ description: Rules are a list of HTTP matchers, filters and actions.
+ items:
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
- If no matches are specified, the default is a prefix
- path match on "/", which has the effect of matching every
- HTTP request.
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
- Proxy or Load Balancer routing configuration generated from HTTPRoutes
- MUST prioritize matches based on the following criteria, continuing on
- ties. Across all rules specified on applicable Routes, precedence must be
- given to the match having:
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
- * "Exact" path match.
- * "Prefix" path match with largest number of characters.
- * Method match.
- * Largest number of header matches.
- * Largest number of query param matches.
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
- Note: The precedence of RegularExpression path matches are implementation-specific.
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
- If ties still exist across multiple Routes, matching precedence MUST be
- determined in order of the following criteria, continuing on ties:
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
- * The oldest Route based on creation timestamp.
- * The Route appearing first in alphabetical order by
- "{namespace}/{name}".
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
- If ties still exist within an HTTPRoute, matching precedence MUST be granted
- to the FIRST matching rule (in list order) with a match meeting the above
- criteria.
+ Support: Core for Kubernetes Service
- When no rules matching a request have been successfully attached to the
- parent a request is coming from, a HTTP 404 status code MUST be returned.
- items:
- description: "HTTPRouteMatch defines the predicate used to
- match requests to a given\naction. Multiple match types
- are ANDed together, i.e. the match will\nevaluate to true
- only if all conditions are satisfied.\n\nFor example, the
- match below will match a HTTP request only if its path\nstarts
- with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
- \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
- \ value \"v1\"\n\n```"
- properties:
- headers:
- description: |-
- Headers specifies HTTP request header matchers. Multiple match values are
- ANDed together, meaning, a request must match all the specified headers
- to select the route.
- items:
- description: |-
- HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
- headers.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Support: Extended for Kubernetes ServiceImport
- If multiple entries specify equivalent header names, only the first
- entry with an equivalent name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
+ Support: Implementation-specific for any other resource
- When a header is repeated in an HTTP request, it is
- implementation-specific behavior as to how this is represented.
- Generally, proxies should follow the guidance from the RFC:
- https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
- processing a repeated header, with special handling for "Set-Cookie".
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- description: |-
- Type specifies how to match against the value of the header.
+ Support for weight: Core
+ items:
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
- Support: Core (Exact)
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Support: Implementation-specific (RegularExpression)
- Since RegularExpression HeaderMatchType has implementation-specific
- conformance, implementations can support POSIX, PCRE or any other dialects
- of regular expressions. Please read the implementation's documentation to
- determine the supported dialect.
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- description: Value is the value of HTTP Header to
- be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- method:
- description: |-
- Method specifies HTTP method matcher.
- When specified, this route will be matched only if the request has the
- specified method.
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
- Support: Extended
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- type: string
- path:
- default:
- type: PathPrefix
- value: /
- description: |-
- Path specifies a HTTP request path matcher. If this field is not
- specified, a default prefix match on the "/" path is provided.
- properties:
- type:
- default: PathPrefix
- description: |-
- Type specifies how to match against the path Value.
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
- Support: Core (Exact, PathPrefix)
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
- Support: Implementation-specific (RegularExpression)
- enum:
- - Exact
- - PathPrefix
- - RegularExpression
- type: string
- value:
- default: /
- description: Value of the HTTP path to match against.
- maxLength: 1024
- type: string
- type: object
- x-kubernetes-validations:
- - message: value must be an absolute path and start with
- '/' when type one of ['Exact', 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
- : true'
- - message: must not contain '//' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
- : true'
- - message: must not contain '/./' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
- : true'
- - message: must not contain '/../' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
- : true'
- - message: must not contain '%2f' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
- : true'
- - message: must not contain '%2F' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
- : true'
- - message: must not contain '#' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
- : true'
- - message: must not end with '/..' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
- : true'
- - message: must not end with '/.' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
- : true'
- - message: type must be one of ['Exact', 'PathPrefix',
- 'RegularExpression']
- rule: self.type in ['Exact','PathPrefix'] || self.type
- == 'RegularExpression'
- - message: must only contain valid characters (matching
- ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
- for types ['Exact', 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
- : true'
- queryParams:
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+ properties:
+ filters:
description: |-
- QueryParams specifies HTTP query parameter matchers. Multiple match
- values are ANDed together, meaning, a request must match all the
- specified query parameters to select the route.
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
- Support: Extended
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
items:
description: |-
- HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
- query parameters.
- properties:
- name:
- description: |-
- Name is the name of the HTTP query param to be matched. This must be an
- exact string match. (See
- https://tools.ietf.org/html/rfc7230#section-2.7.3).
-
- If multiple entries specify equivalent query param names, only the first
- entry with an equivalent name MUST be considered for a match. Subsequent
- entries with an equivalent query param name MUST be ignored.
-
- If a query param is repeated in an HTTP request, the behavior is
- purposely left undefined, since different data planes have different
- capabilities. However, it is *recommended* that implementations should
- match against the first value of the param if the data plane supports it,
- as this behavior is expected in other load balancing contexts outside of
- the Gateway API.
-
- Users SHOULD NOT route traffic based on repeated query params to guard
- themselves against potential differences in the implementations.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ cors:
description: |-
- Type specifies how to match against the value of the query parameter.
-
- Support: Extended (Exact)
-
- Support: Implementation-specific (RegularExpression)
-
- Since RegularExpression QueryParamMatchType has Implementation-specific
- conformance, implementations can support POSIX, PCRE or any other
- dialects of regular expressions. Please read the implementation's
- documentation to determine the supported dialect.
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- description: Value is the value of HTTP query param
- to be matched.
- maxLength: 1024
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- maxItems: 64
- type: array
- name:
- description: |-
- Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
- Support: Extended
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- retry:
- description: |-
- Retry defines the configuration for when to retry an HTTP request.
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
- Support: Extended
- properties:
- attempts:
- description: |-
- Attempts specifies the maximum number of times an individual request
- from the gateway to a backend should be retried.
+ When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+ response header with value true (case-sensitive).
- If the maximum number of retries has been attempted without a successful
- response from the backend, the Gateway MUST return an error.
+ When set to false or omitted the gateway will omit the header
+ `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+ behavior).
- When this field is unspecified, the number of times to attempt to retry
- a backend request is implementation-specific.
+ Support: Extended
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
- Support: Extended
- type: integer
- backoff:
- description: |-
- Backoff specifies the minimum duration a Gateway should wait between
- retry attempts and is represented in Gateway API Duration formatting.
+ Header names are not case sensitive.
- For example, setting the `rules[].retry.backoff` field to the value
- `100ms` will cause a backend request to first be retried approximately
- 100 milliseconds after timing out or receiving a response code configured
- to be retryable.
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
- An implementation MAY use an exponential or alternative backoff strategy
- for subsequent retry attempts, MAY cap the maximum backoff duration to
- some amount greater than the specified minimum, and MAY add arbitrary
- jitter to stagger requests, as long as unsuccessful backend requests are
- not retried before the configured minimum duration.
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
- If a Request timeout (`rules[].timeouts.request`) is configured on the
- route, the entire duration of the initial request and any retry attempts
- MUST not exceed the Request timeout duration. If any retry attempts are
- still in progress when the Request timeout duration has been reached,
- these SHOULD be canceled if possible and the Gateway MUST immediately
- return a timeout error.
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
- If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
- configured on the route, any retry attempts which reach the configured
- BackendRequest timeout duration without a response SHOULD be canceled if
- possible and the Gateway should wait for at least the specified backoff
- duration before attempting to retry the backend request again.
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
- If a BackendRequest timeout is _not_ configured on the route, retry
- attempts MAY time out after an implementation default duration, or MAY
- remain pending until a configured Request timeout or implementation
- default duration for total request time is reached.
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- When this field is unspecified, the time to wait between retry attempts
- is implementation-specific.
+ When the `AllowCredentials` field is true and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- codes:
- description: |-
- Codes defines the HTTP response status codes for which a backend request
- should be retried.
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
- Support: Extended
- items:
- description: |-
- HTTPRouteRetryStatusCode defines an HTTP response status code for
- which a backend request should be retried.
+ Valid values include:
- Implementations MUST support the following status codes as retryable:
+ * "Authorization"
+ * "Set-Cookie"
- * 500
- * 502
- * 503
- * 504
+ Invalid values include:
- Implementations MAY support specifying additional discrete values in the
- 500-599 range.
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
+ description: |-
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
- Implementations MAY support specifying discrete values in the 400-499 range,
- which are often inadvisable to retry.
- maximum: 599
- minimum: 400
- type: integer
- type: array
- type: object
- sessionPersistence:
- description: |-
- SessionPersistence defines and configures session persistence
- for the route rule.
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
- Support: Extended
- properties:
- absoluteTimeout:
- description: |-
- AbsoluteTimeout defines the absolute timeout of the persistent
- session. Once the AbsoluteTimeout duration has elapsed, the
- session becomes invalid.
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- cookieConfig:
- description: |-
- CookieConfig provides configuration settings that are specific
- to cookie-based session persistence.
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
- Support: Core
- properties:
- lifetimeType:
- default: Session
- description: |-
- LifetimeType specifies whether the cookie has a permanent or
- session-based lifetime. A permanent cookie persists until its
- specified expiry time, defined by the Expires or Max-Age cookie
- attributes, while a session cookie is deleted when the current
- session ends.
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
- When set to "Permanent", AbsoluteTimeout indicates the
- cookie's lifetime via the Expires or Max-Age cookie attributes
- and is required.
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
- When set to "Session", AbsoluteTimeout indicates the
- absolute lifetime of the cookie tracked by the gateway and
- is optional.
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
- Defaults to "Session".
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- Support: Core for "Session" type
+ When the `AllowCredentials` field is true and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
- Support: Extended for "Permanent" type
- enum:
- - Permanent
- - Session
- type: string
- type: object
- idleTimeout:
- description: |-
- IdleTimeout defines the idle timeout of the persistent session.
- Once the session has been idle for more than the specified
- IdleTimeout duration, the session becomes invalid.
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- sessionName:
- description: |-
- SessionName defines the name of the persistent session token
- which may be reflected in the cookie or the header. Users
- should avoid reusing session names to prevent unintended
- consequences, such as rejection or unpredictable behavior.
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
- Support: Implementation-specific
- maxLength: 128
- type: string
- type:
- default: Cookie
- description: |-
- Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
- persistence.
+ Valid values for scheme are: `http` and `https`.
- Support: Core for "Cookie" type
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
- Support: Extended for "Header" type
- enum:
- - Cookie
- - Header
- type: string
- type: object
- x-kubernetes-validations:
- - message: AbsoluteTimeout must be specified when cookie lifetimeType
- is Permanent
- rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
- || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
- timeouts:
- description: |-
- Timeouts defines the timeouts that can be configured for an HTTP request.
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
- Support: Extended
- properties:
- backendRequest:
- description: |-
- BackendRequest specifies a timeout for an individual request from the gateway
- to a backend. This covers the time from when the request first starts being
- sent from the gateway to when the full response has been received from the backend.
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
- Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
- completely. Implementations that cannot completely disable the timeout MUST
- instead interpret the zero duration as the longest possible value to which
- the timeout can be set.
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
- An entire client HTTP transaction with a gateway, covered by the Request timeout,
- may result in more than one call from the gateway to the destination backend,
- for example, if automatic retries are supported.
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
- The value of BackendRequest must be a Gateway API Duration string as defined by
- GEP-2257. When this field is unspecified, its behavior is implementation-specific;
- when specified, the value of BackendRequest must be no more than the value of the
- Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- request:
- description: |-
- Request specifies the maximum duration for a gateway to respond to an HTTP request.
- If the gateway has not been able to respond before this deadline is met, the gateway
- MUST return a timeout error.
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
- For example, setting the `rules.timeouts.request` field to the value `10s` in an
- `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
- to complete.
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
- completely. Implementations that cannot completely disable the timeout MUST
- instead interpret the zero duration as the longest possible value to which
- the timeout can be set.
+ When the `AllowCredentials` field is true and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
- This timeout is intended to cover as close to the whole request-response transaction
- as possible although an implementation MAY choose to start the timeout after the entire
- request stream has been received instead of immediately after the transaction is
- initiated by the client.
+ Support: Extended
+ items:
+ description: |-
+ The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The CORSOrigin MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ URIs that include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowOrigins cannot contain '*' alongside
+ other origins
+ rule: '!(''*'' in self && self.size() > 1)'
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
- The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
- field is unspecified, request timeout behavior is implementation-specific.
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- type: object
- x-kubernetes-validations:
- - message: backendRequest timeout cannot be longer than request
- timeout
- rule: '!(has(self.request) && has(self.backendRequest) &&
- duration(self.request) != duration(''0s'') && duration(self.backendRequest)
- > duration(self.request))'
- type: object
- x-kubernetes-validations:
- - message: RequestRedirect filter must not be used together with
- backendRefs
- rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
- (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
- true'
- - message: When using RequestRedirect filter with path.replacePrefixMatch,
- exactly one PathPrefix match must be specified
- rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
- && has(f.requestRedirect.path) && f.requestRedirect.path.type
- == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
- ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
- self.matches[0].path.type != ''PathPrefix'') ? false : true)
- : true'
- - message: When using URLRewrite filter with path.replacePrefixMatch,
- exactly one PathPrefix match must be specified
- rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
- && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
- && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
- != 1 || !has(self.matches[0].path) || self.matches[0].path.type
- != ''PathPrefix'') ? false : true) : true'
- - message: Within backendRefs, when using RequestRedirect filter
- with path.replacePrefixMatch, exactly one PathPrefix match must
- be specified
- rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
- (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
- && has(f.requestRedirect.path) && f.requestRedirect.path.type
- == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
- )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
- || self.matches[0].path.type != ''PathPrefix'') ? false : true)
- : true'
- - message: Within backendRefs, When using URLRewrite filter with
- path.replacePrefixMatch, exactly one PathPrefix match must be
- specified
- rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
- (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
- && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
- && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
- != 1 || !has(self.matches[0].path) || self.matches[0].path.type
- != ''PathPrefix'') ? false : true) : true'
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: While 16 rules and 64 matches per rule are allowed, the
- total number of matches across all rules in a route must be less
- than 128
- rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
- > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
- : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
- > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
- : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
- > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
- : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
- > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
- : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
- > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
- : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
- - message: Rule name must be unique within the route
- rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
- && l1.name == l2.name))
- type: object
- status:
- description: Status defines the current state of HTTPRoute.
- properties:
- parents:
- description: |-
- Parents is a list of parent resources (usually Gateways) that are
- associated with the route, and the status of the route with respect to
- each parent. When this route attaches to a parent, the controller that
- manages the parent must add an entry to this list when the controller
- first sees the route and should update the entry as appropriate when the
- route or gateway is modified.
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
- Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this API
- can only populate Route status for the Gateways/parent resources they are
- responsible for.
+ Header names are not case sensitive.
- A maximum of 32 Gateways will be represented in this list. An empty list
- means the route has not been attached to any Gateway.
- items:
- description: |-
- RouteParentStatus describes the status of a route with respect to an
- associated Parent.
- properties:
- conditions:
- description: |-
- Conditions describes the status of the route with respect to the Gateway.
- Note that the route's availability is also subject to the Gateway's own
- status conditions and listener status.
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
- If the Route's ParentRef specifies an existing Gateway that supports
- Routes of this kind AND that Gateway's controller has sufficient access,
- then that Gateway's controller MUST set the "Accepted" condition on the
- Route, to indicate whether the route has been accepted or rejected by the
- Gateway, and why.
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
- A Route MUST be considered "Accepted" if at least one of the Route's
- rules is implemented by the Gateway.
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
- There are a number of cases where the "Accepted" condition may not be set
- due to lack of controller visibility, that includes when:
+ Valid values include:
- * The Route refers to a nonexistent parent.
- * The Route is of a type that the controller does not support.
- * The Route is in a namespace the controller does not have access to.
- items:
- description: Condition contains details for one aspect of
- the current state of this API Resource.
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False,
- Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- controllerName:
- description: |-
- ControllerName is a domain/path string that indicates the name of the
- controller that wrote this status. This corresponds with the
- controllerName field on GatewayClass.
+ * "Authorization"
+ * "Set-Cookie"
- Example: "example.net/gateway-controller".
+ Invalid values include:
- The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
- valid Kubernetes names
- (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
- Controllers MUST populate this field when writing status. Controllers should ensure that
- entries to status populated with their ControllerName are cleaned up when they are no
- longer necessary.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- parentRef:
- description: |-
- ParentRef corresponds with a ParentRef in the spec that this
- RouteParentStatus struct describes the status of.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: |-
- Group is the group of the referent.
- When unspecified, "gateway.networking.k8s.io" is inferred.
- To set the core API group (such as for a "Service" kind referent),
- Group must be explicitly set to "" (empty string).
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: |-
- Kind is kind of the referent.
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
- There are two kinds of parent resources with "Core" support:
+ This filter can be used multiple times within the same rule.
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ externalAuth:
+ description: |-
+ ExternalAuth configures settings related to sending request details
+ to an external auth service. The external service MUST authenticate
+ the request, and MAY authorize the request as well.
- Support for other resources is Implementation-Specific.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: |-
- Name is the name of the referent.
+ If there is any problem communicating with the external service,
+ this filter MUST fail closed.
- Support: Core
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. When unspecified, this refers
- to the local namespace of the Route.
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef is a reference to a backend to send authorization
+ requests to.
- Note that there are specific rules for ParentRefs which cross namespace
- boundaries. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example:
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable any other kind of cross-namespace reference.
+ The backend must speak the selected protocol (GRPC or HTTP) on the
+ referenced port.
+ If the backend service requires TLS, use BackendTLSPolicy to tell the
+ implementation to supply the TLS details to be used to connect to that
+ backend.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
+ Defaults to "Service" when not specified.
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ forwardBody:
+ description: |-
+ ForwardBody controls if requests to the authorization server should include
+ the body of the client request; and if so, how big that body is allowed
+ to be.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port is the network port this Route targets. It can be interpreted
- differently based on the type of parent resource.
+ It is expected that implementations will buffer the request body up to
+ `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+ 4xx series error (413 or 403 are common examples), and fail processing
+ of the filter.
- When the parent resource is a Gateway, this targets all listeners
- listening on the specified port that also support this kind of Route(and
- select this Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to a specific port
- as opposed to a listener(s) whose port(s) may be changed. When both Port
- and SectionName are specified, the name and port of the selected listener
- must match both specified values.
+ If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+ be forwarded.
+ Feature Name: HTTPRouteExternalAuthForwardBody
+ properties:
+ maxSize:
+ description: |-
+ MaxSize specifies how large in bytes the largest body that will be buffered
+ and sent to the authorization server. If the body size is larger than
+ `maxSize`, then the body sent to the authorization server must be
+ truncated to `maxSize` bytes.
- When the parent resource is a Service, this targets a specific port in the
- Service spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified values.
+ Experimental note: This behavior needs to be checked against
+ various dataplanes; it may need to be changed.
+ See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+ for more.
+ If 0, the body will not be sent to the authorization server.
+ type: integer
+ type: object
+ grpc:
+ description: |-
+ GRPCAuthConfig contains configuration for communication with ext_authz
+ protocol-speaking backends.
- Implementations MAY choose to support other parent resources.
- Implementations supporting other types of parent resources MUST clearly
- document how/if Port is interpreted.
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what headers from the client request
+ will be sent to the authorization server.
- For the purpose of status, an attachment is considered successful as
- long as the parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
+ If this list is empty, then all headers must be sent.
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- description: |-
- SectionName is the name of a section within the target resource. In the
- following resources, SectionName is interpreted as the following:
+ If the list has entries, only those entries must be sent.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ type: object
+ http:
+ description: |-
+ HTTPAuthConfig contains configuration for communication with HTTP-speaking
+ backends.
- * Gateway: Listener name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
- * Service: Port name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what additional headers from the client request
+ will be sent to the authorization server.
+
+ The following headers must always be sent to the authorization server,
+ regardless of this setting:
+
+ * `Host`
+ * `Method`
+ * `Path`
+ * `Content-Length`
+ * `Authorization`
+
+ If this list is empty, then only those headers must be sent.
+
+ Note that `Content-Length` has a special behavior, in that the length
+ sent must be correct for the actual request to the external authorization
+ server - that is, it must reflect the actual number of bytes sent in the
+ body of the request to the authorization server.
+
+ So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+ to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+ to anything other than `0`, then the `Content-Length` of the authorization
+ request must be set to the actual number of bytes forwarded.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ allowedResponseHeaders:
+ description: |-
+ AllowedResponseHeaders specifies what headers from the authorization response
+ will be copied into the request to the backend.
- Implementations MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName is
- interpreted.
+ If this list is empty, then all headers from the authorization server
+ except Authority or Host must be copied.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ path:
+ description: |-
+ Path sets the prefix that paths from the client request will have added
+ when forwarded to the authorization server.
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
+ When empty or unspecified, no prefix is added.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- required:
- - controllerName
- - parentRef
- type: object
- maxItems: 32
- type: array
- required:
- - parents
- type: object
- required:
- - spec
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .spec.hostnames
- name: Hostnames
- type: string
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: |-
- HTTPRoute provides a way to route HTTP requests. This includes the capability
- to match requests by hostname, path, header, or query param. Filters can be
- used to specify additional processing steps. Backends specify where matching
- requests should be routed.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of HTTPRoute.
- properties:
- hostnames:
- description: |-
- Hostnames defines a set of hostnames that should match against the HTTP Host
- header to select a HTTPRoute used to process the request. Implementations
- MUST ignore any port value specified in the HTTP Host header while
- performing a match and (absent of any applicable header modification
- configuration) MUST forward this header unmodified to the backend.
+ Valid values are the same as the "value" regex for path values in the `match`
+ stanza, and the validation regex will screen out invalid paths in the same way.
+ Even with the validation, implementations MUST sanitize this input before using it
+ directly.
+ maxLength: 1024
+ pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$
+ type: string
+ type: object
+ protocol:
+ description: |-
+ ExternalAuthProtocol describes which protocol to use when communicating with an
+ ext_authz authorization server.
- Valid values for Hostnames are determined by RFC 1123 definition of a
- hostname with 2 notable exceptions:
+ When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+ on the port specified in `backendRefs`. Requests and responses are defined
+ in the protobufs explained at:
+ https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
- 1. IPs are not allowed.
- 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
- label must appear by itself as the first label.
+ When this is set to HTTP, each backend must respond with a `200` status
+ code in on a successful authorization. Any other code is considered
+ an authorization failure.
- If a hostname is specified by both the Listener and HTTPRoute, there
- must be at least one intersecting hostname for the HTTPRoute to be
- attached to the Listener. For example:
+ Feature Names:
+ GRPC Support - HTTPRouteExternalAuthGRPC
+ HTTP Support - HTTPRouteExternalAuthHTTP
+ enum:
+ - HTTP
+ - GRPC
+ type: string
+ required:
+ - backendRef
+ - protocol
+ type: object
+ x-kubernetes-validations:
+ - message: grpc must be specified when protocol
+ is set to 'GRPC'
+ rule: 'self.protocol == ''GRPC'' ? has(self.grpc)
+ : true'
+ - message: protocol must be 'GRPC' when grpc is
+ set
+ rule: 'has(self.grpc) ? self.protocol == ''GRPC''
+ : true'
+ - message: http must be specified when protocol
+ is set to 'HTTP'
+ rule: 'self.protocol == ''HTTP'' ? has(self.http)
+ : true'
+ - message: protocol must be 'HTTP' when http is
+ set
+ rule: 'has(self.http) ? self.protocol == ''HTTP''
+ : true'
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
- * A Listener with `test.example.com` as the hostname matches HTTPRoutes
- that have either not specified any hostnames, or have specified at
- least one of `test.example.com` or `*.example.com`.
- * A Listener with `*.example.com` as the hostname matches HTTPRoutes
- that have either not specified any hostnames or have specified at least
- one hostname that matches the Listener hostname. For example,
- `*.example.com`, `test.example.com`, and `foo.test.example.com` would
- all match. On the other hand, `example.com` and `test.example.net` would
- not match.
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
- Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
- as a suffix match. That means that a match for `*.example.com` would match
- both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- If both the Listener and HTTPRoute have specified hostnames, any
- HTTPRoute hostnames that do not match the Listener hostname MUST be
- ignored. For example, if a Listener specified `*.example.com`, and the
- HTTPRoute specified `test.example.com` and `test.example.net`,
- `test.example.net` must not be considered for a match.
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- If both the Listener and HTTPRoute have specified hostnames, and none
- match with the criteria above, then the HTTPRoute is not accepted. The
- implementation must raise an 'Accepted' Condition with a status of
- `False` in the corresponding RouteParentStatus.
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
- overlapping wildcard matching and exact matching hostnames), precedence must
- be given to rules from the HTTPRoute with the largest number of:
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- * Characters in a matching non-wildcard hostname.
- * Characters in a matching hostname.
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- If ties exist across multiple Routes, the matching precedence rules for
- HTTPRouteMatches takes over.
+ Config:
+ remove: ["my-header1", "my-header3"]
- Support: Core
- items:
- description: |-
- Hostname is the fully qualified domain name of a network host. This matches
- the RFC 1123 definition of a hostname with 2 notable exceptions:
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- 1. IPs are not allowed.
- 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
- label must appear by itself as the first label.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Hostname can be "precise" which is a domain name without the terminating
- dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
- domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
- Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
- alphanumeric characters or '-', and must start and end with an alphanumeric
- character. No other punctuation is allowed.
- maxLength: 253
- minLength: 1
- pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- maxItems: 16
- type: array
- parentRefs:
- description: |-
- ParentRefs references the resources (usually Gateways) that a Route wants
- to be attached to. Note that the referenced parent resource needs to
- allow this for the attachment to be complete. For Gateways, that means
- the Gateway needs to allow attachment from Routes of this kind and
- namespace. For Services, that means the Service must either be in the same
- namespace for a "producer" route, or the mesh implementation must support
- and allow "consumer" routes for the referenced Service. ReferenceGrant is
- not applicable for governing ParentRefs to Services - it is not possible to
- create a "producer" route for a Service in a different namespace from the
- Route.
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- There are two kinds of parent resources with "Core" support:
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |-
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
- This API may be extended in the future to support additional kinds of parent
- resources.
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
- ParentRefs must be _distinct_. This means either that:
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
- * They select different objects. If this is the case, then parentRef
- entries are distinct. In terms of fields, this means that the
- multi-part key defined by `group`, `kind`, `namespace`, and `name` must
- be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field used,
- each ParentRef that selects the same object must set the same set of
- optional fields to different values. If one ParentRef sets a
- combination of optional fields, all must set the same combination.
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
- Some examples:
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
- * If one ParentRef sets `sectionName`, all ParentRefs referencing the
- same object must also set `sectionName`.
- * If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`.
- * If one ParentRef sets `sectionName` and `port`, all ParentRefs
- referencing the same object must also set `sectionName` and `port`.
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
- It is possible to separately reference multiple distinct objects that may
- be collapsed by an implementation. For example, some implementations may
- choose to merge compatible Gateway Listeners together. If that is the
- case, the list of routes attached to those resources should also be
- merged.
+ Support: Extended for Kubernetes Service
- Note that for ParentRefs that cross namespace boundaries, there are specific
- rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example,
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable other kinds of cross-namespace reference.
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+ Defaults to "Service" when not specified.
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
- items:
- description: |-
- ParentReference identifies an API object (usually a Gateway) that can be considered
- a parent of this resource (usually a route). There are two kinds of parent resources
- with "Core" support:
+ Support: Core (Services with a type other than ExternalName)
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- This API may be extended in the future to support additional kinds of parent
- resources.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
- properties:
- group:
- default: gateway.networking.k8s.io
- description: |-
- Group is the group of the referent.
- When unspecified, "gateway.networking.k8s.io" is inferred.
- To set the core API group (such as for a "Service" kind referent),
- Group must be explicitly set to "" (empty string).
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ fraction:
+ description: |-
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- description: |-
- Kind is kind of the referent.
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal
+ to denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |-
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
- There are two kinds of parent resources with "Core" support:
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ required:
+ - backendRef
+ type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be
+ specified in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
+ requestRedirect:
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
- * Gateway (Gateway conformance profile)
- * Service (Mesh conformance profile, ClusterIP Services only)
+ Support: Core
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
- Support for other resources is Implementation-Specific.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: |-
- Name is the name of the referent.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
- Support: Core
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent. When unspecified, this refers
- to the local namespace of the Route.
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
- Note that there are specific rules for ParentRefs which cross namespace
- boundaries. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For example:
- Gateway has the AllowedRoutes field, and ReferenceGrant provides a
- generic way to enable any other kind of cross-namespace reference.
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
- ParentRefs from a Route to a Service in the same namespace are "producer"
- routes, which apply default routing rules to inbound connections from
- any namespace to the Service.
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- ParentRefs from a Route to a Service in a different namespace are
- "consumer" routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the Route, for which
- the intended destination of the connections are a Service targeted as a
- ParentRef of the Route.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port is the network port this Route targets. It can be interpreted
- differently based on the type of parent resource.
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
- When the parent resource is a Gateway, this targets all listeners
- listening on the specified port that also support this kind of Route(and
- select this Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to a specific port
- as opposed to a listener(s) whose port(s) may be changed. When both Port
- and SectionName are specified, the name and port of the selected listener
- must match both specified values.
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
- When the parent resource is a Service, this targets a specific port in the
- Service spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified values.
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
- Implementations MAY choose to support other parent resources.
- Implementations supporting other types of parent resources MUST clearly
- document how/if Port is interpreted.
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
- For the purpose of status, an attachment is considered successful as
- long as the parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
- from the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- description: |-
- SectionName is the name of a section within the target resource. In the
- following resources, SectionName is interpreted as the following:
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
- * Gateway: Listener name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
- * Service: Port name. When both Port (experimental) and SectionName
- are specified, the name and port of the selected listener must match
- both specified values.
+ Support: Extended
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
- Implementations MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName is
- interpreted.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- maxItems: 32
- type: array
- x-kubernetes-validations:
- - message: sectionName or port must be specified when parentRefs includes
- 2 or more references to the same parent
- rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
- || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
- == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
- p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
- || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
- == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
- || p2.port == 0)): true))'
- - message: sectionName or port must be unique when parentRefs includes
- 2 or more references to the same parent
- rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
- == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
- || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
- == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
- p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
- || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
- == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
- == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
- || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
- == p2.port))))
- rules:
- default:
- - matches:
- - path:
- type: PathPrefix
- value: /
- description: Rules are a list of HTTP matchers, filters and actions.
- items:
- description: |-
- HTTPRouteRule defines semantics for matching an HTTP request based on
- conditions (matches), processing it (filters), and forwarding the request to
- an API object (backendRefs).
- properties:
- backendRefs:
- description: |-
- BackendRefs defines the backend(s) where matching requests should be
- sent.
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
- Failure behavior here depends on how many BackendRefs are specified and
- how many are invalid.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- If *all* entries in BackendRefs are invalid, and there are also no filters
- specified in this route rule, *all* traffic which matches this rule MUST
- receive a 500 status code.
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- See the HTTPBackendRef definition for the rules about what makes a single
- HTTPBackendRef invalid.
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
- requests that would have otherwise been routed to an invalid backend. If
- multiple backends are specified, and some are invalid, the proportion of
- requests that would otherwise have been routed to an invalid backend
- MUST receive a 500 status code.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- For example, if two backends are specified with equal weights, and one is
- invalid, 50 percent of traffic must receive a 500. Implementations may
- choose how that 50 percent is determined.
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- When a HTTPBackendRef refers to a Service that has no ready endpoints,
- implementations SHOULD return a 503 for requests to that backend instead.
- If an implementation chooses to do this, all of the above rules for 500 responses
- MUST also apply for responses that return a 503.
+ Config:
+ remove: ["my-header1", "my-header3"]
- Support: Core for Kubernetes Service
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- Support: Extended for Kubernetes ServiceImport
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Support: Implementation-specific for any other resource
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
- Support for weight: Core
- items:
- description: |-
- HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Note that when a namespace different than the local namespace is specified, a
- ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
- When the BackendRef points to a Kubernetes Service, implementations SHOULD
- honor the appProtocol field if it is set for the target Service Port.
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
- Implementations supporting appProtocol SHOULD recognize the Kubernetes
- Standard Application Protocols defined in KEP-3726.
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
- If a Service appProtocol isn't specified, an implementation MAY infer the
- backend protocol through its own means. Implementations MAY infer the
- protocol from the Route type referring to the backend Service.
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
- If a Route is not able to send traffic to the backend using the specified
- protocol then the backend is considered invalid. Implementations MUST set the
- "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
- properties:
- filters:
- description: |-
- Filters defined at this level should be executed if and only if the
- request is being forwarded to the backend defined here.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Support: Implementation-specific (For broader support of filters, use the
- Filters field in HTTPRouteRule.)
- items:
- description: |-
- HTTPRouteFilter defines processing steps that must be completed during the
- request or response lifecycle. HTTPRouteFilters are meant as an extension
- point to express processing that may be done in Gateway implementations. Some
- examples include request or response modification, implementing
- authentication strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type of the filter.
- properties:
- cors:
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ - CORS
+ - ExternalAuth
+ type: string
+ urlRewrite:
description: |-
- CORS defines a schema for a filter that responds to the
- cross-origin request based on HTTP response header.
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
Support: Extended
properties:
- allowCredentials:
+ hostname:
description: |-
- AllowCredentials indicates whether the actual cross-origin request allows
- to include credentials.
-
- The only valid value for the `Access-Control-Allow-Credentials` response
- header is true (case-sensitive).
-
- If the credentials are not allowed in cross-origin requests, the gateway
- will omit the header `Access-Control-Allow-Credentials` entirely rather
- than setting its value to false.
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
Support: Extended
- enum:
- - true
- type: boolean
- allowHeaders:
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
description: |-
- AllowHeaders indicates which HTTP request headers are supported for
- accessing the requested resource.
-
- Header names are not case sensitive.
-
- Multiple header names in the value of the `Access-Control-Allow-Headers`
- response header are separated by a comma (",").
-
- When the `AllowHeaders` field is configured with one or more headers, the
- gateway must return the `Access-Control-Allow-Headers` response header
- which value is present in the `AllowHeaders` field.
+ Path defines a path rewrite.
- If any header name in the `Access-Control-Request-Headers` request header
- is not included in the list of header names specified by the response
- header `Access-Control-Allow-Headers`, it will present an error on the
- client side.
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
- If any header name in the `Access-Control-Allow-Headers` response header
- does not recognize by the client, it will also occur an error on the
- client side.
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
- A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
- When the `AllowCredentials` field is specified and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
- HTTP headers in the value of the `Access-Control-Allow-Headers` response
- header. The value of the header `Access-Control-Allow-Headers` is same as
- the `Access-Control-Request-Headers` header provided by the client. If
- the header `Access-Control-Request-Headers` is not included in the
- request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- Support: Extended
- items:
- description: |-
- HTTPHeaderName is the name of an HTTP header.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- Valid values include:
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified
+ when type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ?
+ has(self.replaceFullPath) : true'
+ - message: type must be 'ReplaceFullPath' when
+ replaceFullPath is set
+ rule: 'has(self.replaceFullPath) ? self.type
+ == ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified
+ when type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch''
+ ? has(self.replacePrefixMatch) : true'
+ - message: type must be 'ReplacePrefixMatch'
+ when replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil
+ if the filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type
+ != ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type
+ == ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil
+ if the filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type
+ != ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for
+ RequestMirror filter.type
+ rule: '!(!has(self.requestMirror) && self.type ==
+ ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the
+ filter.type is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type !=
+ ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified
+ for RequestRedirect filter.type
+ rule: '!(!has(self.requestRedirect) && self.type ==
+ ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for
+ ExtensionRef filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type
+ is not CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
+ - message: filter.externalAuth must be nil if the filter.type
+ is not ExternalAuth
+ rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
+ - message: filter.externalAuth must be specified for
+ ExternalAuth filter.type
+ rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'')
+ && self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size()
+ <= 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size()
+ <= 1
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- * "Authorization"
- * "Set-Cookie"
+ Defaults to "Service" when not specified.
- Invalid values include:
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- allowMethods:
- description: |-
- AllowMethods indicates which HTTP methods are supported for accessing the
- requested resource.
+ Support: Core (Services with a type other than ExternalName)
- Valid values are any method defined by RFC9110, along with the special
- value `*`, which represents all HTTP methods are allowed.
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- Method names are case sensitive, so these values are also case-sensitive.
- (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Multiple method names in the value of the `Access-Control-Allow-Methods`
- response header are separated by a comma (",").
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
- A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
- (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
- CORS-safelisted methods are always allowed, regardless of whether they
- are specified in the `AllowMethods` field.
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
- When the `AllowMethods` field is configured with one or more methods, the
- gateway must return the `Access-Control-Allow-Methods` response header
- which value is present in the `AllowMethods` field.
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ filters:
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
- If the HTTP method of the `Access-Control-Request-Method` request header
- is not included in the list of methods specified by the response header
- `Access-Control-Allow-Methods`, it will present an error on the client
- side.
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that cannot be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
- When the `AllowCredentials` field is specified and `AllowMethods` field
- specified with the `*` wildcard, the gateway must specify one HTTP method
- in the value of the Access-Control-Allow-Methods response header. The
- value of the header `Access-Control-Allow-Methods` is same as the
- `Access-Control-Request-Method` header provided by the client. If the
- header `Access-Control-Request-Method` is not included in the request,
- the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
- Support: Extended
- items:
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- - '*'
- type: string
- maxItems: 9
- type: array
- x-kubernetes-list-type: set
- x-kubernetes-validations:
- - message: AllowMethods cannot contain '*' alongside
- other methods
- rule: '!(''*'' in self && self.size() > 1)'
- allowOrigins:
- description: |-
- AllowOrigins indicates whether the response can be shared with requested
- resource from the given `Origin`.
+ Conformance-levels at this level are defined based on the type of filter:
- The `Origin` consists of a scheme and a host, with an optional port, and
- takes the form `://(:)`.
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
- Valid values for scheme are: `http` and `https`.
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
- Valid values for port are any integer between 1 and 65535 (the list of
- available TCP/UDP ports). Note that, if not included, port `80` is
- assumed for `http` scheme origins, and port `443` is assumed for `https`
- origins. This may affect origin matching.
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation cannot support other combinations of filters, they must clearly
+ document that limitation. In cases where incompatible or unsupported
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
- The host part of the origin may contain the wildcard character `*`. These
- wildcard characters behave as follows:
+ Support: Core
+ items:
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
+ properties:
+ cors:
+ description: |-
+ CORS defines a schema for a filter that responds to the
+ cross-origin request based on HTTP response header.
- * `*` is a greedy match to the _left_, including any number of
- DNS labels to the left of its position. This also means that
- `*` will include any number of period `.` characters to the
- left of its position.
- * A wildcard by itself matches all hosts.
+ Support: Extended
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether the actual cross-origin request allows
+ to include credentials.
- An origin value that includes _only_ the `*` character indicates requests
- from all `Origin`s are allowed.
+ When set to true, the gateway will include the `Access-Control-Allow-Credentials`
+ response header with value true (case-sensitive).
- When the `AllowOrigins` field is configured with multiple origins, it
- means the server supports clients from multiple origins. If the request
- `Origin` matches the configured allowed origins, the gateway must return
- the given `Origin` and sets value of the header
- `Access-Control-Allow-Origin` same as the `Origin` header provided by the
- client.
+ When set to false or omitted the gateway will omit the header
+ `Access-Control-Allow-Credentials` entirely (this is the standard CORS
+ behavior).
- The status code of a successful response to a "preflight" request is
- always an OK status (i.e., 204 or 200).
+ Support: Extended
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders indicates which HTTP request headers are supported for
+ accessing the requested resource.
- If the request `Origin` does not match the configured allowed origins,
- the gateway returns 204/200 response but doesn't set the relevant
- cross-origin response headers. Alternatively, the gateway responds with
- 403 status to the "preflight" request is denied, coupled with omitting
- the CORS headers. The cross-origin request fails on the client side.
- Therefore, the client doesn't attempt the actual cross-origin request.
+ Header names are not case sensitive.
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ Multiple header names in the value of the `Access-Control-Allow-Headers`
+ response header are separated by a comma (",").
- When the `AllowCredentials` field is specified and `AllowOrigins` field
- specified with the `*` wildcard, the gateway must return a single origin
- in the value of the `Access-Control-Allow-Origin` response header,
- instead of specifying the `*` wildcard. The value of the header
- `Access-Control-Allow-Origin` is same as the `Origin` header provided by
- the client.
+ When the `AllowHeaders` field is configured with one or more headers, the
+ gateway must return the `Access-Control-Allow-Headers` response header
+ which value is present in the `AllowHeaders` field.
- Support: Extended
- items:
- description: |-
- The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
- encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
- include an authority MUST include a fully qualified domain name or
- IP address as the host.
- maxLength: 253
- minLength: 1
- pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- exposeHeaders:
- description: |-
- ExposeHeaders indicates which HTTP response headers can be exposed
- to client-side scripts in response to a cross-origin request.
+ If any header name in the `Access-Control-Request-Headers` request header
+ is not included in the list of header names specified by the response
+ header `Access-Control-Allow-Headers`, it will present an error on the
+ client side.
- A CORS-safelisted response header is an HTTP header in a CORS response
- that it is considered safe to expose to the client scripts.
- The CORS-safelisted response headers include the following headers:
- `Cache-Control`
- `Content-Language`
- `Content-Length`
- `Content-Type`
- `Expires`
- `Last-Modified`
- `Pragma`
- (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
- The CORS-safelisted response headers are exposed to client by default.
+ If any header name in the `Access-Control-Allow-Headers` response header
+ does not recognize by the client, it will also occur an error on the
+ client side.
- When an HTTP header name is specified using the `ExposeHeaders` field,
- this additional header will be exposed as part of the response to the
- client.
+ A wildcard indicates that the requests with all HTTP headers are allowed.
+ The `Access-Control-Allow-Headers` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- Header names are not case sensitive.
+ When the `AllowCredentials` field is true and `AllowHeaders` field
+ specified with the `*` wildcard, the gateway must specify one or more
+ HTTP headers in the value of the `Access-Control-Allow-Headers` response
+ header. The value of the header `Access-Control-Allow-Headers` is same as
+ the `Access-Control-Request-Headers` header provided by the client. If
+ the header `Access-Control-Request-Headers` is not included in the
+ request, the gateway will omit the `Access-Control-Allow-Headers`
+ response header, instead of specifying the `*` wildcard. A Gateway
+ implementation may choose to add implementation-specific default headers.
- Multiple header names in the value of the `Access-Control-Expose-Headers`
- response header are separated by a comma (",").
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
- A wildcard indicates that the responses with all HTTP headers are exposed
- to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is
- unspecified.
+ Valid values include:
- Support: Extended
- items:
- description: |-
- HTTPHeaderName is the name of an HTTP header.
+ * "Authorization"
+ * "Set-Cookie"
- Valid values include:
+ Invalid values include:
- * "Authorization"
- * "Set-Cookie"
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ allowMethods:
+ description: |-
+ AllowMethods indicates which HTTP methods are supported for accessing the
+ requested resource.
- Invalid values include:
+ Valid values are any method defined by RFC9110, along with the special
+ value `*`, which represents all HTTP methods are allowed.
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- maxAge:
- default: 5
- description: |-
- MaxAge indicates the duration (in seconds) for the client to cache the
- results of a "preflight" request.
+ Method names are case sensitive, so these values are also case-sensitive.
+ (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
- The information provided by the `Access-Control-Allow-Methods` and
- `Access-Control-Allow-Headers` response headers can be cached by the
- client until the time specified by `Access-Control-Max-Age` elapses.
+ Multiple method names in the value of the `Access-Control-Allow-Methods`
+ response header are separated by a comma (",").
- The default value of `Access-Control-Max-Age` response header is 5
- (seconds).
- format: int32
- minimum: 1
- type: integer
- type: object
- extensionRef:
- description: |-
- ExtensionRef is an optional, implementation-specific extension to the
- "filter" behavior. For example, resource "myroutefilter" in group
- "networking.example.net"). ExtensionRef MUST NOT be used for core and
- extended filters.
+ A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
+ CORS-safelisted methods are always allowed, regardless of whether they
+ are specified in the `AllowMethods` field.
- This filter can be used multiple times within the same rule.
+ When the `AllowMethods` field is configured with one or more methods, the
+ gateway must return the `Access-Control-Allow-Methods` response header
+ which value is present in the `AllowMethods` field.
- Support: Implementation-specific
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For
- example "HTTPRoute" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- requestHeaderModifier:
- description: |-
- RequestHeaderModifier defines a schema for a filter that modifies request
- headers.
+ If the HTTP method of the `Access-Control-Request-Method` request header
+ is not included in the list of methods specified by the response header
+ `Access-Control-Allow-Methods`, it will present an error on the client
+ side.
- Support: Core
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ The `Access-Control-Allow-Methods` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ When the `AllowCredentials` field is true and `AllowMethods` field
+ specified with the `*` wildcard, the gateway must specify one HTTP method
+ in the value of the Access-Control-Allow-Methods response header. The
+ value of the header `Access-Control-Allow-Methods` is same as the
+ `Access-Control-Request-Method` header provided by the client. If the
+ header `Access-Control-Request-Method` is not included in the request,
+ the gateway will omit the `Access-Control-Allow-Methods` response header,
+ instead of specifying the `*` wildcard. A Gateway implementation may
+ choose to add implementation-specific default methods.
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ Support: Extended
+ items:
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ - '*'
+ type: string
+ maxItems: 9
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowMethods cannot contain '*' alongside
+ other methods
+ rule: '!(''*'' in self && self.size() > 1)'
+ allowOrigins:
+ description: |-
+ AllowOrigins indicates whether the response can be shared with requested
+ resource from the given `Origin`.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ The `Origin` consists of a scheme and a host, with an optional port, and
+ takes the form `://(:)`.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Valid values for scheme are: `http` and `https`.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ Valid values for port are any integer between 1 and 65535 (the list of
+ available TCP/UDP ports). Note that, if not included, port `80` is
+ assumed for `http` scheme origins, and port `443` is assumed for `https`
+ origins. This may affect origin matching.
- Config:
- remove: ["my-header1", "my-header3"]
+ The host part of the origin may contain the wildcard character `*`. These
+ wildcard characters behave as follows:
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ * `*` is a greedy match to the _left_, including any number of
+ DNS labels to the left of its position. This also means that
+ `*` will include any number of period `.` characters to the
+ left of its position.
+ * A wildcard by itself matches all hosts.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ An origin value that includes _only_ the `*` character indicates requests
+ from all `Origin`s are allowed.
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ When the `AllowOrigins` field is configured with multiple origins, it
+ means the server supports clients from multiple origins. If the request
+ `Origin` matches the configured allowed origins, the gateway must return
+ the given `Origin` and sets value of the header
+ `Access-Control-Allow-Origin` same as the `Origin` header provided by the
+ client.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ The status code of a successful response to a "preflight" request is
+ always an OK status (i.e., 204 or 200).
+
+ If the request `Origin` does not match the configured allowed origins,
+ the gateway returns 204/200 response but doesn't set the relevant
+ cross-origin response headers. Alternatively, the gateway responds with
+ 403 status to the "preflight" request is denied, coupled with omitting
+ the CORS headers. The cross-origin request fails on the client side.
+ Therefore, the client doesn't attempt the actual cross-origin request.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- requestMirror:
- description: |-
- RequestMirror defines a schema for a filter that mirrors requests.
- Requests are sent to the specified destination, but responses from
- that destination are ignored.
+ The `Access-Control-Allow-Origin` response header can only use `*`
+ wildcard as value when the `AllowCredentials` field is false or omitted.
- This filter can be used multiple times within the same rule. Note that
- not all implementations will be able to support mirroring to multiple
- backends.
+ When the `AllowCredentials` field is true and `AllowOrigins` field
+ specified with the `*` wildcard, the gateway must return a single origin
+ in the value of the `Access-Control-Allow-Origin` response header,
+ instead of specifying the `*` wildcard. The value of the header
+ `Access-Control-Allow-Origin` is same as the `Origin` header provided by
+ the client.
- Support: Extended
- properties:
- backendRef:
- description: |-
- BackendRef references a resource where mirrored requests are sent.
+ Support: Extended
+ items:
+ description: |-
+ The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
+ encoding rules specified in RFC3986. The CORSOrigin MUST include both a
+ scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+ URIs that include an authority MUST include a fully qualified domain name or
+ IP address as the host.
+ maxLength: 253
+ minLength: 1
+ pattern: (^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ x-kubernetes-validations:
+ - message: AllowOrigins cannot contain '*' alongside
+ other origins
+ rule: '!(''*'' in self && self.size() > 1)'
+ exposeHeaders:
+ description: |-
+ ExposeHeaders indicates which HTTP response headers can be exposed
+ to client-side scripts in response to a cross-origin request.
- Mirrored requests must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many endpoints are present
- within this BackendRef.
+ A CORS-safelisted response header is an HTTP header in a CORS response
+ that it is considered safe to expose to the client scripts.
+ The CORS-safelisted response headers include the following headers:
+ `Cache-Control`
+ `Content-Language`
+ `Content-Length`
+ `Content-Type`
+ `Expires`
+ `Last-Modified`
+ `Pragma`
+ (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
+ The CORS-safelisted response headers are exposed to client by default.
- If the referent cannot be found, this BackendRef is invalid and must be
- dropped from the Gateway. The controller must ensure the "ResolvedRefs"
- condition on the Route status is set to `status: False` and not configure
- this backend in the underlying implementation.
+ When an HTTP header name is specified using the `ExposeHeaders` field,
+ this additional header will be exposed as part of the response to the
+ client.
- If there is a cross-namespace reference to an *existing* object
- that is not allowed by a ReferenceGrant, the controller must ensure the
- "ResolvedRefs" condition on the Route is set to `status: False`,
- with the "RefNotPermitted" reason and not configure this backend in the
- underlying implementation.
+ Header names are not case sensitive.
- In either error case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about the problem.
+ Multiple header names in the value of the `Access-Control-Expose-Headers`
+ response header are separated by a comma (",").
- Support: Extended for Kubernetes Service
+ A wildcard indicates that the responses with all HTTP headers are exposed
+ to clients. The `Access-Control-Expose-Headers` response header can only
+ use `*` wildcard as value when the `AllowCredentials` field is false or omitted.
- Support: Implementation-specific for any other resource
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ Support: Extended
+ items:
+ description: |-
+ HTTPHeaderName is the name of an HTTP header.
- Defaults to "Service" when not specified.
+ Valid values include:
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ * "Authorization"
+ * "Set-Cookie"
- Support: Core (Services with a type other than ExternalName)
+ Invalid values include:
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
+ - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
+ headers are not currently supported by this type.
+ - "/invalid" - "/ " is an invalid character
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: set
+ maxAge:
+ default: 5
+ description: |-
+ MaxAge indicates the duration (in seconds) for the client to cache the
+ results of a "preflight" request.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ The information provided by the `Access-Control-Allow-Methods` and
+ `Access-Control-Allow-Headers` response headers can be cached by the
+ client until the time specified by `Access-Control-Max-Age` elapses.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind
- == ''Service'') ? has(self.port) : true'
- fraction:
- description: |-
- Fraction represents the fraction of requests that should be
- mirrored to BackendRef.
+ The default value of `Access-Control-Max-Age` response header is 5
+ (seconds).
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ extensionRef:
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- properties:
- denominator:
- default: 100
- format: int32
- minimum: 1
- type: integer
- numerator:
- format: int32
- minimum: 0
- type: integer
- required:
- - numerator
- type: object
- x-kubernetes-validations:
- - message: numerator must be less than or equal
- to denominator
- rule: self.numerator <= self.denominator
- percent:
- description: |-
- Percent represents the percentage of requests that should be
- mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
- requests) and its maximum value is 100 (indicating 100% of requests).
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ externalAuth:
+ description: |-
+ ExternalAuth configures settings related to sending request details
+ to an external auth service. The external service MUST authenticate
+ the request, and MAY authorize the request as well.
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- required:
- - backendRef
- type: object
- x-kubernetes-validations:
- - message: Only one of percent or fraction may be
- specified in HTTPRequestMirrorFilter
- rule: '!(has(self.percent) && has(self.fraction))'
- requestRedirect:
- description: |-
- RequestRedirect defines a schema for a filter that responds to the
- request with an HTTP redirection.
+ If there is any problem communicating with the external service,
+ this filter MUST fail closed.
- Support: Core
- properties:
- hostname:
- description: |-
- Hostname is the hostname to be used in the value of the `Location`
- header in the response.
- When empty, the hostname in the `Host` header of the request is used.
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef is a reference to a backend to send authorization
+ requests to.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: |-
- Path defines parameters used to modify the path of the incoming request.
- The modified path is then used to construct the `Location` header. When
- empty, the request path is used as-is.
+ The backend must speak the selected protocol (GRPC or HTTP) on the
+ referenced port.
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ If the backend service requires TLS, use BackendTLSPolicy to tell the
+ implementation to supply the TLS details to be used to connect to that
+ backend.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
+ Defaults to "Service" when not specified.
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
+ Support: Core (Services with a type other than ExternalName)
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified
- when type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ?
- has(self.replaceFullPath) : true'
- - message: type must be 'ReplaceFullPath' when
- replaceFullPath is set
- rule: 'has(self.replaceFullPath) ? self.type
- == ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified
- when type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch''
- ? has(self.replacePrefixMatch) : true'
- - message: type must be 'ReplacePrefixMatch'
- when replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- port:
- description: |-
- Port is the port to be used in the value of the `Location`
- header in the response.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- If no port is specified, the redirect port MUST be derived using the
- following rules:
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ forwardBody:
+ description: |-
+ ForwardBody controls if requests to the authorization server should include
+ the body of the client request; and if so, how big that body is allowed
+ to be.
- * If redirect scheme is not-empty, the redirect port MUST be the well-known
- port associated with the redirect scheme. Specifically "http" to port 80
- and "https" to port 443. If the redirect scheme does not have a
- well-known port, the listener port of the Gateway SHOULD be used.
- * If redirect scheme is empty, the redirect port MUST be the Gateway
- Listener port.
+ It is expected that implementations will buffer the request body up to
+ `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a
+ 4xx series error (413 or 403 are common examples), and fail processing
+ of the filter.
- Implementations SHOULD NOT add the port number in the 'Location'
- header in the following cases:
+ If unset, or `forwardBody.maxSize` is set to `0`, then the body will not
+ be forwarded.
- * A Location header that will use HTTP (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 80.
- * A Location header that will use HTTPS (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 443.
+ Feature Name: HTTPRouteExternalAuthForwardBody
+ properties:
+ maxSize:
+ description: |-
+ MaxSize specifies how large in bytes the largest body that will be buffered
+ and sent to the authorization server. If the body size is larger than
+ `maxSize`, then the body sent to the authorization server must be
+ truncated to `maxSize` bytes.
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- scheme:
- description: |-
- Scheme is the scheme to be used in the value of the `Location` header in
- the response. When empty, the scheme of the request is used.
+ Experimental note: This behavior needs to be checked against
+ various dataplanes; it may need to be changed.
+ See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746
+ for more.
- Scheme redirects can affect the port of the redirect, for more information,
- refer to the documentation for the port field of this filter.
+ If 0, the body will not be sent to the authorization server.
+ type: integer
+ type: object
+ grpc:
+ description: |-
+ GRPCAuthConfig contains configuration for communication with ext_authz
+ protocol-speaking backends.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what headers from the client request
+ will be sent to the authorization server.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ If this list is empty, then all headers must be sent.
- Support: Extended
- enum:
- - http
- - https
+ If the list has entries, only those entries must be sent.
+ items:
type: string
- statusCode:
- default: 302
- description: |-
- StatusCode is the HTTP status code to be used in response.
+ type: array
+ x-kubernetes-list-type: set
+ type: object
+ http:
+ description: |-
+ HTTPAuthConfig contains configuration for communication with HTTP-speaking
+ backends.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ If unset, implementations must assume the default behavior for each
+ included field is intended.
+ properties:
+ allowedHeaders:
+ description: |-
+ AllowedRequestHeaders specifies what additional headers from the client request
+ will be sent to the authorization server.
+
+ The following headers must always be sent to the authorization server,
+ regardless of this setting:
+
+ * `Host`
+ * `Method`
+ * `Path`
+ * `Content-Length`
+ * `Authorization`
+
+ If this list is empty, then only those headers must be sent.
+
+ Note that `Content-Length` has a special behavior, in that the length
+ sent must be correct for the actual request to the external authorization
+ server - that is, it must reflect the actual number of bytes sent in the
+ body of the request to the authorization server.
+
+ So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set
+ to `0`, then `Content-Length` must be `0`. If `forwardBody.maxSize` is set
+ to anything other than `0`, then the `Content-Length` of the authorization
+ request must be set to the actual number of bytes forwarded.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ allowedResponseHeaders:
+ description: |-
+ AllowedResponseHeaders specifies what headers from the authorization response
+ will be copied into the request to the backend.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ If this list is empty, then all headers from the authorization server
+ except Authority or Host must be copied.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: set
+ path:
+ description: |-
+ Path sets the prefix that paths from the client request will have added
+ when forwarded to the authorization server.
+
+ When empty or unspecified, no prefix is added.
+
+ Valid values are the same as the "value" regex for path values in the `match`
+ stanza, and the validation regex will screen out invalid paths in the same way.
+ Even with the validation, implementations MUST sanitize this input before using it
+ directly.
+ maxLength: 1024
+ pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$
+ type: string
+ type: object
+ protocol:
+ description: |-
+ ExternalAuthProtocol describes which protocol to use when communicating with an
+ ext_authz authorization server.
+
+ When this is set to GRPC, each backend must use the Envoy ext_authz protocol
+ on the port specified in `backendRefs`. Requests and responses are defined
+ in the protobufs explained at:
+ https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
+
+ When this is set to HTTP, each backend must respond with a `200` status
+ code in on a successful authorization. Any other code is considered
+ an authorization failure.
+
+ Feature Names:
+ GRPC Support - HTTPRouteExternalAuthGRPC
+ HTTP Support - HTTPRouteExternalAuthHTTP
+ enum:
+ - HTTP
+ - GRPC
+ type: string
+ required:
+ - backendRef
+ - protocol
+ type: object
+ x-kubernetes-validations:
+ - message: grpc must be specified when protocol is set
+ to 'GRPC'
+ rule: 'self.protocol == ''GRPC'' ? has(self.grpc) :
+ true'
+ - message: protocol must be 'GRPC' when grpc is set
+ rule: 'has(self.grpc) ? self.protocol == ''GRPC'' :
+ true'
+ - message: http must be specified when protocol is set
+ to 'HTTP'
+ rule: 'self.protocol == ''HTTP'' ? has(self.http) :
+ true'
+ - message: protocol must be 'HTTP' when http is set
+ rule: 'has(self.http) ? self.protocol == ''HTTP'' :
+ true'
+ requestHeaderModifier:
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Support: Core
- enum:
- - 301
- - 302
- type: integer
- type: object
- responseHeaderModifier:
- description: |-
- ResponseHeaderModifier defines a schema for a filter that modifies response
- headers.
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- Support: Extended
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
properties:
- add:
+ name:
description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
-
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Config:
+ remove: ["my-header1", "my-header3"]
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
- Config:
- remove: ["my-header1", "my-header3"]
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
+ Config:
set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
-
- Input:
- GET /foo HTTP/1.1
- my-header: foo
-
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ - name: "my-header"
+ value: "bar"
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP
- Header name and value as defined by RFC
- 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP
- Header to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
type: object
- type:
- description: |-
- Type identifies the type of filter to apply. As with other API fields,
- types are classified into three conformance levels:
-
- - Core: Filter types and their corresponding configuration defined by
- "Support: Core" in this package, e.g. "RequestHeaderModifier". All
- implementations must support core filters.
-
- - Extended: Filter types and their corresponding configuration defined by
- "Support: Extended" in this package, e.g. "RequestMirror". Implementers
- are encouraged to support extended filters.
-
- - Implementation-specific: Filters that are defined and supported by
- specific vendors.
- In the future, filters showing convergence in behavior across multiple
- implementations will be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration for such filters
- is specified using the ExtensionRef field. `Type` should be set to
- "ExtensionRef" for custom filters.
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ requestMirror:
+ description: |-
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
- Implementers are encouraged to define custom implementation types to
- extend the core API with implementation-specific behavior.
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
- If a reference to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have been processed by
- that filter MUST receive a HTTP error response.
+ Support: Extended
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - RequestHeaderModifier
- - ResponseHeaderModifier
- - RequestMirror
- - RequestRedirect
- - URLRewrite
- - ExtensionRef
- - CORS
- type: string
- urlRewrite:
- description: |-
- URLRewrite defines a schema for a filter that modifies a request during forwarding.
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
- Support: Extended
- properties:
- hostname:
- description: |-
- Hostname is the value to be used to replace the Host header value during
- forwarding.
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
- Support: Extended
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: |-
- Path defines a path rewrite.
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ Support: Extended for Kubernetes Service
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
+ Support: Implementation-specific for any other resource
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ Defaults to "Service" when not specified.
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Support: Core (Services with a type other than ExternalName)
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified
- when type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ?
- has(self.replaceFullPath) : true'
- - message: type must be 'ReplaceFullPath' when
- replaceFullPath is set
- rule: 'has(self.replaceFullPath) ? self.type
- == ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified
- when type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch''
- ? has(self.replacePrefixMatch) : true'
- - message: type must be 'ReplacePrefixMatch'
- when replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- type: object
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: filter.requestHeaderModifier must be nil
- if the filter.type is not RequestHeaderModifier
- rule: '!(has(self.requestHeaderModifier) && self.type
- != ''RequestHeaderModifier'')'
- - message: filter.requestHeaderModifier must be specified
- for RequestHeaderModifier filter.type
- rule: '!(!has(self.requestHeaderModifier) && self.type
- == ''RequestHeaderModifier'')'
- - message: filter.responseHeaderModifier must be nil
- if the filter.type is not ResponseHeaderModifier
- rule: '!(has(self.responseHeaderModifier) && self.type
- != ''ResponseHeaderModifier'')'
- - message: filter.responseHeaderModifier must be specified
- for ResponseHeaderModifier filter.type
- rule: '!(!has(self.responseHeaderModifier) && self.type
- == ''ResponseHeaderModifier'')'
- - message: filter.requestMirror must be nil if the filter.type
- is not RequestMirror
- rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
- - message: filter.requestMirror must be specified for
- RequestMirror filter.type
- rule: '!(!has(self.requestMirror) && self.type ==
- ''RequestMirror'')'
- - message: filter.requestRedirect must be nil if the
- filter.type is not RequestRedirect
- rule: '!(has(self.requestRedirect) && self.type !=
- ''RequestRedirect'')'
- - message: filter.requestRedirect must be specified
- for RequestRedirect filter.type
- rule: '!(!has(self.requestRedirect) && self.type ==
- ''RequestRedirect'')'
- - message: filter.urlRewrite must be nil if the filter.type
- is not URLRewrite
- rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
- - message: filter.urlRewrite must be specified for URLRewrite
- filter.type
- rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
- - message: filter.extensionRef must be nil if the filter.type
- is not ExtensionRef
- rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
- - message: filter.extensionRef must be specified for
- ExtensionRef filter.type
- rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type
- is not CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: May specify either httpRouteFilterRequestRedirect
- or httpRouteFilterRequestRewrite, but not both
- rule: '!(self.exists(f, f.type == ''RequestRedirect'')
- && self.exists(f, f.type == ''URLRewrite''))'
- - message: May specify either httpRouteFilterRequestRedirect
- or httpRouteFilterRequestRewrite, but not both
- rule: '!(self.exists(f, f.type == ''RequestRedirect'')
- && self.exists(f, f.type == ''URLRewrite''))'
- - message: RequestHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
- <= 1
- - message: ResponseHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
- <= 1
- - message: RequestRedirect filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestRedirect').size()
- <= 1
- - message: URLRewrite filter cannot be repeated
- rule: self.filter(f, f.type == 'URLRewrite').size()
- <= 1
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- Defaults to "Service" when not specified.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ fraction:
+ description: |-
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
- Support: Core (Services with a type other than ExternalName)
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to
+ denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |-
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ required:
+ - backendRef
+ type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be specified
+ in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
+ requestRedirect:
description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
-
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- description: |-
- Weight specifies the proportion of requests forwarded to the referenced
- backend. This is computed as weight/(sum of all weights in this
- BackendRefs list). For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision an
- implementation supports. Weight is not a percentage and the sum of
- weights does not need to equal 100.
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
- If only one backend is specified and it has a weight greater than 0, 100%
- of the traffic is forwarded to that backend. If weight is set to 0, no
- traffic should be forwarded for this entry. If unspecified, weight
- defaults to 1.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
- Support for this field varies based on the context where used.
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- maxItems: 16
- type: array
- filters:
- description: |-
- Filters define the filters that are applied to requests that match
- this rule.
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
- Wherever possible, implementations SHOULD implement filters in the order
- they are specified.
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
- Implementations MAY choose to implement this ordering strictly, rejecting
- any combination or order of filters that cannot be supported. If implementations
- choose a strict interpretation of filter ordering, they MUST clearly document
- that behavior.
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
- To reject an invalid combination or order of filters, implementations SHOULD
- consider the Route Rules with this configuration invalid. If all Route Rules
- in a Route are invalid, the entire Route would be considered invalid. If only
- a portion of Route Rules are invalid, implementations MUST set the
- "PartiallyInvalid" condition for the Route.
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- Conformance-levels at this level are defined based on the type of filter:
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- - ALL core filters MUST be supported by all implementations.
- - Implementers are encouraged to support extended filters.
- - Implementation-specific custom filters have no API guarantees across
- implementations.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
- Specifying the same filter multiple times is not supported unless explicitly
- indicated in the filter.
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
- All filters are expected to be compatible with each other except for the
- URLRewrite and RequestRedirect filters, which may not be combined. If an
- implementation cannot support other combinations of filters, they must clearly
- document that limitation. In cases where incompatible or unsupported
- filters are specified and cause the `Accepted` condition to be set to status
- `False`, implementations may use the `IncompatibleFilters` reason to specify
- this configuration error.
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
- Support: Core
- items:
- description: |-
- HTTPRouteFilter defines processing steps that must be completed during the
- request or response lifecycle. HTTPRouteFilters are meant as an extension
- point to express processing that may be done in Gateway implementations. Some
- examples include request or response modification, implementing
- authentication strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type of the filter.
- properties:
- cors:
- description: |-
- CORS defines a schema for a filter that responds to the
- cross-origin request based on HTTP response header.
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
- Support: Extended
- properties:
- allowCredentials:
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ scheme:
description: |-
- AllowCredentials indicates whether the actual cross-origin request allows
- to include credentials.
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
- The only valid value for the `Access-Control-Allow-Credentials` response
- header is true (case-sensitive).
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- If the credentials are not allowed in cross-origin requests, the gateway
- will omit the header `Access-Control-Allow-Credentials` entirely rather
- than setting its value to false.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
Support: Extended
enum:
- - true
- type: boolean
- allowHeaders:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
description: |-
- AllowHeaders indicates which HTTP request headers are supported for
- accessing the requested resource.
-
- Header names are not case sensitive.
+ StatusCode is the HTTP status code to be used in response.
- Multiple header names in the value of the `Access-Control-Allow-Headers`
- response header are separated by a comma (",").
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- When the `AllowHeaders` field is configured with one or more headers, the
- gateway must return the `Access-Control-Allow-Headers` response header
- which value is present in the `AllowHeaders` field.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
- If any header name in the `Access-Control-Request-Headers` request header
- is not included in the list of header names specified by the response
- header `Access-Control-Allow-Headers`, it will present an error on the
- client side.
+ Support: Core
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ responseHeaderModifier:
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
- If any header name in the `Access-Control-Allow-Headers` response header
- does not recognize by the client, it will also occur an error on the
- client side.
+ Support: Extended
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
- A wildcard indicates that the requests with all HTTP headers are allowed.
- The `Access-Control-Allow-Headers` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- When the `AllowCredentials` field is specified and `AllowHeaders` field
- specified with the `*` wildcard, the gateway must specify one or more
- HTTP headers in the value of the `Access-Control-Allow-Headers` response
- header. The value of the header `Access-Control-Allow-Headers` is same as
- the `Access-Control-Request-Headers` header provided by the client. If
- the header `Access-Control-Request-Headers` is not included in the
- request, the gateway will omit the `Access-Control-Allow-Headers`
- response header, instead of specifying the `*` wildcard. A Gateway
- implementation may choose to add implementation-specific default headers.
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
- Support: Extended
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
- description: |-
- HTTPHeaderName is the name of an HTTP header.
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Valid values include:
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- * "Authorization"
- * "Set-Cookie"
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
- Invalid values include:
+ Config:
+ remove: ["my-header1", "my-header3"]
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
type: string
- maxItems: 64
+ maxItems: 16
type: array
x-kubernetes-list-type: set
- allowMethods:
+ set:
description: |-
- AllowMethods indicates which HTTP methods are supported for accessing the
- requested resource.
+ Set overwrites the request with the given header (name, value)
+ before the action.
- Valid values are any method defined by RFC9110, along with the special
- value `*`, which represents all HTTP methods are allowed.
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
- Method names are case sensitive, so these values are also case-sensitive.
- (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
- Multiple method names in the value of the `Access-Control-Allow-Methods`
- response header are separated by a comma (",").
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- A CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.
- (See https://fetch.spec.whatwg.org/#cors-safelisted-method) The
- CORS-safelisted methods are always allowed, regardless of whether they
- are specified in the `AllowMethods` field.
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ type:
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
- When the `AllowMethods` field is configured with one or more methods, the
- gateway must return the `Access-Control-Allow-Methods` response header
- which value is present in the `AllowMethods` field.
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
- If the HTTP method of the `Access-Control-Request-Method` request header
- is not included in the list of methods specified by the response header
- `Access-Control-Allow-Methods`, it will present an error on the client
- side.
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
- The `Access-Control-Allow-Methods` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - RequestHeaderModifier
+ - ResponseHeaderModifier
+ - RequestMirror
+ - RequestRedirect
+ - URLRewrite
+ - ExtensionRef
+ - CORS
+ - ExternalAuth
+ type: string
+ urlRewrite:
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
- When the `AllowCredentials` field is specified and `AllowMethods` field
- specified with the `*` wildcard, the gateway must specify one HTTP method
- in the value of the Access-Control-Allow-Methods response header. The
- value of the header `Access-Control-Allow-Methods` is same as the
- `Access-Control-Request-Method` header provided by the client. If the
- header `Access-Control-Request-Method` is not included in the request,
- the gateway will omit the `Access-Control-Allow-Methods` response header,
- instead of specifying the `*` wildcard. A Gateway implementation may
- choose to add implementation-specific default methods.
+ Support: Extended
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
Support: Extended
- items:
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- - '*'
- type: string
- maxItems: 9
- type: array
- x-kubernetes-list-type: set
- x-kubernetes-validations:
- - message: AllowMethods cannot contain '*' alongside
- other methods
- rule: '!(''*'' in self && self.size() > 1)'
- allowOrigins:
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
description: |-
- AllowOrigins indicates whether the response can be shared with requested
- resource from the given `Origin`.
-
- The `Origin` consists of a scheme and a host, with an optional port, and
- takes the form `://(:)`.
+ Path defines a path rewrite.
- Valid values for scheme are: `http` and `https`.
+ Support: Extended
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
- Valid values for port are any integer between 1 and 65535 (the list of
- available TCP/UDP ports). Note that, if not included, port `80` is
- assumed for `http` scheme origins, and port `443` is assumed for `https`
- origins. This may affect origin matching.
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
- The host part of the origin may contain the wildcard character `*`. These
- wildcard characters behave as follows:
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
- * `*` is a greedy match to the _left_, including any number of
- DNS labels to the left of its position. This also means that
- `*` will include any number of period `.` characters to the
- left of its position.
- * A wildcard by itself matches all hosts.
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
- An origin value that includes _only_ the `*` character indicates requests
- from all `Origin`s are allowed.
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
- When the `AllowOrigins` field is configured with multiple origins, it
- means the server supports clients from multiple origins. If the request
- `Origin` matches the configured allowed origins, the gateway must return
- the given `Origin` and sets value of the header
- `Access-Control-Allow-Origin` same as the `Origin` header provided by the
- client.
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: replaceFullPath must be specified when
+ type is set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type ==
+ ''ReplaceFullPath'' : true'
+ - message: replacePrefixMatch must be specified when
+ type is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when
+ replacePrefixMatch is set
+ rule: 'has(self.replacePrefixMatch) ? self.type
+ == ''ReplacePrefixMatch'' : true'
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: filter.requestHeaderModifier must be nil if the
+ filter.type is not RequestHeaderModifier
+ rule: '!(has(self.requestHeaderModifier) && self.type !=
+ ''RequestHeaderModifier'')'
+ - message: filter.requestHeaderModifier must be specified
+ for RequestHeaderModifier filter.type
+ rule: '!(!has(self.requestHeaderModifier) && self.type ==
+ ''RequestHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be nil if the
+ filter.type is not ResponseHeaderModifier
+ rule: '!(has(self.responseHeaderModifier) && self.type !=
+ ''ResponseHeaderModifier'')'
+ - message: filter.responseHeaderModifier must be specified
+ for ResponseHeaderModifier filter.type
+ rule: '!(!has(self.responseHeaderModifier) && self.type
+ == ''ResponseHeaderModifier'')'
+ - message: filter.requestMirror must be nil if the filter.type
+ is not RequestMirror
+ rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
+ - message: filter.requestMirror must be specified for RequestMirror
+ filter.type
+ rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
+ - message: filter.requestRedirect must be nil if the filter.type
+ is not RequestRedirect
+ rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
+ - message: filter.requestRedirect must be specified for RequestRedirect
+ filter.type
+ rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
+ - message: filter.urlRewrite must be nil if the filter.type
+ is not URLRewrite
+ rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
+ - message: filter.urlRewrite must be specified for URLRewrite
+ filter.type
+ rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
+ - message: filter.extensionRef must be nil if the filter.type
+ is not ExtensionRef
+ rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
+ - message: filter.extensionRef must be specified for ExtensionRef
+ filter.type
+ rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
+ - message: filter.cors must be nil if the filter.type is not
+ CORS
+ rule: '!(has(self.cors) && self.type != ''CORS'')'
+ - message: filter.cors must be specified for CORS filter.type
+ rule: '!(!has(self.cors) && self.type == ''CORS'')'
+ - message: filter.externalAuth must be nil if the filter.type
+ is not ExternalAuth
+ rule: '!(has(self.externalAuth) && self.type != ''ExternalAuth'')'
+ - message: filter.externalAuth must be specified for ExternalAuth
+ filter.type
+ rule: '!(!has(self.externalAuth) && self.type == ''ExternalAuth'')'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: May specify either httpRouteFilterRequestRedirect
+ or httpRouteFilterRequestRewrite, but not both
+ rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
+ self.exists(f, f.type == ''URLRewrite''))'
+ - message: RequestHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
+ <= 1
+ - message: ResponseHeaderModifier filter cannot be repeated
+ rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
+ <= 1
+ - message: RequestRedirect filter cannot be repeated
+ rule: self.filter(f, f.type == 'RequestRedirect').size() <=
+ 1
+ - message: URLRewrite filter cannot be repeated
+ rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
+ matches:
+ default:
+ - path:
+ type: PathPrefix
+ value: /
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
- The status code of a successful response to a "preflight" request is
- always an OK status (i.e., 204 or 200).
+ For example, take the following matches configuration:
- If the request `Origin` does not match the configured allowed origins,
- the gateway returns 204/200 response but doesn't set the relevant
- cross-origin response headers. Alternatively, the gateway responds with
- 403 status to the "preflight" request is denied, coupled with omitting
- the CORS headers. The cross-origin request fails on the client side.
- Therefore, the client doesn't attempt the actual cross-origin request.
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
- The `Access-Control-Allow-Origin` response header can only use `*`
- wildcard as value when the `AllowCredentials` field is unspecified.
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
- When the `AllowCredentials` field is specified and `AllowOrigins` field
- specified with the `*` wildcard, the gateway must return a single origin
- in the value of the `Access-Control-Allow-Origin` response header,
- instead of specifying the `*` wildcard. The value of the header
- `Access-Control-Allow-Origin` is same as the `Origin` header provided by
- the client.
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
- Support: Extended
- items:
- description: |-
- The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and
- encoding rules specified in RFC3986. The AbsoluteURI MUST include both a
- scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that
- include an authority MUST include a fully qualified domain name or
- IP address as the host.
- maxLength: 253
- minLength: 1
- pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- exposeHeaders:
- description: |-
- ExposeHeaders indicates which HTTP response headers can be exposed
- to client-side scripts in response to a cross-origin request.
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
- A CORS-safelisted response header is an HTTP header in a CORS response
- that it is considered safe to expose to the client scripts.
- The CORS-safelisted response headers include the following headers:
- `Cache-Control`
- `Content-Language`
- `Content-Length`
- `Content-Type`
- `Expires`
- `Last-Modified`
- `Pragma`
- (See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)
- The CORS-safelisted response headers are exposed to client by default.
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
- When an HTTP header name is specified using the `ExposeHeaders` field,
- this additional header will be exposed as part of the response to the
- client.
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
- Header names are not case sensitive.
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
- Multiple header names in the value of the `Access-Control-Expose-Headers`
- response header are separated by a comma (",").
+ Note: The precedence of RegularExpression path matches are implementation-specific.
- A wildcard indicates that the responses with all HTTP headers are exposed
- to clients. The `Access-Control-Expose-Headers` response header can only
- use `*` wildcard as value when the `AllowCredentials` field is
- unspecified.
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
- Support: Extended
- items:
- description: |-
- HTTPHeaderName is the name of an HTTP header.
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
- Valid values include:
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
- * "Authorization"
- * "Set-Cookie"
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
+ items:
+ description: "HTTPRouteMatch defines the predicate used to
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
+ properties:
+ headers:
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
+ items:
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- Invalid values include:
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
- - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo
- headers are not currently supported by this type.
- - "/invalid" - "/ " is an invalid character
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- maxAge:
- default: 5
- description: |-
- MaxAge indicates the duration (in seconds) for the client to cache the
- results of a "preflight" request.
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the header.
- The information provided by the `Access-Control-Allow-Methods` and
- `Access-Control-Allow-Headers` response headers can be cached by the
- client until the time specified by `Access-Control-Max-Age` elapses.
+ Support: Core (Exact)
- The default value of `Access-Control-Max-Age` response header is 5
- (seconds).
- format: int32
- minimum: 1
- type: integer
- type: object
- extensionRef:
- description: |-
- ExtensionRef is an optional, implementation-specific extension to the
- "filter" behavior. For example, resource "myroutefilter" in group
- "networking.example.net"). ExtensionRef MUST NOT be used for core and
- extended filters.
+ Support: Implementation-specific (RegularExpression)
- This filter can be used multiple times within the same rule.
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the value of HTTP Header to
+ be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ method:
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
- Support: Implementation-specific
+ Support: Extended
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ path:
+ default:
+ type: PathPrefix
+ value: /
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
properties:
- group:
+ type:
+ default: PathPrefix
description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For example
- "HTTPRoute" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
+ value:
+ default: /
+ description: Value of the HTTP path to match against.
+ maxLength: 1024
type: string
- required:
- - group
- - kind
- - name
type: object
- requestHeaderModifier:
- description: |-
- RequestHeaderModifier defines a schema for a filter that modifies request
- headers.
-
- Support: Core
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
+ x-kubernetes-validations:
+ - message: value must be an absolute path and start with
+ '/' when type one of ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
+ : true'
+ - message: must not contain '//' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
+ : true'
+ - message: must not contain '/./' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
+ : true'
+ - message: must not contain '/../' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
+ : true'
+ - message: must not contain '%2f' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
+ : true'
+ - message: must not contain '%2F' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
+ : true'
+ - message: must not contain '#' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
+ : true'
+ - message: must not end with '/..' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
+ : true'
+ - message: must not end with '/.' when type one of ['Exact',
+ 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
+ : true'
+ - message: type must be one of ['Exact', 'PathPrefix',
+ 'RegularExpression']
+ rule: self.type in ['Exact','PathPrefix'] || self.type
+ == 'RegularExpression'
+ - message: must only contain valid characters (matching
+ ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
+ for types ['Exact', 'PathPrefix']
+ rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
+ : true'
+ queryParams:
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Support: Extended
+ items:
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ type:
+ default: Exact
+ description: |-
+ Type specifies how to match against the value of the query parameter.
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ Support: Extended (Exact)
- Config:
- remove: ["my-header1", "my-header3"]
+ Support: Implementation-specific (RegularExpression)
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
+ enum:
+ - Exact
+ - RegularExpression
type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ value:
+ description: Value is the value of HTTP query param
+ to be matched.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ description: |-
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ retry:
+ description: |-
+ Retry defines the configuration for when to retry an HTTP request.
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ Support: Extended
+ properties:
+ attempts:
+ description: |-
+ Attempts specifies the maximum number of times an individual request
+ from the gateway to a backend should be retried.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ If the maximum number of retries has been attempted without a successful
+ response from the backend, the Gateway MUST return an error.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- requestMirror:
- description: |-
- RequestMirror defines a schema for a filter that mirrors requests.
- Requests are sent to the specified destination, but responses from
- that destination are ignored.
+ When this field is unspecified, the number of times to attempt to retry
+ a backend request is implementation-specific.
- This filter can be used multiple times within the same rule. Note that
- not all implementations will be able to support mirroring to multiple
- backends.
+ Support: Extended
+ type: integer
+ backoff:
+ description: |-
+ Backoff specifies the minimum duration a Gateway should wait between
+ retry attempts and is represented in Gateway API Duration formatting.
- Support: Extended
- properties:
- backendRef:
- description: |-
- BackendRef references a resource where mirrored requests are sent.
+ For example, setting the `rules[].retry.backoff` field to the value
+ `100ms` will cause a backend request to first be retried approximately
+ 100 milliseconds after timing out or receiving a response code configured
+ to be retryable.
- Mirrored requests must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many endpoints are present
- within this BackendRef.
+ An implementation MAY use an exponential or alternative backoff strategy
+ for subsequent retry attempts, MAY cap the maximum backoff duration to
+ some amount greater than the specified minimum, and MAY add arbitrary
+ jitter to stagger requests, as long as unsuccessful backend requests are
+ not retried before the configured minimum duration.
+
+ If a Request timeout (`rules[].timeouts.request`) is configured on the
+ route, the entire duration of the initial request and any retry attempts
+ MUST not exceed the Request timeout duration. If any retry attempts are
+ still in progress when the Request timeout duration has been reached,
+ these SHOULD be canceled if possible and the Gateway MUST immediately
+ return a timeout error.
+
+ If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+ configured on the route, any retry attempts which reach the configured
+ BackendRequest timeout duration without a response SHOULD be canceled if
+ possible and the Gateway should wait for at least the specified backoff
+ duration before attempting to retry the backend request again.
+
+ If a BackendRequest timeout is _not_ configured on the route, retry
+ attempts MAY time out after an implementation default duration, or MAY
+ remain pending until a configured Request timeout or implementation
+ default duration for total request time is reached.
+
+ When this field is unspecified, the time to wait between retry attempts
+ is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ codes:
+ description: |-
+ Codes defines the HTTP response status codes for which a backend request
+ should be retried.
- If the referent cannot be found, this BackendRef is invalid and must be
- dropped from the Gateway. The controller must ensure the "ResolvedRefs"
- condition on the Route status is set to `status: False` and not configure
- this backend in the underlying implementation.
+ Support: Extended
+ items:
+ description: |-
+ HTTPRouteRetryStatusCode defines an HTTP response status code for
+ which a backend request should be retried.
- If there is a cross-namespace reference to an *existing* object
- that is not allowed by a ReferenceGrant, the controller must ensure the
- "ResolvedRefs" condition on the Route is set to `status: False`,
- with the "RefNotPermitted" reason and not configure this backend in the
- underlying implementation.
+ Implementations MUST support the following status codes as retryable:
- In either error case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about the problem.
+ * 500
+ * 502
+ * 503
+ * 504
- Support: Extended for Kubernetes Service
+ Implementations MAY support specifying additional discrete values in the
+ 500-599 range.
- Support: Implementation-specific for any other resource
- properties:
- group:
- default: ""
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- description: |-
- Kind is the Kubernetes resource kind of the referent. For example
- "Service".
+ Implementations MAY support specifying discrete values in the 400-499 range,
+ which are often inadvisable to retry.
+ maximum: 599
+ minimum: 400
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ sessionPersistence:
+ description: |-
+ SessionPersistence defines and configures session persistence
+ for the route rule.
- Defaults to "Service" when not specified.
+ Support: Extended
+ properties:
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
- ExternalName services can refer to CNAME DNS records that may live
- outside of the cluster and as such are difficult to reason about in
- terms of conformance. They also may not be safe to forward to (see
- CVE-2021-25740 for more information). Implementations SHOULD NOT
- support ExternalName Services.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
- Support: Core (Services with a type other than ExternalName)
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
- Support: Implementation-specific (Services with type ExternalName)
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the backend. When unspecified, the local
- namespace is inferred.
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- description: |-
- Port specifies the destination port number to use for this resource.
- Port is required when the referent is a Kubernetes Service. In this
- case, the port number is the service port number, not the target port.
- For other resources, destination port might be derived from the referent
- resource or this field.
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- fraction:
- description: |-
- Fraction represents the fraction of requests that should be
- mirrored to BackendRef.
+ Defaults to "Session".
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- properties:
- denominator:
- default: 100
- format: int32
- minimum: 1
- type: integer
- numerator:
- format: int32
- minimum: 0
- type: integer
- required:
- - numerator
- type: object
- x-kubernetes-validations:
- - message: numerator must be less than or equal to
- denominator
- rule: self.numerator <= self.denominator
- percent:
- description: |-
- Percent represents the percentage of requests that should be
- mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
- requests) and its maximum value is 100 (indicating 100% of requests).
+ Support: Core for "Session" type
- Only one of Fraction or Percent may be specified. If neither field
- is specified, 100% of requests will be mirrored.
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- required:
- - backendRef
- type: object
- x-kubernetes-validations:
- - message: Only one of percent or fraction may be specified
- in HTTPRequestMirrorFilter
- rule: '!(has(self.percent) && has(self.fraction))'
- requestRedirect:
- description: |-
- RequestRedirect defines a schema for a filter that responds to the
- request with an HTTP redirection.
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
- Support: Core
- properties:
- hostname:
- description: |-
- Hostname is the hostname to be used in the value of the `Location`
- header in the response.
- When empty, the hostname in the `Host` header of the request is used.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: |-
- Path defines parameters used to modify the path of the incoming request.
- The modified path is then used to construct the `Location` header. When
- empty, the request path is used as-is.
+ Support: Implementation-specific
+ maxLength: 128
+ type: string
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ Support: Core for "Cookie" type
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ timeouts:
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ Support: Extended
+ properties:
+ backendRequest:
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified when
- type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
- : true'
- - message: type must be 'ReplaceFullPath' when replaceFullPath
- is set
- rule: 'has(self.replaceFullPath) ? self.type ==
- ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified when
- type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
- : true'
- - message: type must be 'ReplacePrefixMatch' when
- replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- port:
- description: |-
- Port is the port to be used in the value of the `Location`
- header in the response.
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
- If no port is specified, the redirect port MUST be derived using the
- following rules:
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ request:
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
- * If redirect scheme is not-empty, the redirect port MUST be the well-known
- port associated with the redirect scheme. Specifically "http" to port 80
- and "https" to port 443. If the redirect scheme does not have a
- well-known port, the listener port of the Gateway SHOULD be used.
- * If redirect scheme is empty, the redirect port MUST be the Gateway
- Listener port.
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
- Implementations SHOULD NOT add the port number in the 'Location'
- header in the following cases:
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
- * A Location header that will use HTTP (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 80.
- * A Location header that will use HTTPS (whether that is determined via
- the Listener protocol or the Scheme field) _and_ use port 443.
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
- Support: Extended
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- scheme:
- description: |-
- Scheme is the scheme to be used in the value of the `Location` header in
- the response. When empty, the scheme of the request is used.
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
+ field is unspecified, request timeout behavior is implementation-specific.
- Scheme redirects can affect the port of the redirect, for more information,
- refer to the documentation for the port field of this filter.
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRequest timeout cannot be longer than request
+ timeout
+ rule: '!(has(self.request) && has(self.backendRequest) &&
+ duration(self.request) != duration(''0s'') && duration(self.backendRequest)
+ > duration(self.request))'
+ type: object
+ x-kubernetes-validations:
+ - message: RequestRedirect filter must not be used together with
+ backendRefs
+ rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
+ (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
+ true'
+ - message: When using RequestRedirect filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
+ self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: When using URLRewrite filter with path.replacePrefixMatch,
+ exactly one PathPrefix match must be specified
+ rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ - message: Within backendRefs, when using RequestRedirect filter
+ with path.replacePrefixMatch, exactly one PathPrefix match must
+ be specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
+ && has(f.requestRedirect.path) && f.requestRedirect.path.type
+ == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
+ )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
+ || self.matches[0].path.type != ''PathPrefix'') ? false : true)
+ : true'
+ - message: Within backendRefs, When using URLRewrite filter with
+ path.replacePrefixMatch, exactly one PathPrefix match must be
+ specified
+ rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
+ (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
+ && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
+ && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
+ != 1 || !has(self.matches[0].path) || self.matches[0].path.type
+ != ''PathPrefix'') ? false : true) : true'
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
+ type: object
+ status:
+ description: Status defines the current state of HTTPRoute.
+ properties:
+ parents:
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
+ items:
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
+ properties:
+ conditions:
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
- Support: Extended
- enum:
- - http
- - https
- type: string
- statusCode:
- default: 302
- description: |-
- StatusCode is the HTTP status code to be used in response.
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
- Support: Core
- enum:
- - 301
- - 302
- type: integer
- type: object
- responseHeaderModifier:
+ * The Route refers to a nonexistent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
description: |-
- ResponseHeaderModifier defines a schema for a filter that modifies response
- headers.
-
- Support: Extended
- properties:
- add:
- description: |-
- Add adds the given header(s) (name, value) to the request
- before the action. It appends to any existing values associated
- with the header name.
-
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
- Config:
- add:
- - name: "my-header"
- value: "bar,baz"
+ Example: "example.net/gateway-controller".
- Output:
- GET /foo HTTP/1.1
- my-header: foo,bar,baz
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- description: |-
- Remove the given header(s) from the HTTP request before the action. The
- value of Remove is a list of HTTP header names. Note that the header
- names are case-insensitive (see
- https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ parentRef:
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
- Input:
- GET /foo HTTP/1.1
- my-header1: foo
- my-header2: bar
- my-header3: baz
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
- Config:
- remove: ["my-header1", "my-header3"]
+ There are two kinds of parent resources with "Core" support:
- Output:
- GET /foo HTTP/1.1
- my-header2: bar
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- description: |-
- Set overwrites the request with the given header (name, value)
- before the action.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Input:
- GET /foo HTTP/1.1
- my-header: foo
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
- Config:
- set:
- - name: "my-header"
- value: "bar"
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
- Output:
- GET /foo HTTP/1.1
- my-header: bar
- items:
- description: HTTPHeader represents an HTTP Header
- name and value as defined by RFC 7230.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
- If multiple entries specify equivalent header names, the first entry with
- an equivalent name MUST be considered for a match. Subsequent entries
- with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- description: Value is the value of HTTP Header
- to be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type:
- description: |-
- Type identifies the type of filter to apply. As with other API fields,
- types are classified into three conformance levels:
- - Core: Filter types and their corresponding configuration defined by
- "Support: Core" in this package, e.g. "RequestHeaderModifier". All
- implementations must support core filters.
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- - Extended: Filter types and their corresponding configuration defined by
- "Support: Extended" in this package, e.g. "RequestMirror". Implementers
- are encouraged to support extended filters.
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
- - Implementation-specific: Filters that are defined and supported by
- specific vendors.
- In the future, filters showing convergence in behavior across multiple
- implementations will be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration for such filters
- is specified using the ExtensionRef field. `Type` should be set to
- "ExtensionRef" for custom filters.
- Implementers are encouraged to define custom implementation types to
- extend the core API with implementation-specific behavior.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
- If a reference to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have been processed by
- that filter MUST receive a HTTP error response.
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - RequestHeaderModifier
- - ResponseHeaderModifier
- - RequestMirror
- - RequestRedirect
- - URLRewrite
- - ExtensionRef
- - CORS
- type: string
- urlRewrite:
- description: |-
- URLRewrite defines a schema for a filter that modifies a request during forwarding.
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
- Support: Extended
- properties:
- hostname:
- description: |-
- Hostname is the value to be used to replace the Host header value during
- forwarding.
- Support: Extended
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- path:
- description: |-
- Path defines a path rewrite.
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
- Support: Extended
- properties:
- replaceFullPath:
- description: |-
- ReplaceFullPath specifies the value with which to replace the full path
- of a request during a rewrite or redirect.
- maxLength: 1024
- type: string
- replacePrefixMatch:
- description: |-
- ReplacePrefixMatch specifies the value with which to replace the prefix
- match of a request during a rewrite or redirect. For example, a request
- to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
- of "/xyz" would be modified to "/xyz/bar".
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
- Note that this matches the behavior of the PathPrefix match type. This
- matches full path elements. A path element refers to the list of labels
- in the path split by the `/` separator. When specified, a trailing `/` is
- ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
- match the prefix `/abc`, but the path `/abcd` would not.
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
- ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
- the implementation setting the Accepted Condition for the Route to `status: False`.
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
- Request Path | Prefix Match | Replace Prefix | Modified Path
- maxLength: 1024
- type: string
- type:
- description: |-
- Type defines the type of path modifier. Additional types may be
- added in a future release of the API.
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
- Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause a crash.
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
- Unknown values here must result in the implementation setting the
- Accepted Condition for the Route to `status: False`, with a
- Reason of `UnsupportedValue`.
- enum:
- - ReplaceFullPath
- - ReplacePrefixMatch
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: replaceFullPath must be specified when
- type is set to 'ReplaceFullPath'
- rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
- : true'
- - message: type must be 'ReplaceFullPath' when replaceFullPath
- is set
- rule: 'has(self.replaceFullPath) ? self.type ==
- ''ReplaceFullPath'' : true'
- - message: replacePrefixMatch must be specified when
- type is set to 'ReplacePrefixMatch'
- rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
- : true'
- - message: type must be 'ReplacePrefixMatch' when
- replacePrefixMatch is set
- rule: 'has(self.replacePrefixMatch) ? self.type
- == ''ReplacePrefixMatch'' : true'
- type: object
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: filter.requestHeaderModifier must be nil if the
- filter.type is not RequestHeaderModifier
- rule: '!(has(self.requestHeaderModifier) && self.type !=
- ''RequestHeaderModifier'')'
- - message: filter.requestHeaderModifier must be specified
- for RequestHeaderModifier filter.type
- rule: '!(!has(self.requestHeaderModifier) && self.type ==
- ''RequestHeaderModifier'')'
- - message: filter.responseHeaderModifier must be nil if the
- filter.type is not ResponseHeaderModifier
- rule: '!(has(self.responseHeaderModifier) && self.type !=
- ''ResponseHeaderModifier'')'
- - message: filter.responseHeaderModifier must be specified
- for ResponseHeaderModifier filter.type
- rule: '!(!has(self.responseHeaderModifier) && self.type
- == ''ResponseHeaderModifier'')'
- - message: filter.requestMirror must be nil if the filter.type
- is not RequestMirror
- rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')'
- - message: filter.requestMirror must be specified for RequestMirror
- filter.type
- rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')'
- - message: filter.requestRedirect must be nil if the filter.type
- is not RequestRedirect
- rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')'
- - message: filter.requestRedirect must be specified for RequestRedirect
- filter.type
- rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')'
- - message: filter.urlRewrite must be nil if the filter.type
- is not URLRewrite
- rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')'
- - message: filter.urlRewrite must be specified for URLRewrite
- filter.type
- rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')'
- - message: filter.extensionRef must be nil if the filter.type
- is not ExtensionRef
- rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')'
- - message: filter.extensionRef must be specified for ExtensionRef
- filter.type
- rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')'
- - message: filter.cors must be nil if the filter.type is not
- CORS
- rule: '!(has(self.cors) && self.type != ''CORS'')'
- - message: filter.cors must be specified for CORS filter.type
- rule: '!(!has(self.cors) && self.type == ''CORS'')'
- maxItems: 16
- type: array
- x-kubernetes-validations:
- - message: May specify either httpRouteFilterRequestRedirect
- or httpRouteFilterRequestRewrite, but not both
- rule: '!(self.exists(f, f.type == ''RequestRedirect'') &&
- self.exists(f, f.type == ''URLRewrite''))'
- - message: RequestHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestHeaderModifier').size()
- <= 1
- - message: ResponseHeaderModifier filter cannot be repeated
- rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
- <= 1
- - message: RequestRedirect filter cannot be repeated
- rule: self.filter(f, f.type == 'RequestRedirect').size() <=
- 1
- - message: URLRewrite filter cannot be repeated
- rule: self.filter(f, f.type == 'URLRewrite').size() <= 1
- matches:
- default:
- - path:
- type: PathPrefix
- value: /
- description: |-
- Matches define conditions used for matching the rule against incoming
- HTTP requests. Each match is independent, i.e. this rule will be matched
- if **any** one of the matches is satisfied.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - conditions
+ - controllerName
+ - parentRef
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - parents
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.4.1
+ gateway.networking.k8s.io/channel: experimental
+ name: referencegrants.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: ReferenceGrant
+ listKind: ReferenceGrantList
+ plural: referencegrants
+ shortNames:
+ - refgrant
+ singular: referencegrant
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
- For example, take the following matches configuration:
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
- ```
- matches:
- - path:
- value: "/foo"
- headers:
- - name: "version"
- value: "v2"
- - path:
- value: "/v2/foo"
- ```
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
- For a request to match against this rule, a request must satisfy
- EITHER of the two conditions:
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ReferenceGrant.
+ properties:
+ from:
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
- - path prefixed with `/foo` AND contains the header `version: v2`
- - path prefix of `/v2/foo`
+ Support: Core
+ items:
+ description: ReferenceGrantFrom describes trusted namespaces and
+ kinds.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
- See the documentation for HTTPRouteMatch on how to specify multiple
- match conditions that should be ANDed together.
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
- If no matches are specified, the default is a prefix
- path match on "/", which has the effect of matching every
- HTTP request.
+ When used to permit a SecretObjectReference:
- Proxy or Load Balancer routing configuration generated from HTTPRoutes
- MUST prioritize matches based on the following criteria, continuing on
- ties. Across all rules specified on applicable Routes, precedence must be
- given to the match having:
+ * Gateway
- * "Exact" path match.
- * "Prefix" path match with largest number of characters.
- * Method match.
- * Largest number of header matches.
- * Largest number of query param matches.
+ When used to permit a BackendObjectReference:
- Note: The precedence of RegularExpression path matches are implementation-specific.
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
- If ties still exist across multiple Routes, matching precedence MUST be
- determined in order of the following criteria, continuing on ties:
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - namespace
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
- * The oldest Route based on creation timestamp.
- * The Route appearing first in alphabetical order by
- "{namespace}/{name}".
+ Support: Core
+ items:
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
- If ties still exist within an HTTPRoute, matching precedence MUST be granted
- to the FIRST matching rule (in list order) with a match meeting the above
- criteria.
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
- When no rules matching a request have been successfully attached to the
- parent a request is coming from, a HTTP 404 status code MUST be returned.
- items:
- description: "HTTPRouteMatch defines the predicate used to
- match requests to a given\naction. Multiple match types
- are ANDed together, i.e. the match will\nevaluate to true
- only if all conditions are satisfied.\n\nFor example, the
- match below will match a HTTP request only if its path\nstarts
- with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
- \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
- \ value \"v1\"\n\n```"
- properties:
- headers:
- description: |-
- Headers specifies HTTP request header matchers. Multiple match values are
- ANDed together, meaning, a request must match all the specified headers
- to select the route.
- items:
- description: |-
- HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
- headers.
- properties:
- name:
- description: |-
- Name is the name of the HTTP Header to be matched. Name matching MUST be
- case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - from
+ - to
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.4.1
+ gateway.networking.k8s.io/channel: experimental
+ name: tcproutes.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: TCPRoute
+ listKind: TCPRouteList
+ plural: tcproutes
+ singular: tcproute
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha2
+ schema:
+ openAPIV3Schema:
+ description: |-
+ TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ listener, it can be used to forward connections on the port specified by the
+ listener to a set of backends specified by the TCPRoute.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of TCPRoute.
+ properties:
+ parentRefs:
+ description: |-
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
- If multiple entries specify equivalent header names, only the first
- entry with an equivalent name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST be ignored. Due to the
- case-insensitivity of header names, "foo" and "Foo" are considered
- equivalent.
+ There are two kinds of parent resources with "Core" support:
- When a header is repeated in an HTTP request, it is
- implementation-specific behavior as to how this is represented.
- Generally, proxies should follow the guidance from the RFC:
- https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
- processing a repeated header, with special handling for "Set-Cookie".
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- description: |-
- Type specifies how to match against the value of the header.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Support: Core (Exact)
+ This API may be extended in the future to support additional kinds of parent
+ resources.
- Support: Implementation-specific (RegularExpression)
+ ParentRefs must be _distinct_. This means either that:
- Since RegularExpression HeaderMatchType has implementation-specific
- conformance, implementations can support POSIX, PCRE or any other dialects
- of regular expressions. Please read the implementation's documentation to
- determine the supported dialect.
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- description: Value is the value of HTTP Header to
- be matched.
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- method:
- description: |-
- Method specifies HTTP method matcher.
- When specified, this route will be matched only if the request has the
- specified method.
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
- Support: Extended
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- type: string
- path:
- default:
- type: PathPrefix
- value: /
- description: |-
- Path specifies a HTTP request path matcher. If this field is not
- specified, a default prefix match on the "/" path is provided.
- properties:
- type:
- default: PathPrefix
- description: |-
- Type specifies how to match against the path Value.
+ Some examples:
- Support: Core (Exact, PathPrefix)
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
+ * If one ParentRef sets `port`, all ParentRefs referencing the same
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
- Support: Implementation-specific (RegularExpression)
- enum:
- - Exact
- - PathPrefix
- - RegularExpression
- type: string
- value:
- default: /
- description: Value of the HTTP path to match against.
- maxLength: 1024
- type: string
- type: object
- x-kubernetes-validations:
- - message: value must be an absolute path and start with
- '/' when type one of ['Exact', 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'')
- : true'
- - message: must not contain '//' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'')
- : true'
- - message: must not contain '/./' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'')
- : true'
- - message: must not contain '/../' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'')
- : true'
- - message: must not contain '%2f' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'')
- : true'
- - message: must not contain '%2F' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'')
- : true'
- - message: must not contain '#' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'')
- : true'
- - message: must not end with '/..' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'')
- : true'
- - message: must not end with '/.' when type one of ['Exact',
- 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'')
- : true'
- - message: type must be one of ['Exact', 'PathPrefix',
- 'RegularExpression']
- rule: self.type in ['Exact','PathPrefix'] || self.type
- == 'RegularExpression'
- - message: must only contain valid characters (matching
- ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$)
- for types ['Exact', 'PathPrefix']
- rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
- : true'
- queryParams:
- description: |-
- QueryParams specifies HTTP query parameter matchers. Multiple match
- values are ANDed together, meaning, a request must match all the
- specified query parameters to select the route.
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
- Support: Extended
- items:
- description: |-
- HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
- query parameters.
- properties:
- name:
- description: |-
- Name is the name of the HTTP query param to be matched. This must be an
- exact string match. (See
- https://tools.ietf.org/html/rfc7230#section-2.7.3).
+ Note that for ParentRefs that cross namespace boundaries, there are specific
+ rules. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
- If multiple entries specify equivalent query param names, only the first
- entry with an equivalent name MUST be considered for a match. Subsequent
- entries with an equivalent query param name MUST be ignored.
- If a query param is repeated in an HTTP request, the behavior is
- purposely left undefined, since different data planes have different
- capabilities. However, it is *recommended* that implementations should
- match against the first value of the param if the data plane supports it,
- as this behavior is expected in other load balancing contexts outside of
- the Gateway API.
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- Users SHOULD NOT route traffic based on repeated query params to guard
- themselves against potential differences in the implementations.
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- description: |-
- Type specifies how to match against the value of the query parameter.
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+ items:
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
- Support: Extended (Exact)
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- Support: Implementation-specific (RegularExpression)
+ This API may be extended in the future to support additional kinds of parent
+ resources.
- Since RegularExpression QueryParamMatchType has Implementation-specific
- conformance, implementations can support POSIX, PCRE or any other
- dialects of regular expressions. Please read the implementation's
- documentation to determine the supported dialect.
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- description: Value is the value of HTTP query param
- to be matched.
- maxLength: 1024
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- maxItems: 64
- type: array
- name:
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
description: |-
- Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
- Support: Extended
+ Support: Core
maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
- retry:
+ kind:
+ default: Gateway
description: |-
- Retry defines the configuration for when to retry an HTTP request.
+ Kind is kind of the referent.
- Support: Extended
- properties:
- attempts:
- description: |-
- Attempts specifies the maximum number of times an individual request
- from the gateway to a backend should be retried.
+ There are two kinds of parent resources with "Core" support:
- If the maximum number of retries has been attempted without a successful
- response from the backend, the Gateway MUST return an error.
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
- When this field is unspecified, the number of times to attempt to retry
- a backend request is implementation-specific.
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
- Support: Extended
- type: integer
- backoff:
- description: |-
- Backoff specifies the minimum duration a Gateway should wait between
- retry attempts and is represented in Gateway API Duration formatting.
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
- For example, setting the `rules[].retry.backoff` field to the value
- `100ms` will cause a backend request to first be retried approximately
- 100 milliseconds after timing out or receiving a response code configured
- to be retryable.
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
- An implementation MAY use an exponential or alternative backoff strategy
- for subsequent retry attempts, MAY cap the maximum backoff duration to
- some amount greater than the specified minimum, and MAY add arbitrary
- jitter to stagger requests, as long as unsuccessful backend requests are
- not retried before the configured minimum duration.
- If a Request timeout (`rules[].timeouts.request`) is configured on the
- route, the entire duration of the initial request and any retry attempts
- MUST not exceed the Request timeout duration. If any retry attempts are
- still in progress when the Request timeout duration has been reached,
- these SHOULD be canceled if possible and the Gateway MUST immediately
- return a timeout error.
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
- If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
- configured on the route, any retry attempts which reach the configured
- BackendRequest timeout duration without a response SHOULD be canceled if
- possible and the Gateway should wait for at least the specified backoff
- duration before attempting to retry the backend request again.
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
- If a BackendRequest timeout is _not_ configured on the route, retry
- attempts MAY time out after an implementation default duration, or MAY
- remain pending until a configured Request timeout or implementation
- default duration for total request time is reached.
- When this field is unspecified, the time to wait between retry attempts
- is implementation-specific.
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- codes:
- description: |-
- Codes defines the HTTP response status codes for which a backend request
- should be retried.
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
- Support: Extended
- items:
- description: |-
- HTTPRouteRetryStatusCode defines an HTTP response status code for
- which a backend request should be retried.
- Implementations MUST support the following status codes as retryable:
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
- * 500
- * 502
- * 503
- * 504
- Implementations MAY support specifying additional discrete values in the
- 500-599 range.
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
- Implementations MAY support specifying discrete values in the 400-499 range,
- which are often inadvisable to retry.
- maximum: 599
- minimum: 400
- type: integer
- type: array
- type: object
- sessionPersistence:
- description: |-
- SessionPersistence defines and configures session persistence
- for the route rule.
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
Support: Extended
- properties:
- absoluteTimeout:
- description: |-
- AbsoluteTimeout defines the absolute timeout of the persistent
- session. Once the AbsoluteTimeout duration has elapsed, the
- session becomes invalid.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- cookieConfig:
- description: |-
- CookieConfig provides configuration settings that are specific
- to cookie-based session persistence.
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
- Support: Core
- properties:
- lifetimeType:
- default: Session
- description: |-
- LifetimeType specifies whether the cookie has a permanent or
- session-based lifetime. A permanent cookie persists until its
- specified expiry time, defined by the Expires or Max-Age cookie
- attributes, while a session cookie is deleted when the current
- session ends.
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
- When set to "Permanent", AbsoluteTimeout indicates the
- cookie's lifetime via the Expires or Max-Age cookie attributes
- and is required.
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 32
+ type: array
+ x-kubernetes-list-type: atomic
+ x-kubernetes-validations:
+ - message: sectionName or port must be specified when parentRefs includes
+ 2 or more references to the same parent
+ rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__
+ == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName)
+ || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName
+ == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port)
+ || p2.port == 0)): true))'
+ - message: sectionName or port must be unique when parentRefs includes
+ 2 or more references to the same parent
+ rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind
+ == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__)
+ || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__
+ == '')) || (has(p1.__namespace__) && has(p2.__namespace__) &&
+ p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName)
+ || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName
+ == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName
+ == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port)
+ || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
+ == p2.port))))
+ rules:
+ description: Rules are a list of TCP matchers and actions.
+ items:
+ description: TCPRouteRule is the configuration for a given rule.
+ properties:
+ backendRefs:
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent. If unspecified or invalid (refers to a nonexistent resource or a
+ Service with no endpoints), the underlying implementation MUST actively
+ reject connection attempts to this backend. Connection rejections must
+ respect weight; if an invalid backend is requested to have 80% of
+ connections, then 80% of connections must be rejected instead.
- When set to "Session", AbsoluteTimeout indicates the
- absolute lifetime of the cookie tracked by the gateway and
- is optional.
+ Support: Core for Kubernetes Service
- Defaults to "Session".
+ Support: Extended for Kubernetes ServiceImport
- Support: Core for "Session" type
+ Support: Implementation-specific for any other resource
- Support: Extended for "Permanent" type
- enum:
- - Permanent
- - Session
- type: string
- type: object
- idleTimeout:
- description: |-
- IdleTimeout defines the idle timeout of the persistent session.
- Once the session has been idle for more than the specified
- IdleTimeout duration, the session becomes invalid.
+ Support for weight: Extended
+ items:
+ description: |-
+ BackendRef defines how a Route should forward a request to a Kubernetes
+ resource.
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- sessionName:
- description: |-
- SessionName defines the name of the persistent session token
- which may be reflected in the cookie or the header. Users
- should avoid reusing session names to prevent unintended
- consequences, such as rejection or unpredictable behavior.
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Support: Implementation-specific
- maxLength: 128
- type: string
- type:
- default: Cookie
- description: |-
- Type defines the type of session persistence such as through
- the use a header or cookie. Defaults to cookie based session
- persistence.
- Support: Core for "Cookie" type
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
- Support: Extended for "Header" type
- enum:
- - Cookie
- - Header
- type: string
- type: object
- x-kubernetes-validations:
- - message: AbsoluteTimeout must be specified when cookie lifetimeType
- is Permanent
- rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
- || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
- timeouts:
- description: |-
- Timeouts defines the timeouts that can be configured for an HTTP request.
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
- Support: Extended
- properties:
- backendRequest:
- description: |-
- BackendRequest specifies a timeout for an individual request from the gateway
- to a backend. This covers the time from when the request first starts being
- sent from the gateway to when the full response has been received from the backend.
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
- Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
- completely. Implementations that cannot completely disable the timeout MUST
- instead interpret the zero duration as the longest possible value to which
- the timeout can be set.
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
- An entire client HTTP transaction with a gateway, covered by the Request timeout,
- may result in more than one call from the gateway to the destination backend,
- for example, if automatic retries are supported.
- The value of BackendRequest must be a Gateway API Duration string as defined by
- GEP-2257. When this field is unspecified, its behavior is implementation-specific;
- when specified, the value of BackendRequest must be no more than the value of the
- Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+ Note that when the BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here. See the fields
+ where this struct is used for more information about the exact behavior.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- request:
- description: |-
- Request specifies the maximum duration for a gateway to respond to an HTTP request.
- If the gateway has not been able to respond before this deadline is met, the gateway
- MUST return a timeout error.
+ Defaults to "Service" when not specified.
- For example, setting the `rules.timeouts.request` field to the value `10s` in an
- `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
- to complete.
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
- Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
- completely. Implementations that cannot completely disable the timeout MUST
- instead interpret the zero duration as the longest possible value to which
- the timeout can be set.
+ Support: Core (Services with a type other than ExternalName)
- This timeout is intended to cover as close to the whole request-response transaction
- as possible although an implementation MAY choose to start the timeout after the entire
- request stream has been received instead of immediately after the transaction is
- initiated by the client.
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
- The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
- field is unspecified, request timeout behavior is implementation-specific.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Support: Extended
- pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
- type: string
- type: object
- x-kubernetes-validations:
- - message: backendRequest timeout cannot be longer than request
- timeout
- rule: '!(has(self.request) && has(self.backendRequest) &&
- duration(self.request) != duration(''0s'') && duration(self.backendRequest)
- > duration(self.request))'
- type: object
- x-kubernetes-validations:
- - message: RequestRedirect filter must not be used together with
- backendRefs
- rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ?
- (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))):
- true'
- - message: When using RequestRedirect filter with path.replacePrefixMatch,
- exactly one PathPrefix match must be specified
- rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect)
- && has(f.requestRedirect.path) && f.requestRedirect.path.type
- == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
- ? ((size(self.matches) != 1 || !has(self.matches[0].path) ||
- self.matches[0].path.type != ''PathPrefix'') ? false : true)
- : true'
- - message: When using URLRewrite filter with path.replacePrefixMatch,
- exactly one PathPrefix match must be specified
- rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite)
- && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
- && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches)
- != 1 || !has(self.matches[0].path) || self.matches[0].path.type
- != ''PathPrefix'') ? false : true) : true'
- - message: Within backendRefs, when using RequestRedirect filter
- with path.replacePrefixMatch, exactly one PathPrefix match must
- be specified
- rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
- (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect)
- && has(f.requestRedirect.path) && f.requestRedirect.path.type
- == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch)))
- )) ? ((size(self.matches) != 1 || !has(self.matches[0].path)
- || self.matches[0].path.type != ''PathPrefix'') ? false : true)
- : true'
- - message: Within backendRefs, When using URLRewrite filter with
- path.replacePrefixMatch, exactly one PathPrefix match must be
- specified
- rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b,
- (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite)
- && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch''
- && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches)
- != 1 || !has(self.matches[0].path) || self.matches[0].path.type
- != ''PathPrefix'') ? false : true) : true'
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ description: |-
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - backendRefs
+ type: object
maxItems: 16
+ minItems: 1
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- - message: While 16 rules and 64 matches per rule are allowed, the
- total number of matches across all rules in a route must be less
- than 128
- rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
- > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
- : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
- > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
- : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
- > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
- : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
- > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
- : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
- > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
- : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
- message: Rule name must be unique within the route
rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
&& l1.name == l2.name))
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
+ required:
+ - rules
type: object
status:
- description: Status defines the current state of HTTPRoute.
+ description: Status defines the current state of TCPRoute.
properties:
parents:
description: |-
@@ -13356,234 +16596,43 @@ spec:
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
- interpreted.
-
- When unspecified (empty string), this will reference the entire resource.
- For the purpose of status, an attachment is considered successful if at
- least one section in the parent resource accepts it. For example, Gateway
- listeners can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
- the referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from this Route, the
- Route MUST be considered detached from the Gateway.
-
- Support: Core
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- required:
- - controllerName
- - parentRef
- type: object
- maxItems: 32
- type: array
- required:
- - parents
- type: object
- required:
- - spec
- type: object
- served: true
- storage: false
- subresources:
- status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: null
- storedVersions: null
----
-#
-# config/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml
-#
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
- gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
- name: referencegrants.gateway.networking.k8s.io
-spec:
- group: gateway.networking.k8s.io
- names:
- categories:
- - gateway-api
- kind: ReferenceGrant
- listKind: ReferenceGrantList
- plural: referencegrants
- shortNames:
- - refgrant
- singular: referencegrant
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: |-
- ReferenceGrant identifies kinds of resources in other namespaces that are
- trusted to reference the specified kinds of resources in the same namespace
- as the policy.
-
- Each ReferenceGrant can be used to represent a unique trust relationship.
- Additional Reference Grants can be used to add to the set of trusted
- sources of inbound references for the namespace they are defined within.
-
- All cross-namespace references in Gateway API (with the exception of cross-namespace
- Gateway-route attachment) require a ReferenceGrant.
-
- ReferenceGrant is a form of runtime verification allowing users to assert
- which cross-namespace object references are permitted. Implementations that
- support ReferenceGrant MUST NOT permit cross-namespace references which have
- no grant, and MUST respond to the removal of a grant by revoking the access
- that the grant allowed.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of ReferenceGrant.
- properties:
- from:
- description: |-
- From describes the trusted namespaces and kinds that can reference the
- resources described in "To". Each entry in this list MUST be considered
- to be an additional place that references can be valid from, or to put
- this another way, entries MUST be combined using OR.
-
- Support: Core
- items:
- description: ReferenceGrantFrom describes trusted namespaces and
- kinds.
- properties:
- group:
- description: |-
- Group is the group of the referent.
- When empty, the Kubernetes core API group is inferred.
-
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: |-
- Kind is the kind of the referent. Although implementations may support
- additional resources, the following types are part of the "Core"
- support level for this field.
-
- When used to permit a SecretObjectReference:
-
- * Gateway
-
- When used to permit a BackendObjectReference:
-
- * GRPCRoute
- * HTTPRoute
- * TCPRoute
- * TLSRoute
- * UDPRoute
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referent.
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - group
- - kind
- - namespace
- type: object
- maxItems: 16
- minItems: 1
- type: array
- to:
- description: |-
- To describes the resources that may be referenced by the resources
- described in "From". Each entry in this list MUST be considered to be an
- additional place that references can be valid to, or to put this another
- way, entries MUST be combined using OR.
-
- Support: Core
- items:
- description: |-
- ReferenceGrantTo describes what Kinds are allowed as targets of the
- references.
- properties:
- group:
- description: |-
- Group is the group of the referent.
- When empty, the Kubernetes core API group is inferred.
-
- Support: Core
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: |-
- Kind is the kind of the referent. Although implementations may support
- additional resources, the following types are part of the "Core"
- support level for this field:
+ interpreted.
- * Secret when used to permit a SecretObjectReference
- * Service when used to permit a BackendObjectReference
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: |-
- Name is the name of the referent. When unspecified, this policy
- refers to all resources of the specified Group and Kind in the local
- namespace.
- maxLength: 253
- minLength: 1
- type: string
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
required:
- - group
- - kind
+ - conditions
+ - controllerName
+ - parentRef
type: object
- maxItems: 16
- minItems: 1
+ maxItems: 32
type: array
+ x-kubernetes-list-type: atomic
required:
- - from
- - to
+ - parents
type: object
+ required:
+ - spec
type: object
served: true
storage: true
- subresources: {}
+ subresources:
+ status: {}
status:
acceptedNames:
kind: ""
@@ -13592,26 +16641,25 @@ status:
storedVersions: null
---
#
-# config/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml
+# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
- name: tcproutes.gateway.networking.k8s.io
+ name: tlsroutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
- kind: TCPRoute
- listKind: TCPRouteList
- plural: tcproutes
- singular: tcproute
+ kind: TLSRoute
+ listKind: TLSRouteList
+ plural: tlsroutes
+ singular: tlsroute
scope: Namespaced
versions:
- additionalPrinterColumns:
@@ -13622,9 +16670,12 @@ spec:
schema:
openAPIV3Schema:
description: |-
- TCPRoute provides a way to route TCP requests. When combined with a Gateway
- listener, it can be used to forward connections on the port specified by the
- listener to a set of backends specified by the TCPRoute.
+ The TLSRoute resource is similar to TCPRoute, but can be configured
+ to match against TLS-specific metadata. This allows more flexibility
+ in matching streams for a given TLS listener.
+
+ If you need to forward traffic to a single target for a TLS listener, you
+ could choose to use a TCPRoute with a TLS listener.
properties:
apiVersion:
description: |-
@@ -13644,8 +16695,66 @@ spec:
metadata:
type: object
spec:
- description: Spec defines the desired state of TCPRoute.
+ description: Spec defines the desired state of TLSRoute.
properties:
+ hostnames:
+ description: |-
+ Hostnames defines a set of SNI names that should match against the
+ SNI attribute of TLS ClientHello message in TLS handshake. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed in SNI names per RFC 6066.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and TLSRoute, there
+ must be at least one intersecting hostname for the TLSRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches TLSRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches TLSRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the other
+ hand, `example.com` and `test.example.net` would not match.
+
+ If both the Listener and TLSRoute have specified hostnames, any
+ TLSRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ TLSRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and TLSRoute have specified hostnames, and none
+ match with the criteria above, then the TLSRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ Support: Core
+ items:
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
parentRefs:
description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
@@ -13858,6 +16967,7 @@ spec:
type: object
maxItems: 32
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
@@ -13882,18 +16992,21 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: Rules are a list of TCP matchers and actions.
+ description: Rules are a list of TLS matchers and actions.
items:
- description: TCPRouteRule is the configuration for a given rule.
+ description: TLSRouteRule is the configuration for a given rule.
properties:
backendRefs:
description: |-
BackendRefs defines the backend(s) where matching requests should be
- sent. If unspecified or invalid (refers to a nonexistent resource or a
- Service with no endpoints), the underlying implementation MUST actively
- reject connection attempts to this backend. Connection rejections must
- respect weight; if an invalid backend is requested to have 80% of
- connections, then 80% of connections must be rejected instead.
+ sent. If unspecified or invalid (refers to a nonexistent resource or
+ a Service with no endpoints), the rule performs no forwarding; if no
+ filters are specified that would result in a response being sent, the
+ underlying implementation must actively reject request attempts to this
+ backend, by rejecting the connection or returning a 500 status code.
+ Request rejections must respect weight; if an invalid backend is
+ requested to have 80% of requests, then 80% of requests must be rejected
+ instead.
Support: Core for Kubernetes Service
@@ -14022,6 +17135,7 @@ spec:
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-list-type: atomic
name:
description: |-
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
@@ -14031,19 +17145,40 @@ spec:
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - backendRefs
type: object
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: Rule name must be unique within the route
rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
&& l1.name == l2.name))
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
required:
- rules
type: object
status:
- description: Status defines the current state of TCPRoute.
+ description: Status defines the current state of TLSRoute.
properties:
parents:
description: |-
@@ -14305,11 +17440,13 @@ spec:
- name
type: object
required:
+ - conditions
- controllerName
- parentRef
type: object
maxItems: 32
type: array
+ x-kubernetes-list-type: atomic
required:
- parents
type: object
@@ -14317,44 +17454,14 @@ spec:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: null
- storedVersions: null
----
-#
-# config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
-#
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
- gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
- name: tlsroutes.gateway.networking.k8s.io
-spec:
- group: gateway.networking.k8s.io
- names:
- categories:
- - gateway-api
- kind: TLSRoute
- listKind: TLSRouteList
- plural: tlsroutes
- singular: tlsroute
- scope: Namespaced
- versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- name: v1alpha2
+ name: v1alpha3
schema:
openAPIV3Schema:
description: |-
@@ -14387,11 +17494,11 @@ spec:
properties:
hostnames:
description: |-
- Hostnames defines a set of SNI names that should match against the
+ Hostnames defines a set of SNI hostnames that should match against the
SNI attribute of TLS ClientHello message in TLS handshake. This matches
the RFC 1123 definition of a hostname with 2 notable exceptions:
- 1. IPs are not allowed in SNI names per RFC 6066.
+ 1. IPs are not allowed in SNI hostnames per RFC 6066.
2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
label must appear by itself as the first label.
@@ -14400,13 +17507,13 @@ spec:
attached to the Listener. For example:
* A Listener with `test.example.com` as the hostname matches TLSRoutes
- that have either not specified any hostnames, or have specified at
- least one of `test.example.com` or `*.example.com`.
+ that have specified at least one of `test.example.com` or
+ `*.example.com`.
* A Listener with `*.example.com` as the hostname matches TLSRoutes
- that have either not specified any hostnames or have specified at least
- one hostname that matches the Listener hostname. For example,
- `test.example.com` and `*.example.com` would both match. On the other
- hand, `example.com` and `test.example.net` would not match.
+ that have specified at least one hostname that matches the Listener
+ hostname. For example, `test.example.com` and `*.example.com` would both
+ match. On the other hand, `example.com` and `test.example.net` would not
+ match.
If both the Listener and TLSRoute have specified hostnames, any
TLSRoute hostnames that do not match the Listener hostname MUST be
@@ -14441,7 +17548,9 @@ spec:
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
maxItems: 16
+ minItems: 1
type: array
+ x-kubernetes-list-type: atomic
parentRefs:
description: |-
ParentRefs references the resources (usually Gateways) that a Route wants
@@ -14654,6 +17763,7 @@ spec:
type: object
maxItems: 32
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
@@ -14678,7 +17788,7 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: Rules are a list of TLS matchers and actions.
+ description: Rules are a list of actions.
items:
description: TLSRouteRule is the configuration for a given rule.
properties:
@@ -14821,6 +17931,7 @@ spec:
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-list-type: atomic
name:
description: |-
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
@@ -14830,15 +17941,37 @@ spec:
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - backendRefs
type: object
- maxItems: 16
+ maxItems: 1
minItems: 1
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: Rule name must be unique within the route
rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
&& l1.name == l2.name))
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
required:
+ - hostnames
- rules
type: object
status:
@@ -15104,11 +18237,13 @@ spec:
- name
type: object
required:
+ - conditions
- controllerName
- parentRef
type: object
maxItems: 32
type: array
+ x-kubernetes-list-type: atomic
required:
- parents
type: object
@@ -15134,9 +18269,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
name: udproutes.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
@@ -15393,6 +18527,7 @@ spec:
type: object
maxItems: 32
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: sectionName or port must be specified when parentRefs includes
2 or more references to the same parent
@@ -15557,6 +18692,7 @@ spec:
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-list-type: atomic
name:
description: |-
Name is the name of the route rule. This name MUST be unique within a Route if it is set.
@@ -15566,14 +18702,35 @@ spec:
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
+ required:
+ - backendRefs
type: object
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-list-type: atomic
x-kubernetes-validations:
- message: Rule name must be unique within the route
rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
&& l1.name == l2.name))
+ useDefaultGateways:
+ description: |-
+ UseDefaultGateways indicates the default Gateway scope to use for this
+ Route. If unset (the default) or set to None, the Route will not be
+ attached to any default Gateway; if set, it will be attached to any
+ default Gateway supporting the named scope, subject to the usual rules
+ about which Routes a Gateway is allowed to claim.
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+ enum:
+ - All
+ - None
+ type: string
required:
- rules
type: object
@@ -15840,11 +18997,13 @@ spec:
- name
type: object
required:
+ - conditions
- controllerName
- parentRef
type: object
maxItems: 32
type: array
+ x-kubernetes-list-type: atomic
required:
- parents
type: object
@@ -15870,9 +19029,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
labels:
gateway.networking.k8s.io/policy: Direct
name: xbackendtrafficpolicies.gateway.networking.x-k8s.io
@@ -16450,10 +19608,12 @@ spec:
type: string
required:
- ancestorRef
+ - conditions
- controllerName
type: object
maxItems: 16
type: array
+ x-kubernetes-list-type: atomic
required:
- ancestors
type: object
@@ -16479,9 +19639,8 @@ kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
- gateway.networking.k8s.io/bundle-version: v1.3.0
+ gateway.networking.k8s.io/bundle-version: v1.4.1
gateway.networking.k8s.io/channel: experimental
- creationTimestamp: null
name: xlistenersets.gateway.networking.x-k8s.io
spec:
group: gateway.networking.x-k8s.io
@@ -16510,8 +19669,33 @@ spec:
schema:
openAPIV3Schema:
description: |-
- XListenerSet defines a set of additional listeners
- to attach to an existing Gateway.
+ XListenerSet defines a set of additional listeners to attach to an existing Gateway.
+ This resource provides a mechanism to merge multiple listeners into a single Gateway.
+
+ The parent Gateway must explicitly allow ListenerSet attachment through its
+ AllowedListeners configuration. By default, Gateways do not allow ListenerSet
+ attachment.
+
+ Routes can attach to a ListenerSet by specifying it as a parentRef, and can
+ optionally target specific listeners using the sectionName field.
+
+ Policy Attachment:
+ - Policies that attach to a ListenerSet apply to all listeners defined in that resource
+ - Policies do not impact listeners in the parent Gateway
+ - Different ListenerSets attached to the same Gateway can have different policies
+ - If an implementation cannot apply a policy to specific listeners, it should reject the policy
+
+ ReferenceGrant Semantics:
+ - ReferenceGrants applied to a Gateway are not inherited by child ListenerSets
+ - ReferenceGrants applied to a ListenerSet do not grant permission to the parent Gateway's listeners
+ - A ListenerSet can reference secrets/backends in its own namespace without a ReferenceGrant
+
+ Gateway Integration:
+ - The parent Gateway's status will include an "AttachedListenerSets" condition
+ - This condition will be:
+ - True: when AllowedListeners is set and at least one child ListenerSet is attached
+ - False: when AllowedListeners is set but no valid listeners are attached, or when AllowedListeners is not set or false
+ - Unknown: when no AllowedListeners config is present
properties:
apiVersion:
description: |-
@@ -16549,10 +19733,10 @@ spec:
1. "parent" Gateway
2. ListenerSet ordered by creation time (oldest first)
- 3. ListenerSet ordered alphabetically by “{namespace}/{name}”.
+ 3. ListenerSet ordered alphabetically by "{namespace}/{name}".
An implementation MAY reject listeners by setting the ListenerEntryStatus
- `Accepted`` condition to False with the Reason `TooManyListeners`
+ `Accepted` condition to False with the Reason `TooManyListeners`
If a listener has a conflict, this will be reported in the
Status.ListenerEntryStatus setting the `Conflicted` condition to True.
@@ -16625,6 +19809,7 @@ spec:
type: object
maxItems: 8
type: array
+ x-kubernetes-list-type: atomic
namespaces:
default:
from: Same
@@ -16747,12 +19932,18 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
port:
+ default: 0
description: |-
Port is the network port. Multiple listeners may use the
same port, subject to the Listener compatibility rules.
+
+ If the port is not set or specified as zero, the implementation will assign
+ a unique port. If the implementation does not support dynamic port
+ assignment, it MUST set `Accepted` condition to `False` with the
+ `UnsupportedPort` reason.
format: int32
maximum: 65535
- minimum: 1
+ minimum: 0
type: integer
protocol:
description: Protocol specifies the network protocol this listener
@@ -16767,7 +19958,7 @@ spec:
the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
if the Protocol field is "HTTP", "TCP", or "UDP".
- The association of SNIs to Certificate defined in GatewayTLSConfig is
+ The association of SNIs to Certificate defined in ListenerTLSConfig is
defined based on the Hostname field for this listener.
The GatewayClass MUST use the longest matching SNI out of all
@@ -16830,115 +20021,29 @@ spec:
name:
description: Name is the name of the referent.
maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
-
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
-
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- maxItems: 64
- type: array
- frontendValidation:
- description: |-
- FrontendValidation holds configuration information for validating the frontend (client).
- Setting this field will require clients to send a client certificate
- required for validation during the TLS handshake. In browsers this may result in a dialog appearing
- that requests a user to specify the client certificate.
- The maximum depth of a certificate chain accepted in verification is Implementation specific.
-
- Support: Extended
- properties:
- caCertificateRefs:
- description: |-
- CACertificateRefs contains one or more references to
- Kubernetes objects that contain TLS certificates of
- the Certificate Authorities that can be used
- as a trust anchor to validate the certificates presented by the client.
-
- A single CA certificate reference to a Kubernetes ConfigMap
- has "Core" support.
- Implementations MAY choose to support attaching multiple CA certificates to
- a Listener, but this behavior is implementation-specific.
-
- Support: Core - A single reference to a Kubernetes ConfigMap
- with the CA certificate in a key named `ca.crt`.
-
- Support: Implementation-specific (More than one reference, or other kinds
- of resources).
-
- References to a resource in a different namespace are invalid UNLESS there
- is a ReferenceGrant in the target namespace that allows the certificate
- to be attached. If a ReferenceGrant does not allow this reference, the
- "ResolvedRefs" condition MUST be set to False for this listener with the
- "RefNotPermitted" reason.
- items:
- description: |-
- ObjectReference identifies an API object including its namespace.
-
- The API object must be valid in the cluster; the Group and Kind must
- be registered in the cluster for this reference to be valid.
-
- References to objects with invalid Group and Kind are not valid, and must
- be rejected by the implementation, with appropriate Conditions set
- on the containing object.
- properties:
- group:
- description: |-
- Group is the group of the referent. For example, "gateway.networking.k8s.io".
- When set to the empty string, core API group is inferred.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the referent. For
- example "ConfigMap" or "Service".
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent.
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- description: |-
- Namespace is the namespace of the referenced object. When unspecified, the local
- namespace is inferred.
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
- Note that when a namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace to allow that
- namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details.
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
- Support: Core
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 8
- minItems: 1
- type: array
- type: object
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-type: atomic
mode:
default: Terminate
description: |-
@@ -16990,7 +20095,6 @@ spec:
> 0 || size(self.options) > 0 : true'
required:
- name
- - port
- protocol
type: object
maxItems: 64
@@ -17290,6 +20394,7 @@ spec:
type: object
maxItems: 8
type: array
+ x-kubernetes-list-type: atomic
required:
- attachedRoutes
- conditions
@@ -17316,3 +20421,255 @@ status:
plural: ""
conditions: null
storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.x-k8s.io_xmeshes.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.4.1
+ gateway.networking.k8s.io/channel: experimental
+ name: xmeshes.gateway.networking.x-k8s.io
+spec:
+ group: gateway.networking.x-k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: XMesh
+ listKind: XMeshList
+ plural: xmeshes
+ shortNames:
+ - mesh
+ singular: xmesh
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: XMesh defines mesh-wide characteristics of a GAMMA-compliant
+ service mesh.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of XMesh.
+ properties:
+ controllerName:
+ description: |-
+ ControllerName is the name of a controller that is managing Gateway API
+ resources for mesh traffic management. The value of this field MUST be a
+ domain prefixed path.
+
+ Example: "example.com/awesome-mesh".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
+ description:
+ description: Description optionally provides a human-readable description
+ of a Mesh.
+ maxLength: 64
+ type: string
+ parametersRef:
+ description: |-
+ ParametersRef is an optional reference to a resource that contains
+ implementation-specific configuration for this Mesh. If no
+ implementation-specific parameters are needed, this field MUST be
+ omitted.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e.
+ ConfigMap, or an implementation-specific custom resource. The resource
+ can be cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the Mesh MUST be rejected
+ with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - controllerName
+ type: object
+ status:
+ default:
+ conditions:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ description: Status defines the current state of XMesh.
+ properties:
+ conditions:
+ default:
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Accepted
+ - lastTransitionTime: "1970-01-01T00:00:00Z"
+ message: Waiting for controller
+ reason: Pending
+ status: Unknown
+ type: Programmed
+ description: |-
+ Conditions is the current status from the controller for
+ this Mesh.
+
+ Controllers should prefer to publish conditions using values
+ of MeshConditionType for the type of each Condition.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ supportedFeatures:
+ description: |-
+ SupportedFeatures is the set of features the Mesh support.
+ It MUST be sorted in ascending alphabetical order by the Name key.
+ items:
+ properties:
+ name:
+ description: |-
+ FeatureName is used to describe distinct features that are covered by
+ conformance tests.
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 64
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_backends.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_backends.yaml
new file mode 100644
index 00000000..010cd3b9
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_backends.yaml
@@ -0,0 +1,476 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: backends.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: Backend
+ listKind: BackendList
+ plural: backends
+ shortNames:
+ - be
+ singular: backend
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].reason
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Backend allows the user to configure the endpoints of a backend and
+ the behavior of the connection from Envoy Proxy to the backend.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Backend.
+ properties:
+ appProtocols:
+ description: AppProtocols defines the application protocols to be
+ supported when connecting to the backend.
+ items:
+ description: AppProtocolType defines various backend applications
+ protocols supported by Envoy Gateway
+ enum:
+ - gateway.envoyproxy.io/h2c
+ - gateway.envoyproxy.io/ws
+ - gateway.envoyproxy.io/wss
+ type: string
+ type: array
+ endpoints:
+ description: Endpoints defines the endpoints to be used when connecting
+ to the backend.
+ items:
+ description: |-
+ BackendEndpoint describes a backend endpoint, which can be either a fully-qualified domain name, IP address or unix domain socket
+ corresponding to Envoy's Address: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address
+ properties:
+ fqdn:
+ description: FQDN defines a FQDN endpoint
+ properties:
+ hostname:
+ description: Hostname defines the FQDN hostname of the backend
+ endpoint.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ port:
+ description: Port defines the port of the backend endpoint.
+ format: int32
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - hostname
+ - port
+ type: object
+ hostname:
+ description: Hostname defines an optional hostname for the backend
+ endpoint.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ ip:
+ description: IP defines an IP endpoint. Supports both IPv4 and
+ IPv6 addresses.
+ properties:
+ address:
+ description: |-
+ Address defines the IP address of the backend endpoint.
+ Supports both IPv4 and IPv6 addresses.
+ maxLength: 45
+ minLength: 3
+ pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$
+ type: string
+ port:
+ description: Port defines the port of the backend endpoint.
+ format: int32
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - address
+ - port
+ type: object
+ unix:
+ description: Unix defines the unix domain socket endpoint
+ properties:
+ path:
+ description: |-
+ Path defines the unix domain socket path of the backend endpoint.
+ The path length must not exceed 108 characters.
+ type: string
+ x-kubernetes-validations:
+ - message: unix domain socket path must not exceed 108 characters
+ rule: size(self) <= 108
+ required:
+ - path
+ type: object
+ zone:
+ description: Zone defines the service zone of the backend endpoint.
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: one of fqdn, ip or unix must be specified
+ rule: (has(self.fqdn) || has(self.ip) || has(self.unix))
+ - message: only one of fqdn, ip or unix can be specified
+ rule: ((has(self.fqdn) && !(has(self.ip) || has(self.unix))) ||
+ (has(self.ip) && !(has(self.fqdn) || has(self.unix))) || (has(self.unix)
+ && !(has(self.ip) || has(self.fqdn))))
+ maxItems: 256
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: fqdn addresses cannot be mixed with other address types
+ rule: self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn))
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ tls:
+ description: |-
+ TLS defines the TLS settings for the backend.
+ If TLS is specified here and a BackendTLSPolicy is also configured for the backend, the final TLS settings will
+ be a merge of both configurations. In case of overlapping fields, the values defined in the BackendTLSPolicy will
+ take precedence.
+ properties:
+ alpnProtocols:
+ description: |-
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener or used by the proxy to connect to the backend.
+ Defaults:
+ 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+ 2. Other Routes: ALPN is disabled.
+ 3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+ When an empty list is provided, the ALPN TLS extension is disabled.
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
+ items:
+ description: ALPNProtocol specifies the protocol to be negotiated
+ using ALPN
+ type: string
+ type: array
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to Kubernetes objects that
+ contain TLS certificates of the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the backend.
+
+ A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+ with the CA certificate in a key named `ca.crt` is currently supported.
+
+ If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+ specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+ not both.
+ items:
+ description: |-
+ LocalObjectReference identifies an API object within the namespace of the
+ referrer.
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example "HTTPRoute"
+ or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ type: array
+ ciphers:
+ description: |-
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ items:
+ type: string
+ type: array
+ clientCertificateRef:
+ description: |-
+ ClientCertificateRef defines the reference to a Kubernetes Secret that contains
+ the client certificate and private key for Envoy to use when connecting to
+ backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+ This secret should be located within the same namespace as the Envoy proxy resource that references it.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ ecdhCurves:
+ description: |-
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
+ items:
+ type: string
+ type: array
+ insecureSkipVerify:
+ default: false
+ description: |-
+ InsecureSkipVerify indicates whether the upstream's certificate verification
+ should be skipped. Defaults to "false".
+ type: boolean
+ maxVersion:
+ description: |-
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ minVersion:
+ description: |-
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ signatureAlgorithms:
+ description: |-
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
+ items:
+ type: string
+ type: array
+ sni:
+ description: |-
+ SNI is specifies the SNI value used when establishing an upstream TLS connection to the backend.
+
+ Envoy Gateway will use the HTTP host header value for SNI, when all resources referenced in BackendRefs are:
+ 1. Backend resources that do not set SNI, or
+ 2. Service/ServiceImport resources that do not have a BackendTLSPolicy attached to them
+
+ When a BackendTLSPolicy attaches to a Backend resource, the BackendTLSPolicy's Hostname value takes precedence
+ over this value.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ wellKnownCACertificates:
+ description: |-
+ WellKnownCACertificates specifies whether system CA certificates may be used in
+ the TLS handshake between the gateway and backend pod.
+
+ If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+ must be specified with at least one entry for a valid configuration. Only one of
+ CACertificateRefs or WellKnownCACertificates may be specified, not both.
+ enum:
+ - System
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: must not contain both CACertificateRefs and WellKnownCACertificates
+ rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")'
+ - message: must not contain either CACertificateRefs or WellKnownCACertificates
+ when InsecureSkipVerify is enabled
+ rule: '!((has(self.insecureSkipVerify) && self.insecureSkipVerify)
+ && ((has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0) || (has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")))'
+ - message: setting ciphers has no effect if the minimum possible TLS
+ version is 1.3
+ rule: 'has(self.minVersion) && self.minVersion == ''1.3'' ? !has(self.ciphers)
+ : true'
+ - message: minVersion must be smaller or equal to maxVersion
+ rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion]
+ <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : true'
+ type:
+ default: Endpoints
+ description: Type defines the type of the backend. Defaults to "Endpoints"
+ enum:
+ - Endpoints
+ - DynamicResolver
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: DynamicResolver type cannot have endpoints specified
+ rule: self.type != 'DynamicResolver' || !has(self.endpoints)
+ status:
+ description: Status defines the current status of Backend.
+ properties:
+ conditions:
+ description: Conditions describe the current conditions of the Backend.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
new file mode 100644
index 00000000..0e5b09c8
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -0,0 +1,2979 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: backendtrafficpolicies.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: BackendTrafficPolicy
+ listKind: BackendTrafficPolicyList
+ plural: backendtrafficpolicies
+ shortNames:
+ - btp
+ singular: backendtrafficpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ BackendTrafficPolicy allows the user to configure the behavior of the connection
+ between the Envoy Proxy listener and the backend service.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: spec defines the desired state of BackendTrafficPolicy.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that Envoy will
+ establish to the referenced backend defined within a xRoute
+ rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests that Envoy
+ will make to the referenced backend defined within a xRoute
+ rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries that Envoy
+ will make to the referenced backend defined within a xRoute
+ rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests that Envoy
+ will queue to the referenced backend defined within a xRoute
+ rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers that will apply
+ per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum number
+ of connections that Envoy will establish per-endpoint to
+ the referenced backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ compression:
+ description: |-
+ The compression config for the http streams.
+ Deprecated: Use Compressor instead.
+ items:
+ description: |-
+ Compression defines the config of enabling compression.
+ This can help reduce the bandwidth at the expense of higher CPU.
+ properties:
+ brotli:
+ description: The configuration for Brotli compressor.
+ type: object
+ gzip:
+ description: The configuration for GZIP compressor.
+ type: object
+ minContentLength:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ MinContentLength defines the minimum response size in bytes to apply compression.
+ Responses smaller than this threshold will not be compressed.
+ Must be at least 30 bytes as enforced by Envoy Proxy.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ Default: 30 bytes
+ x-kubernetes-int-or-string: true
+ type:
+ description: CompressorType defines the compressor type to use
+ for compression.
+ enum:
+ - Gzip
+ - Brotli
+ - Zstd
+ type: string
+ zstd:
+ description: The configuration for Zstd compressor.
+ type: object
+ required:
+ - type
+ type: object
+ type: array
+ compressor:
+ description: |-
+ The compressor config for the http streams.
+ This provides more granular control over compression configuration.
+ Order matters: The first compressor in the list is preferred when q-values in Accept-Encoding are equal.
+ items:
+ description: |-
+ Compression defines the config of enabling compression.
+ This can help reduce the bandwidth at the expense of higher CPU.
+ properties:
+ brotli:
+ description: The configuration for Brotli compressor.
+ type: object
+ gzip:
+ description: The configuration for GZIP compressor.
+ type: object
+ minContentLength:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ MinContentLength defines the minimum response size in bytes to apply compression.
+ Responses smaller than this threshold will not be compressed.
+ Must be at least 30 bytes as enforced by Envoy Proxy.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ Default: 30 bytes
+ x-kubernetes-int-or-string: true
+ type:
+ description: CompressorType defines the compressor type to use
+ for compression.
+ enum:
+ - Gzip
+ - Brotli
+ - Zstd
+ type: string
+ zstd:
+ description: The configuration for Zstd compressor.
+ type: object
+ required:
+ - type
+ type: object
+ type: array
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ faultInjection:
+ description: |-
+ FaultInjection defines the fault injection policy to be applied. This configuration can be used to
+ inject delays and abort requests to mimic failure scenarios such as service failures and overloads
+ properties:
+ abort:
+ description: If specified, the request will be aborted if it meets
+ the configuration criteria.
+ properties:
+ grpcStatus:
+ description: GrpcStatus specifies the GRPC status code to
+ be returned
+ format: int32
+ type: integer
+ httpStatus:
+ description: StatusCode specifies the HTTP status code to
+ be returned
+ format: int32
+ maximum: 600
+ minimum: 200
+ type: integer
+ percentage:
+ default: 100
+ description: Percentage specifies the percentage of requests
+ to be aborted. Default 100%, if set 0, no requests will
+ be aborted. Accuracy to 0.0001%.
+ type: number
+ type: object
+ x-kubernetes-validations:
+ - message: httpStatus and grpcStatus cannot be simultaneously
+ defined.
+ rule: ' !(has(self.httpStatus) && has(self.grpcStatus)) '
+ - message: httpStatus and grpcStatus are set at least one.
+ rule: ' has(self.httpStatus) || has(self.grpcStatus) '
+ delay:
+ description: If specified, a delay will be injected into the request.
+ properties:
+ fixedDelay:
+ description: FixedDelay specifies the fixed delay duration
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ percentage:
+ default: 100
+ description: Percentage specifies the percentage of requests
+ to be delayed. Default 100%, if set 0, no requests will
+ be delayed. Accuracy to 0.0001%.
+ type: number
+ required:
+ - fixedDelay
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: Delay and abort faults are set at least one.
+ rule: ' has(self.delay) || has(self.abort) '
+ healthCheck:
+ description: HealthCheck allows gateway to perform active health checking
+ on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number of healthy
+ health checks required before a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list of HTTP expected
+ responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field needs to
+ be set.
+ rule: 'self.type == ''Text'' ? has(self.text) : !has(self.text)'
+ - message: If payload type is Binary, binary field needs
+ to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary) :
+ !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that will be requested
+ during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time between active health
+ checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected response payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field needs to
+ be set.
+ rule: 'self.type == ''Text'' ? has(self.text) : !has(self.text)'
+ - message: If payload type is Binary, binary field needs
+ to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary) :
+ !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field needs to
+ be set.
+ rule: 'self.type == ''Text'' ? has(self.text) : !has(self.text)'
+ - message: If payload type is Binary, binary field needs
+ to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary) :
+ !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait for a health
+ check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number of unhealthy
+ health checks required before a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field needs to
+ be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) : !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field needs to be
+ set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health Checker
+ type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base duration for
+ which a host will be ejected on consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number of consecutive
+ 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors sets the number of consecutive
+ gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between passive health
+ checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum percentage
+ of hosts in a cluster that can be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables splitting
+ of errors between external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ httpUpgrade:
+ description: |-
+ HTTPUpgrade defines the configuration for HTTP protocol upgrades.
+ If not specified, the default upgrade configuration(websocket) will be used.
+ items:
+ description: ProtocolUpgradeConfig specifies the configuration for
+ protocol upgrades.
+ properties:
+ connect:
+ description: |-
+ Connect specifies the configuration for the CONNECT config.
+ This is allowed only when type is CONNECT.
+ properties:
+ terminate:
+ description: Terminate the CONNECT request, and forwards
+ the payload as raw TCP data.
+ type: boolean
+ type: object
+ type:
+ description: |-
+ Type is the case-insensitive type of protocol upgrade.
+ e.g. `websocket`, `CONNECT`, `spdy/3.1` etc.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: The connect configuration is only allowed when the type
+ is CONNECT.
+ rule: '!has(self.connect) || self.type == ''CONNECT'''
+ type: array
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash policy when
+ the consistent hash type is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set for the generated
+ cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the header hash policy for
+ each header, when the consistent hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures the query parameter hash
+ policy when the consistent hash type is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query param to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing, must be
+ prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the header field
+ must be set.
+ rule: 'self.type == ''Header'' ? has(self.header) : !has(self.header)'
+ - message: If consistent hash type is headers, the headers field
+ must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers) : !has(self.headers)'
+ - message: If consistent hash type is cookie, the cookie field
+ must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie) : !has(self.cookie)'
+ - message: If consistent hash type is queryParams, the queryParams
+ field must be set.
+ rule: 'self.type == ''QueryParams'' ? has(self.queryParams)
+ : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to extract endpoint
+ override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines a source
+ to extract endpoint override information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related to the
+ distribution of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware routing
+ to prefer sending traffic to the local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the minimum number
+ of total upstream endpoints across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage of requests that will
+ be considered for zone aware routing if zone aware routing
+ is configured. If not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin and
+ LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash''] ? !has(self.slowStart)
+ : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware) :
+ true '
+ mergeType:
+ description: |-
+ MergeType determines how this configuration is merged with existing BackendTrafficPolicy
+ configurations targeting a parent resource. When set, this configuration will be merged
+ into a parent BackendTrafficPolicy (i.e. the one targeting a Gateway or Listener).
+ This field cannot be set when targeting a parent resource (Gateway).
+ If unset, no merging occurs, and only the most specific configuration takes effect.
+ type: string
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol when communicating
+ with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ rateLimit:
+ description: |-
+ RateLimit allows the user to limit the number of incoming requests
+ to a predefined value based on attributes within the traffic flow.
+ properties:
+ global:
+ description: Global defines global rate limit configuration.
+ properties:
+ rules:
+ description: |-
+ Rules are a list of RateLimit selectors and limits. Each rule and its
+ associated limit is applied in a mutually exclusive way. If a request
+ matches multiple rules, each of their associated limits get applied, so a
+ single request might increase the rate limit counters for multiple rules
+ if selected. The rate limit service will return a logical OR of the individual
+ rate limit decisions of all matching rules. For example, if a request
+ matches two rules, one rate limited and one not, the final decision will be
+ to rate limit the request.
+ items:
+ description: |-
+ RateLimitRule defines the semantics for matching attributes
+ from the incoming requests, and setting limits for them.
+ properties:
+ clientSelectors:
+ description: |-
+ ClientSelectors holds the list of select conditions to select
+ specific clients using attributes from the traffic flow.
+ All individual select conditions must hold True for this rule
+ and its limit to be applied.
+
+ If no client selectors are specified, the rule applies to all traffic of
+ the targeted Route.
+
+ If the policy targets a Gateway, the rule applies to each Route of the Gateway.
+ Please note that each Route has its own rate limit counters. For example,
+ if a Gateway has two Routes, and the policy has a rule with limit 10rps,
+ each Route will have its own 10rps limit.
+ items:
+ description: |-
+ RateLimitSelectCondition specifies the attributes within the traffic flow that can
+ be used to select a subset of clients to be ratelimited.
+ All the individual conditions must hold True for the overall condition to hold True.
+ And, at least one of headers or methods or path or sourceCIDR or queryParams condition must be specified.
+ properties:
+ headers:
+ description: |-
+ Headers is a list of request headers to match. Multiple header values are ANDed together,
+ meaning, a request MUST match all the specified headers.
+ items:
+ description: HeaderMatch defines the match attributes
+ within the HTTP Headers of the request.
+ properties:
+ invert:
+ default: false
+ description: |-
+ Invert specifies whether the value match result will be inverted.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
+ type: boolean
+ name:
+ description: |-
+ Name of the HTTP header.
+ The header name is case-insensitive unless PreserveHeaderCase is set to true.
+ For example, "Foo" and "foo" are considered the same header.
+ maxLength: 256
+ minLength: 1
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match
+ against the value of the header.
+ enum:
+ - Exact
+ - RegularExpression
+ - Distinct
+ type: string
+ value:
+ description: |-
+ Value within the HTTP header.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
+ maxLength: 1024
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 16
+ type: array
+ methods:
+ description: |-
+ Methods is a list of request methods to match. Multiple method values are ORed together,
+ meaning, a request can match any one of the specified methods. If not specified, it matches all methods.
+ items:
+ description: MethodMatch defines the matching
+ criteria for the HTTP method of a request.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ value:
+ description: Value specifies the HTTP method.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ path:
+ description: |-
+ Path is the request path to match.
+ Support Exact, PathPrefix and RegularExpression match types.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ type:
+ default: PathPrefix
+ description: Type specifies how to match against
+ the value of the path.
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value specifies the HTTP path.
+ maxLength: 1024
+ type: string
+ required:
+ - value
+ type: object
+ queryParams:
+ description: |-
+ QueryParams is a list of query parameters to match. Multiple query parameter values are ANDed together,
+ meaning, a request MUST match all the specified query parameters.
+ items:
+ description: QueryParamMatch defines the match
+ attributes within the query parameters of
+ the request.
+ properties:
+ invert:
+ default: false
+ description: |-
+ Invert specifies whether the value match result will be inverted.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the query parameter.
+ type: boolean
+ name:
+ description: Name of the query parameter.
+ maxLength: 256
+ minLength: 1
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match
+ against the value of the query parameter.
+ enum:
+ - Exact
+ - RegularExpression
+ - Distinct
+ type: string
+ value:
+ description: |-
+ Value of the query parameter.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the query parameter.
+ maxLength: 1024
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 16
+ type: array
+ sourceCIDR:
+ description: SourceCIDR is the client IP Address
+ range to match on.
+ properties:
+ type:
+ default: Exact
+ enum:
+ - Exact
+ - Distinct
+ type: string
+ value:
+ description: |-
+ Value is the IP CIDR that represents the range of Source IP Addresses of the client.
+ These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
+ For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
+ maxLength: 256
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: at least one of headers, methods, path,
+ sourceCIDR or queryParams must be specified
+ rule: has(self.headers) || has(self.methods) ||
+ has(self.path) || has(self.sourceCIDR) || has(self.queryParams)
+ maxItems: 8
+ type: array
+ cost:
+ description: |-
+ Cost specifies the cost of requests and responses for the rule.
+
+ This is optional and if not specified, the default behavior is to reduce the rate limit counters by 1 on
+ the request path and do not reduce the rate limit counters on the response path.
+ properties:
+ request:
+ description: |-
+ Request specifies the number to reduce the rate limit counters
+ on the request path. If this is not specified, the default behavior
+ is to reduce the rate limit counters by 1.
+
+ When Envoy receives a request that matches the rule, it tries to reduce the
+ rate limit counters by the specified number. If the counter doesn't have
+ enough capacity, the request is rate limited.
+ properties:
+ from:
+ description: From specifies where to get the
+ rate limit cost. Currently, only "Number"
+ and "Metadata" are supported.
+ enum:
+ - Number
+ - Metadata
+ type: string
+ metadata:
+ description: Metadata specifies the per-request
+ metadata to retrieve the usage number from.
+ properties:
+ key:
+ description: Key is the key to retrieve
+ the usage number from the filter metadata.
+ type: string
+ namespace:
+ description: Namespace is the namespace
+ of the dynamic metadata.
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ number:
+ description: |-
+ Number specifies the fixed usage number to reduce the rate limit counters.
+ Using zero can be used to only check the rate limit counters without reducing them.
+ format: int64
+ type: integer
+ required:
+ - from
+ type: object
+ x-kubernetes-validations:
+ - message: only one of number or metadata can be
+ specified
+ rule: '!(has(self.number) && has(self.metadata))'
+ response:
+ description: |-
+ Response specifies the number to reduce the rate limit counters
+ after the response is sent back to the client or the request stream is closed.
+
+ The cost is used to reduce the rate limit counters for the matching requests.
+ Since the reduction happens after the request stream is complete, the rate limit
+ won't be enforced for the current request, but for the subsequent matching requests.
+
+ This is optional and if not specified, the rate limit counters are not reduced
+ on the response path.
+
+ Currently, this is only supported for HTTP Global Rate Limits.
+ properties:
+ from:
+ description: From specifies where to get the
+ rate limit cost. Currently, only "Number"
+ and "Metadata" are supported.
+ enum:
+ - Number
+ - Metadata
+ type: string
+ metadata:
+ description: Metadata specifies the per-request
+ metadata to retrieve the usage number from.
+ properties:
+ key:
+ description: Key is the key to retrieve
+ the usage number from the filter metadata.
+ type: string
+ namespace:
+ description: Namespace is the namespace
+ of the dynamic metadata.
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ number:
+ description: |-
+ Number specifies the fixed usage number to reduce the rate limit counters.
+ Using zero can be used to only check the rate limit counters without reducing them.
+ format: int64
+ type: integer
+ required:
+ - from
+ type: object
+ x-kubernetes-validations:
+ - message: only one of number or metadata can be
+ specified
+ rule: '!(has(self.number) && has(self.metadata))'
+ type: object
+ limit:
+ description: |-
+ Limit holds the rate limit values.
+ This limit is applied for traffic flows when the selectors
+ compute to True, causing the request to be counted towards the limit.
+ The limit is enforced and the request is ratelimited, i.e. a response with
+ 429 HTTP status code is sent back to the client when
+ the selected requests have reached the limit.
+ properties:
+ requests:
+ type: integer
+ unit:
+ description: |-
+ RateLimitUnit specifies the intervals for setting rate limits.
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year".
+ enum:
+ - Second
+ - Minute
+ - Hour
+ - Day
+ - Month
+ - Year
+ type: string
+ required:
+ - requests
+ - unit
+ type: object
+ shadowMode:
+ description: |-
+ ShadowMode indicates whether this rate-limit rule runs in shadow mode.
+ When enabled, all rate-limiting operations are performed (cache lookups,
+ counter updates, telemetry generation), but the outcome is never enforced.
+ The request always succeeds, even if the configured limit is exceeded.
+
+ Only supported for Global Rate Limits.
+ type: boolean
+ shared:
+ description: |-
+ Shared determines whether this rate limit rule applies across all the policy targets.
+ If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes).
+ Default: false.
+ type: boolean
+ required:
+ - limit
+ type: object
+ maxItems: 128
+ type: array
+ required:
+ - rules
+ type: object
+ local:
+ description: Local defines local rate limit configuration.
+ properties:
+ rules:
+ description: |-
+ Rules are a list of RateLimit selectors and limits. If a request matches
+ multiple rules, the strictest limit is applied. For example, if a request
+ matches two rules, one with 10rps and one with 20rps, the final limit will
+ be based on the rule with 10rps.
+ items:
+ description: |-
+ RateLimitRule defines the semantics for matching attributes
+ from the incoming requests, and setting limits for them.
+ properties:
+ clientSelectors:
+ description: |-
+ ClientSelectors holds the list of select conditions to select
+ specific clients using attributes from the traffic flow.
+ All individual select conditions must hold True for this rule
+ and its limit to be applied.
+
+ If no client selectors are specified, the rule applies to all traffic of
+ the targeted Route.
+
+ If the policy targets a Gateway, the rule applies to each Route of the Gateway.
+ Please note that each Route has its own rate limit counters. For example,
+ if a Gateway has two Routes, and the policy has a rule with limit 10rps,
+ each Route will have its own 10rps limit.
+ items:
+ description: |-
+ RateLimitSelectCondition specifies the attributes within the traffic flow that can
+ be used to select a subset of clients to be ratelimited.
+ All the individual conditions must hold True for the overall condition to hold True.
+ And, at least one of headers or methods or path or sourceCIDR or queryParams condition must be specified.
+ properties:
+ headers:
+ description: |-
+ Headers is a list of request headers to match. Multiple header values are ANDed together,
+ meaning, a request MUST match all the specified headers.
+ items:
+ description: HeaderMatch defines the match attributes
+ within the HTTP Headers of the request.
+ properties:
+ invert:
+ default: false
+ description: |-
+ Invert specifies whether the value match result will be inverted.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
+ type: boolean
+ name:
+ description: |-
+ Name of the HTTP header.
+ The header name is case-insensitive unless PreserveHeaderCase is set to true.
+ For example, "Foo" and "foo" are considered the same header.
+ maxLength: 256
+ minLength: 1
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match
+ against the value of the header.
+ enum:
+ - Exact
+ - RegularExpression
+ - Distinct
+ type: string
+ value:
+ description: |-
+ Value within the HTTP header.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
+ maxLength: 1024
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 16
+ type: array
+ methods:
+ description: |-
+ Methods is a list of request methods to match. Multiple method values are ORed together,
+ meaning, a request can match any one of the specified methods. If not specified, it matches all methods.
+ items:
+ description: MethodMatch defines the matching
+ criteria for the HTTP method of a request.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ value:
+ description: Value specifies the HTTP method.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ path:
+ description: |-
+ Path is the request path to match.
+ Support Exact, PathPrefix and RegularExpression match types.
+ properties:
+ invert:
+ default: false
+ description: Invert specifies whether the
+ value match result will be inverted.
+ type: boolean
+ type:
+ default: PathPrefix
+ description: Type specifies how to match against
+ the value of the path.
+ enum:
+ - Exact
+ - PathPrefix
+ - RegularExpression
+ type: string
+ value:
+ default: /
+ description: Value specifies the HTTP path.
+ maxLength: 1024
+ type: string
+ required:
+ - value
+ type: object
+ queryParams:
+ description: |-
+ QueryParams is a list of query parameters to match. Multiple query parameter values are ANDed together,
+ meaning, a request MUST match all the specified query parameters.
+ items:
+ description: QueryParamMatch defines the match
+ attributes within the query parameters of
+ the request.
+ properties:
+ invert:
+ default: false
+ description: |-
+ Invert specifies whether the value match result will be inverted.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the query parameter.
+ type: boolean
+ name:
+ description: Name of the query parameter.
+ maxLength: 256
+ minLength: 1
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match
+ against the value of the query parameter.
+ enum:
+ - Exact
+ - RegularExpression
+ - Distinct
+ type: string
+ value:
+ description: |-
+ Value of the query parameter.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the query parameter.
+ maxLength: 1024
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 16
+ type: array
+ sourceCIDR:
+ description: SourceCIDR is the client IP Address
+ range to match on.
+ properties:
+ type:
+ default: Exact
+ enum:
+ - Exact
+ - Distinct
+ type: string
+ value:
+ description: |-
+ Value is the IP CIDR that represents the range of Source IP Addresses of the client.
+ These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
+ For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
+ maxLength: 256
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: at least one of headers, methods, path,
+ sourceCIDR or queryParams must be specified
+ rule: has(self.headers) || has(self.methods) ||
+ has(self.path) || has(self.sourceCIDR) || has(self.queryParams)
+ maxItems: 8
+ type: array
+ cost:
+ description: |-
+ Cost specifies the cost of requests and responses for the rule.
+
+ This is optional and if not specified, the default behavior is to reduce the rate limit counters by 1 on
+ the request path and do not reduce the rate limit counters on the response path.
+ properties:
+ request:
+ description: |-
+ Request specifies the number to reduce the rate limit counters
+ on the request path. If this is not specified, the default behavior
+ is to reduce the rate limit counters by 1.
+
+ When Envoy receives a request that matches the rule, it tries to reduce the
+ rate limit counters by the specified number. If the counter doesn't have
+ enough capacity, the request is rate limited.
+ properties:
+ from:
+ description: From specifies where to get the
+ rate limit cost. Currently, only "Number"
+ and "Metadata" are supported.
+ enum:
+ - Number
+ - Metadata
+ type: string
+ metadata:
+ description: Metadata specifies the per-request
+ metadata to retrieve the usage number from.
+ properties:
+ key:
+ description: Key is the key to retrieve
+ the usage number from the filter metadata.
+ type: string
+ namespace:
+ description: Namespace is the namespace
+ of the dynamic metadata.
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ number:
+ description: |-
+ Number specifies the fixed usage number to reduce the rate limit counters.
+ Using zero can be used to only check the rate limit counters without reducing them.
+ format: int64
+ type: integer
+ required:
+ - from
+ type: object
+ x-kubernetes-validations:
+ - message: only one of number or metadata can be
+ specified
+ rule: '!(has(self.number) && has(self.metadata))'
+ response:
+ description: |-
+ Response specifies the number to reduce the rate limit counters
+ after the response is sent back to the client or the request stream is closed.
+
+ The cost is used to reduce the rate limit counters for the matching requests.
+ Since the reduction happens after the request stream is complete, the rate limit
+ won't be enforced for the current request, but for the subsequent matching requests.
+
+ This is optional and if not specified, the rate limit counters are not reduced
+ on the response path.
+
+ Currently, this is only supported for HTTP Global Rate Limits.
+ properties:
+ from:
+ description: From specifies where to get the
+ rate limit cost. Currently, only "Number"
+ and "Metadata" are supported.
+ enum:
+ - Number
+ - Metadata
+ type: string
+ metadata:
+ description: Metadata specifies the per-request
+ metadata to retrieve the usage number from.
+ properties:
+ key:
+ description: Key is the key to retrieve
+ the usage number from the filter metadata.
+ type: string
+ namespace:
+ description: Namespace is the namespace
+ of the dynamic metadata.
+ type: string
+ required:
+ - key
+ - namespace
+ type: object
+ number:
+ description: |-
+ Number specifies the fixed usage number to reduce the rate limit counters.
+ Using zero can be used to only check the rate limit counters without reducing them.
+ format: int64
+ type: integer
+ required:
+ - from
+ type: object
+ x-kubernetes-validations:
+ - message: only one of number or metadata can be
+ specified
+ rule: '!(has(self.number) && has(self.metadata))'
+ type: object
+ limit:
+ description: |-
+ Limit holds the rate limit values.
+ This limit is applied for traffic flows when the selectors
+ compute to True, causing the request to be counted towards the limit.
+ The limit is enforced and the request is ratelimited, i.e. a response with
+ 429 HTTP status code is sent back to the client when
+ the selected requests have reached the limit.
+ properties:
+ requests:
+ type: integer
+ unit:
+ description: |-
+ RateLimitUnit specifies the intervals for setting rate limits.
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year".
+ enum:
+ - Second
+ - Minute
+ - Hour
+ - Day
+ - Month
+ - Year
+ type: string
+ required:
+ - requests
+ - unit
+ type: object
+ shadowMode:
+ description: |-
+ ShadowMode indicates whether this rate-limit rule runs in shadow mode.
+ When enabled, all rate-limiting operations are performed (cache lookups,
+ counter updates, telemetry generation), but the outcome is never enforced.
+ The request always succeeds, even if the configured limit is exceeded.
+
+ Only supported for Global Rate Limits.
+ type: boolean
+ shared:
+ description: |-
+ Shared determines whether this rate limit rule applies across all the policy targets.
+ If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes).
+ Default: false.
+ type: boolean
+ required:
+ - limit
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-validations:
+ - message: response cost is not supported for Local Rate Limits
+ rule: self.all(foo, !has(foo.cost) || !has(foo.cost.response))
+ - message: shadow mode is not supported for Local Rate Limits
+ rule: self.all(foo, !has(foo.shadowMode))
+ type: object
+ type:
+ description: |-
+ Type decides the scope for the RateLimits.
+ Valid RateLimitType values are "Global" or "Local".
+
+ Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting.
+ enum:
+ - Global
+ - Local
+ type: string
+ type: object
+ requestBuffer:
+ description: |-
+ RequestBuffer allows the gateway to buffer and fully receive each request from a client before continuing to send the request
+ upstream to the backends. This can be helpful to shield your backend servers from slow clients, and also to enforce a maximum size per request
+ as any requests larger than the buffer size will be rejected.
+
+ This can have a negative performance impact so should only be enabled when necessary.
+
+ When enabling this option, you should also configure your connection buffer size to account for these request buffers. There will also be an
+ increase in memory usage for Envoy that should be accounted for in your deployment settings.
+ properties:
+ limit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Limit specifies the maximum allowed size in bytes for each incoming request buffer.
+ If exceeded, the request will be rejected with HTTP 413 Content Too Large.
+
+ Accepts values in resource.Quantity format (e.g., "10Mi", "500Ki").
+ x-kubernetes-int-or-string: true
+ type: object
+ responseOverride:
+ description: |-
+ ResponseOverride defines the configuration to override specific responses with a custom one.
+ If multiple configurations are specified, the first one to match wins.
+ items:
+ description: ResponseOverride defines the configuration to override
+ specific responses with a custom one.
+ properties:
+ match:
+ description: Match configuration.
+ properties:
+ statusCodes:
+ description: Status code to match on. The match evaluates
+ to true if any of the matches are successful.
+ items:
+ description: StatusCodeMatch defines the configuration
+ for matching a status code.
+ properties:
+ range:
+ description: Range contains the range of status codes.
+ properties:
+ end:
+ description: End of the range, including the end
+ value.
+ type: integer
+ start:
+ description: Start of the range, including the
+ start value.
+ type: integer
+ required:
+ - end
+ - start
+ type: object
+ x-kubernetes-validations:
+ - message: end must be greater than start
+ rule: self.end > self.start
+ type:
+ allOf:
+ - enum:
+ - Value
+ - Range
+ - enum:
+ - Value
+ - Range
+ default: Value
+ description: |-
+ Type is the type of value.
+ Valid values are Value and Range, default is Value.
+ type: string
+ value:
+ description: Value contains the value of the status
+ code.
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: value must be set for type Value
+ rule: '(!has(self.type) || self.type == ''Value'')?
+ has(self.value) : true'
+ - message: range must be set for type Range
+ rule: '(has(self.type) && self.type == ''Range'')? has(self.range)
+ : true'
+ maxItems: 50
+ minItems: 1
+ type: array
+ required:
+ - statusCodes
+ type: object
+ redirect:
+ description: Redirect configuration
+ properties:
+ hostname:
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ path:
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+ Only ReplaceFullPath path modifier is supported currently.
+ properties:
+ replaceFullPath:
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
+ maxLength: 1024
+ type: string
+ replacePrefixMatch:
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
+ maxLength: 1024
+ type: string
+ type:
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - ReplaceFullPath
+ - ReplacePrefixMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: only ReplaceFullPath is supported for path.type
+ rule: self.type == 'ReplaceFullPath'
+ - message: replaceFullPath must be specified when type is
+ set to 'ReplaceFullPath'
+ rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath)
+ : true'
+ - message: type must be 'ReplaceFullPath' when replaceFullPath
+ is set
+ rule: 'has(self.replaceFullPath) ? self.type == ''ReplaceFullPath''
+ : true'
+ - message: replacePrefixMatch must be specified when type
+ is set to 'ReplacePrefixMatch'
+ rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch)
+ : true'
+ - message: type must be 'ReplacePrefixMatch' when replacePrefixMatch
+ is set
+ rule: 'has(self.replacePrefixMatch) ? self.type == ''ReplacePrefixMatch''
+ : true'
+ port:
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If redirect scheme is not-empty, the well-known port associated with the redirect scheme will be used.
+ Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a
+ well-known port or redirect scheme is empty, the listener port of the Gateway will be used.
+
+ Port will not be added in the 'Location' header if scheme is HTTP and port is 80
+ or scheme is HTTPS and port is 443.
+ format: int32
+ type: integer
+ scheme:
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+ enum:
+ - http
+ - https
+ type: string
+ statusCode:
+ default: 302
+ description: StatusCode is the HTTP status code to be used
+ in response.
+ enum:
+ - 301
+ - 302
+ type: integer
+ type: object
+ response:
+ description: Response configuration.
+ properties:
+ body:
+ description: |-
+ Body of the Custom Response
+ Supports Envoy command operators for dynamic content (see https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators).
+ properties:
+ inline:
+ description: Inline contains the value as an inline
+ string.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Inline
+ - ValueRef
+ - enum:
+ - Inline
+ - ValueRef
+ default: Inline
+ description: |-
+ Type is the type of method to use to read the body value.
+ Valid values are Inline and ValueRef, default is Inline.
+ type: string
+ valueRef:
+ description: |-
+ ValueRef contains the contents of the body
+ specified as a local object reference.
+ Only a reference to ConfigMap is supported.
+
+ The value of key `response.body` in the ConfigMap will be used as the response body.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: inline must be set for type Inline
+ rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline)
+ : true'
+ - message: valueRef must be set for type ValueRef
+ rule: '(has(self.type) && self.type == ''ValueRef'')?
+ has(self.valueRef) : true'
+ - message: only ConfigMap is supported for ValueRef
+ rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap''
+ : true'
+ contentType:
+ description: Content Type of the response. This will be
+ set in the Content-Type header.
+ type: string
+ header:
+ description: |-
+ Header defines headers to add, set or remove from the response.
+ This allows the response policy to append, add or override headers
+ of the final response before it is sent to a downstream client.
+ Note: Header removal is not supported for responseOverride.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ x-kubernetes-validations:
+ - message: Remove is not supported for header in CustomResponse
+ rule: '!has(self.remove) || size(self.remove) == 0'
+ statusCode:
+ description: |-
+ Status Code of the Custom Response
+ If unset, does not override the status of response.
+ type: integer
+ type: object
+ required:
+ - match
+ type: object
+ x-kubernetes-validations:
+ - message: exactly one of response or redirect must be specified
+ rule: (has(self.response) && !has(self.redirect)) || (!has(self.response)
+ && has(self.redirect))
+ type: array
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to be attempted.
+ Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied per retry
+ attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval between
+ retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions that trigger
+ retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ routingType:
+ description: |-
+ RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
+ or it can be set to "Endpoint" to use Endpoint routing.
+ When specified, this overrides the EnvoyProxy-level setting for the relevant targeRefs.
+ If not specified, the EnvoyProxy-level setting is used.
+ type: string
+ targetRef:
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ telemetry:
+ description: |-
+ Telemetry configures the telemetry settings for the policy target (Gateway or xRoute).
+ This will override the telemetry settings in the EnvoyProxy resource.
+ properties:
+ metrics:
+ description: Metrics defines metrics configuration for the backend
+ or Route.
+ properties:
+ routeStatName:
+ description: |-
+ RouteStatName defines the value of the Route stat_prefix, determining how the route stats are named.
+ For more details, see envoy docs: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-route
+ The supported operators for this pattern are:
+ %ROUTE_NAME%: name of Gateway API xRoute resource
+ %ROUTE_NAMESPACE%: namespace of Gateway API xRoute resource
+ %ROUTE_KIND%: kind of Gateway API xRoute resource
+ Example: %ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME% => httproute/my-ns/my-route
+ Disabled by default.
+ type: string
+ type: object
+ tracing:
+ description: |-
+ Tracing configures the tracing settings for the backend or HTTPRoute.
+
+ This takes precedence over EnvoyProxy tracing when set.
+ properties:
+ customTags:
+ additionalProperties:
+ properties:
+ environment:
+ description: |-
+ Environment adds value from environment variable to each span.
+ It's required when the type is "Environment".
+ properties:
+ defaultValue:
+ description: DefaultValue defines the default value
+ to use if the environment variable is not set.
+ type: string
+ name:
+ description: Name defines the name of the environment
+ variable which to extract the value from.
+ type: string
+ required:
+ - name
+ type: object
+ literal:
+ description: |-
+ Literal adds hard-coded value to each span.
+ It's required when the type is "Literal".
+ properties:
+ value:
+ description: Value defines the hard-coded value
+ to add to each span.
+ type: string
+ required:
+ - value
+ type: object
+ requestHeader:
+ description: |-
+ RequestHeader adds value from request header to each span.
+ It's required when the type is "RequestHeader".
+ properties:
+ defaultValue:
+ description: DefaultValue defines the default value
+ to use if the request header is not set.
+ type: string
+ name:
+ description: Name defines the name of the request
+ header which to extract the value from.
+ type: string
+ required:
+ - name
+ type: object
+ type:
+ default: Literal
+ description: Type defines the type of custom tag.
+ enum:
+ - Literal
+ - Environment
+ - RequestHeader
+ type: string
+ required:
+ - type
+ type: object
+ description: |-
+ CustomTags defines the custom tags to add to each span.
+ If provider is kubernetes, pod name and namespace are added by default.
+
+ Deprecated: Use Tags instead.
+ type: object
+ samplingFraction:
+ description: |-
+ SamplingFraction represents the fraction of requests that should be
+ selected for tracing if no prior sampling decision has been made.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to denominator
+ rule: self.numerator <= self.denominator
+ spanName:
+ description: |-
+ SpanName defines the name of the span which will be used for tracing.
+ Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the value.
+ The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information.
+
+ If not set, the span name is provider specific.
+ e.g. Datadog use `ingress` as the default client span name,
+ and `router egress` as the server span name.
+ properties:
+ client:
+ description: Client defines operation name of the span
+ which will be used for tracing.
+ type: string
+ server:
+ description: Server defines the operation name of the
+ upstream span which will be used for tracing.
+ type: string
+ required:
+ - client
+ - server
+ type: object
+ tags:
+ additionalProperties:
+ type: string
+ description: |-
+ Tags defines the custom tags to add to each span.
+ Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the value.
+ The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information.
+ If provider is kubernetes, pod name and namespace are added by default.
+
+ Same keys take precedence over CustomTags.
+ type: object
+ type: object
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until which entire
+ response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ useClientProtocol:
+ description: |-
+ UseClientProtocol configures Envoy to prefer sending requests to backends using
+ the same HTTP protocol that the incoming request used. Defaults to false, which means
+ that Envoy will use the protocol indicated by the attached BackendRef.
+ type: boolean
+ type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true '
+ - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
+ ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''] : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true '
+ - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
+ ''HTTPRoute'', ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''])
+ : true '
+ - message: either compression or compressor can be set, not both
+ rule: '!has(self.compression) || !has(self.compressor)'
+ - message: predictivePercent in preconnect policy only works with RoundRobin
+ or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect) &&
+ has(self.connection.preconnect.predictivePercent)) && !(has(self.loadBalancer)
+ && has(self.loadBalancer.type) && self.loadBalancer.type in [''Random'',
+ ''RoundRobin'']))'
+ status:
+ description: status defines the current status of BackendTrafficPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - conditions
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
new file mode 100644
index 00000000..970e383a
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -0,0 +1,1909 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: clienttrafficpolicies.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: ClientTrafficPolicy
+ listKind: ClientTrafficPolicyList
+ plural: clienttrafficpolicies
+ shortNames:
+ - ctp
+ singular: clienttrafficpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ClientTrafficPolicy allows the user to configure the behavior of the connection
+ between the downstream client and Envoy Proxy listener.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of ClientTrafficPolicy.
+ properties:
+ clientIPDetection:
+ description: ClientIPDetectionSettings provides configuration for
+ determining the original client IP address for requests.
+ properties:
+ customHeader:
+ description: |-
+ CustomHeader provides configuration for determining the client IP address for a request based on
+ a trusted custom HTTP header. This uses the custom_header original IP detection extension.
+ Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+ for more details.
+ properties:
+ failClosed:
+ description: |-
+ FailClosed is a switch used to control the flow of traffic when client IP detection
+ fails. If set to true, the listener will respond with 403 Forbidden when the client
+ IP address cannot be determined.
+ type: boolean
+ name:
+ description: Name of the header containing the original downstream
+ remote address, if present.
+ maxLength: 255
+ minLength: 1
+ pattern: ^[A-Za-z0-9-]+$
+ type: string
+ required:
+ - name
+ type: object
+ xForwardedFor:
+ description: XForwardedForSettings provides configuration for
+ using X-Forwarded-For headers for determining the client IP
+ address.
+ properties:
+ numTrustedHops:
+ description: |-
+ NumTrustedHops specifies how many trusted hops to count from the rightmost side of
+ the X-Forwarded-For (XFF) header when determining the original client’s IP address.
+
+ If NumTrustedHops is set to N, the client IP is taken from the Nth address from the
+ right end of the XFF header.
+
+ Example:
+ XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
+ NumTrustedHops = 2
+ → Trusted client address = 203.0.113.10
+
+ Only one of NumTrustedHops or TrustedCIDRs should be configured.
+ format: int32
+ type: integer
+ trustedCIDRs:
+ description: |-
+ TrustedCIDRs is a list of CIDR ranges to trust when evaluating
+ the remote IP address to determine the original client’s IP address.
+ When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent,
+ each entry in the x-forwarded-for header is evaluated from right to left
+ and the first public non-trusted address is used as the original client address.
+ If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used.
+ Only one of NumTrustedHops and TrustedCIDRs must be set.
+ items:
+ description: |-
+ CIDR defines a CIDR Address range.
+ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+ pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: only one of numTrustedHops or trustedCIDRs must be
+ set
+ rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs))
+ || (!has(self.numTrustedHops) && has(self.trustedCIDRs))
+ type: object
+ x-kubernetes-validations:
+ - message: customHeader cannot be used in conjunction with xForwardedFor
+ rule: '!(has(self.xForwardedFor) && has(self.customHeader))'
+ connection:
+ description: Connection includes client connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ Default: 32768 bytes.
+ x-kubernetes-int-or-string: true
+ connectionLimit:
+ description: ConnectionLimit defines limits related to connections
+ properties:
+ closeDelay:
+ description: |-
+ CloseDelay defines the delay to use before closing connections that are rejected
+ once the limit value is reached.
+ Default: none.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ MaxConnectionDuration is the maximum amount of time a connection can remain established
+ (usually via TCP/HTTP Keepalive packets) before being drained and/or closed.
+ If not specified, there is no limit.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxRequestsPerConnection:
+ description: |-
+ MaxRequestsPerConnection defines the maximum number of requests allowed over a single connection.
+ If not specified, there is no limit. Setting this parameter to 1 will effectively disable keep alive.
+ format: int32
+ type: integer
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum amount of time to keep alive an http stream. When the limit is reached
+ the stream will be reset independent of any other timeouts. If not specified, no value is set.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ value:
+ description: |-
+ Value of the maximum concurrent connections limit.
+ When the limit is reached, incoming connections will be closed after the CloseDelay duration.
+ format: int64
+ minimum: 1
+ type: integer
+ type: object
+ x-kubernetes-validations:
+ - message: closeDelay can only be configured when value is set
+ rule: '!has(self.closeDelay) || has(self.value)'
+ maxAcceptPerSocketEvent:
+ default: 1
+ description: |-
+ MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
+ per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
+ this threshold will be accepted in later event loop iterations.
+ Defaults to 1 and can be disabled by setting to 0 for allowing unlimited accepted connections.
+ format: int32
+ type: integer
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each incoming socket.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ enableProxyProtocol:
+ description: |-
+ EnableProxyProtocol interprets the ProxyProtocol header and adds the
+ Client Address into the X-Forwarded-For header.
+ Note Proxy Protocol must be present when this field is set, else the connection
+ is closed.
+
+ Deprecated: Use ProxyProtocol instead.
+ type: boolean
+ headers:
+ description: HeaderSettings provides configuration for header management.
+ properties:
+ disableRateLimitHeaders:
+ description: |-
+ DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
+ when rate limiting is enabled.
+ type: boolean
+ earlyRequestHeaders:
+ description: |-
+ EarlyRequestHeaders defines settings for early request header modification, before envoy performs
+ routing, tracing and built-in header manipulation.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ addIfAbsent:
+ description: |-
+ AddIfAbsent adds the given header(s) (name, value) to the request/response
+ only if the header does not already exist. Unlike Add which appends to
+ existing values, this is a no-op if the header is already present.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ addIfAbsent:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ removeOnMatch:
+ description: |-
+ RemoveOnMatch removes headers whose names match the specified string matchers.
+ Matching is performed on the header name (case-insensitive).
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that the
+ match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ enableEnvoyHeaders:
+ description: |-
+ EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
+ and responses.
+ type: boolean
+ lateResponseHeaders:
+ description: LateResponseHeaders defines settings for global response
+ header modification.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ addIfAbsent:
+ description: |-
+ AddIfAbsent adds the given header(s) (name, value) to the request/response
+ only if the header does not already exist. Unlike Add which appends to
+ existing values, this is a no-op if the header is already present.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ addIfAbsent:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-type: set
+ removeOnMatch:
+ description: |-
+ RemoveOnMatch removes headers whose names match the specified string matchers.
+ Matching is performed on the header name (case-insensitive).
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that the
+ match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 64
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ preserveXRequestID:
+ description: |-
+ PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
+ (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
+ Defaults to false and cannot be combined with RequestID.
+ Deprecated: use RequestID=PreserveOrGenerate instead
+ type: boolean
+ requestID:
+ description: |-
+ RequestID configures Envoy's behavior for handling the `X-Request-ID` header.
+ When omitted default behavior is `Generate` which builds the `X-Request-ID` for every request
+ and ignores pre-existing values from the edge.
+ (An "edge request" refers to a request from an external client to the Envoy entrypoint.)
+ enum:
+ - PreserveOrGenerate
+ - Preserve
+ - Generate
+ - Disable
+ type: string
+ withUnderscoresAction:
+ description: |-
+ WithUnderscoresAction configures the action to take when an HTTP header with underscores
+ is encountered. The default action is to reject the request.
+ enum:
+ - Allow
+ - RejectRequest
+ - DropHeader
+ type: string
+ xForwardedClientCert:
+ description: |-
+ XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.
+
+ x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
+ information of part or all of the clients or proxies that a request has flowed through,
+ on its way from the client to the server.
+
+ Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.
+
+ If not set, the default behavior is sanitizing the XFCC header.
+ properties:
+ certDetailsToAdd:
+ description: |-
+ CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.
+
+ Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)
+ are always included if the client certificate is forwarded.
+
+ This field is only applicable when the mode is set to `AppendForward` or
+ `SanitizeSet` and the client connection is mTLS.
+ items:
+ description: XFCCCertData specifies the fields in the client
+ certificate to be forwarded in the XFCC header.
+ enum:
+ - Subject
+ - Cert
+ - Chain
+ - DNS
+ - URI
+ type: string
+ maxItems: 5
+ type: array
+ mode:
+ description: |-
+ Mode defines how XFCC header is handled by Envoy Proxy.
+ If not set, the default mode is `Sanitize`.
+ enum:
+ - Sanitize
+ - ForwardOnly
+ - AppendForward
+ - SanitizeSet
+ - AlwaysForwardOnly
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: certDetailsToAdd can only be set when mode is AppendForward
+ or SanitizeSet
+ rule: '(has(self.certDetailsToAdd) && self.certDetailsToAdd.size()
+ > 0) ? (self.mode == ''AppendForward'' || self.mode == ''SanitizeSet'')
+ : true'
+ type: object
+ x-kubernetes-validations:
+ - message: preserveXRequestID and requestID cannot both be set.
+ rule: '!(has(self.preserveXRequestID) && has(self.requestID))'
+ healthCheck:
+ description: HealthCheck provides configuration for determining whether
+ the HTTP/HTTPS listener is healthy.
+ properties:
+ path:
+ description: Path specifies the HTTP path to match on for health
+ check requests.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ http1:
+ description: HTTP1 provides HTTP/1 configuration on the listener.
+ properties:
+ disableSafeMaxConnectionDuration:
+ description: |-
+ DisableSafeMaxConnectionDuration controls the close behavior for HTTP/1 connections.
+ By default, connection closure is delayed until the next request arrives after maxConnectionDuration is exceeded.
+ It then adds a Connection: close header and gracefully closes the connection after the response completes.
+ When set to true (disabled), Envoy uses its default drain behavior, closing the connection shortly after maxConnectionDuration elapses.
+ Has no effect unless maxConnectionDuration is set.
+ type: boolean
+ enableTrailers:
+ description: EnableTrailers defines if HTTP/1 trailers should
+ be proxied by Envoy.
+ type: boolean
+ http10:
+ description: HTTP10 turns on support for HTTP/1.0 and HTTP/0.9
+ requests.
+ properties:
+ useDefaultHost:
+ description: |-
+ UseDefaultHost specifies whether a default Host header should be injected
+ into HTTP/1.0 requests that do not include one.
+
+ When set to true, Envoy Gateway injects the hostname associated with the
+ listener or route into the request, in the following order:
+
+ 1. If the targeted listener has a non-wildcard hostname, use that hostname.
+ 2. If there is exactly one HTTPRoute with a non-wildcard hostname under
+ the targeted listener, use that hostname.
+
+ Note: Setting this field to true without a non-wildcard hostname makes the
+ ClientTrafficPolicy invalid.
+ type: boolean
+ type: object
+ preserveHeaderCase:
+ description: |-
+ PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
+ By default, Envoy will lowercase all the headers.
+ type: boolean
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration on the listener.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ http3:
+ description: HTTP3 provides HTTP/3 configuration on the listener.
+ type: object
+ path:
+ description: Path enables managing how the incoming path set by clients
+ can be normalized.
+ properties:
+ disableMergeSlashes:
+ description: |-
+ DisableMergeSlashes allows disabling the default configuration of merging adjacent
+ slashes in the path.
+ Note that slash merging is not part of the HTTP spec and is provided for convenience.
+ type: boolean
+ escapedSlashesAction:
+ description: |-
+ EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
+ should be handled.
+ The default is UnescapeAndRedirect.
+ enum:
+ - KeepUnchanged
+ - RejectRequest
+ - UnescapeAndForward
+ - UnescapeAndRedirect
+ type: string
+ type: object
+ proxyProtocol:
+ description: |-
+ ProxyProtocol configures the Proxy Protocol settings. When configured,
+ the Proxy Protocol header will be interpreted and the Client Address
+ will be added into the X-Forwarded-For header.
+ If both EnableProxyProtocol and ProxyProtocol are set, ProxyProtocol takes precedence.
+ minProperties: 0
+ properties:
+ optional:
+ description: |-
+ Optional allows requests without a Proxy Protocol header to be proxied.
+ If set to true, the listener will accept requests without a Proxy Protocol header.
+ If set to false, the listener will reject requests without a Proxy Protocol header.
+ If not set, the default behavior is to reject requests without a Proxy Protocol header.
+ Warning: Optional breaks conformance with the specification. Only enable if ALL traffic to the listener comes from a trusted source.
+ For more information on security implications, see haproxy.org/download/2.1/doc/proxy-protocol.txt
+ type: boolean
+ type: object
+ scheme:
+ description: |-
+ Scheme configures how the :scheme pseudo-header is set for requests forwarded to backends.
+
+ - Preserve (default): Preserves the :scheme from the original client request.
+ Use this when backends need to know the original client scheme for URL generation or redirects.
+
+ - MatchBackend: Sets the :scheme to match the backend transport protocol.
+ If the backend uses TLS, the scheme is "https", otherwise "http".
+ Use this when backends require the scheme to match the actual transport protocol,
+ such as strictly HTTPS services that validate the :scheme header.
+ enum:
+ - Preserve
+ - MatchBackend
+ type: string
+ targetRef:
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the downstream client connection.
+ If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the client connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ idleTimeout:
+ description: |-
+ IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestReceivedTimeout:
+ description: |-
+ RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
+ initiation and stops when either the last byte of the request is sent upstream or when the response begins.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ streamIdleTimeout:
+ description: |2-
+ The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity.
+ Default: 5 minutes.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ idleTimeout:
+ description: |-
+ IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
+ bytes sent or received on either the upstream or downstream connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ tls:
+ description: TLS settings configure TLS termination settings with
+ the downstream client.
+ properties:
+ alpnProtocols:
+ description: |-
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener or used by the proxy to connect to the backend.
+ Defaults:
+ 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+ 2. Other Routes: ALPN is disabled.
+ 3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+ When an empty list is provided, the ALPN TLS extension is disabled.
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
+ items:
+ description: ALPNProtocol specifies the protocol to be negotiated
+ using ALPN
+ type: string
+ type: array
+ ciphers:
+ description: |-
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ items:
+ type: string
+ type: array
+ clientValidation:
+ description: |-
+ ClientValidation specifies the configuration to validate the client
+ initiating the TLS connection to the Gateway listener.
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+ with the CA certificate in a key named `ca.crt` is currently supported.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached.
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 8
+ type: array
+ certificateHashes:
+ description: |-
+ An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will
+ verify that the SHA-256 of the DER-encoded presented certificate matches
+ one of the specified values.
+ items:
+ type: string
+ type: array
+ crl:
+ description: Crl specifies the crl configuration that can
+ be used to validate the client initiating the TLS connection
+ properties:
+ onlyVerifyLeafCertificate:
+ description: |-
+ If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
+ Defaults to false, which will verify the entire certificate chain against the CRL.
+ type: boolean
+ refs:
+ description: |-
+ Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
+ containing the certificate revocation list in PEM format
+ Expects the content in a key named `ca.crl`.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the crl
+ to be attached.
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ required:
+ - refs
+ type: object
+ optional:
+ description: |-
+ Optional set to true accepts connections even when a client doesn't present a certificate.
+ Defaults to false, which rejects connections without a valid client certificate.
+ type: boolean
+ spkiHashes:
+ description: |-
+ An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will
+ verify that the SHA-256 of the DER-encoded Subject Public Key Information
+ (SPKI) of the presented certificate matches one of the specified values.
+ items:
+ type: string
+ type: array
+ subjectAltNames:
+ description: |-
+ An optional list of Subject Alternative name matchers. If specified, Envoy
+ will verify that the Subject Alternative Name of the presented certificate
+ matches one of the specified matchers
+ properties:
+ dnsNames:
+ description: DNS names matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ emailAddresses:
+ description: Email addresses matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ ipAddresses:
+ description: IP addresses matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ otherNames:
+ description: Other names matchers
+ items:
+ properties:
+ oid:
+ description: OID Value
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - oid
+ - value
+ type: object
+ type: array
+ uris:
+ description: URIs matchers
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against
+ a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that
+ the match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ type: object
+ type: object
+ ecdhCurves:
+ description: |-
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
+ items:
+ type: string
+ type: array
+ maxVersion:
+ description: |-
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ minVersion:
+ description: |-
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ session:
+ description: Session defines settings related to TLS session management.
+ properties:
+ resumption:
+ description: |-
+ Resumption determines the proxy's supported TLS session resumption option.
+ By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
+ enable stateful and stateless session resumption. Users should consider security impacts
+ of different resumption methods. Performance gains from resumption are diminished when
+ Envoy proxy is deployed with more than one replica.
+ properties:
+ stateful:
+ description: Stateful defines setting for stateful (session-id
+ based) session resumption
+ type: object
+ stateless:
+ description: Stateless defines setting for stateless (session-ticket
+ based) session resumption
+ type: object
+ type: object
+ type: object
+ signatureAlgorithms:
+ description: |-
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
+ items:
+ type: string
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: setting ciphers has no effect if the minimum possible TLS
+ version is 1.3
+ rule: 'has(self.minVersion) && self.minVersion == ''1.3'' ? !has(self.ciphers)
+ : true'
+ - message: minVersion must be smaller or equal to maxVersion
+ rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion]
+ <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : true'
+ type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true'
+ - message: this policy can only have a targetRef.kind of Gateway
+ rule: 'has(self.targetRef) ? self.targetRef.kind == ''Gateway'' : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true'
+ - message: this policy can only have a targetRefs[*].kind of Gateway
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == ''Gateway'')
+ : true'
+ status:
+ description: Status defines the current status of ClientTrafficPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - conditions
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
new file mode 100644
index 00000000..f87b1cac
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -0,0 +1,2167 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: envoyextensionpolicies.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ kind: EnvoyExtensionPolicy
+ listKind: EnvoyExtensionPolicyList
+ plural: envoyextensionpolicies
+ shortNames:
+ - eep
+ singular: envoyextensionpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: EnvoyExtensionPolicy allows the user to configure various envoy
+ extensibility options for the Gateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of EnvoyExtensionPolicy.
+ properties:
+ extProc:
+ description: |-
+ ExtProc is an ordered list of external processing filters
+ that should be added to the envoy filter chain
+ items:
+ description: ExtProc defines the configuration for External Processing
+ filter.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers that
+ will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the
+ payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time between active
+ health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected response
+ payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the
+ payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the
+ payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait for
+ a health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a backend
+ host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) : !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base duration
+ for which a host will be ejected on consecutive
+ failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors sets the number
+ of consecutive gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between passive
+ health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash policy
+ when the consistent hash type is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set for
+ the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent hash
+ type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures the query parameter
+ hash policy when the consistent hash type is set
+ to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query param to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the header
+ field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is headers, the headers
+ field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
+ - message: If consistent hash type is cookie, the cookie
+ field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ - message: If consistent hash type is queryParams, the
+ queryParams field must be set.
+ rule: 'self.type == ''QueryParams'' ? has(self.queryParams)
+ : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the minimum
+ number of total upstream endpoints across
+ all zones required to enable zone-aware routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If not
+ specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash''] ?
+ !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol when
+ communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until which
+ entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent)) &&
+ !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ failOpen:
+ default: false
+ description: |-
+ FailOpen is a switch used to control the behavior when failing to call the external processor.
+
+ If FailOpen is set to true, the system bypasses the ExtProc extension and
+ allows the traffic to pass through. If it is set to false or
+ not set (defaulting to false), the system blocks the traffic and returns
+ an HTTP 5xx error.
+
+ If set to true, the ExtProc extension will also be bypassed if the configuration is invalid.
+ type: boolean
+ messageTimeout:
+ description: |-
+ MessageTimeout is the timeout for a response to be returned from the external processor
+ Default: 200ms
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ metadata:
+ description: |-
+ Metadata defines options related to the sending and receiving of dynamic metadata.
+ These options define which metadata namespaces would be sent to the processor and which dynamic metadata
+ namespaces the processor would be permitted to emit metadata to.
+ Users can specify custom namespaces or well-known envoy metadata namespace (such as envoy.filters.http.ext_authz)
+ documented here: https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata#well-known-dynamic-metadata
+ Default: no metadata context is sent or received from the external processor
+ properties:
+ accessibleNamespaces:
+ description: AccessibleNamespaces are metadata namespaces
+ that are sent to the external processor as context
+ items:
+ type: string
+ type: array
+ writableNamespaces:
+ description: WritableNamespaces are metadata namespaces
+ that the external processor can write to
+ items:
+ type: string
+ maxItems: 8
+ type: array
+ x-kubernetes-validations:
+ - message: writableNamespaces cannot contain well-known
+ Envoy HTTP filter namespaces
+ rule: self.all(f, !f.startsWith('envoy.filters.http'))
+ type: object
+ processingMode:
+ description: |-
+ ProcessingMode defines how request and response body is processed
+ Default: header and body are not sent to the external processor
+ properties:
+ allowModeOverride:
+ description: |-
+ AllowModeOverride allows the external processor to override the processing mode set via the
+ `mode_override` field in the gRPC response message. This defaults to false.
+ type: boolean
+ request:
+ description: |-
+ Defines processing mode for requests. If present, request headers are sent. Request body is processed according
+ to the specified mode.
+ properties:
+ attributes:
+ description: |-
+ Defines which attributes are sent to the external processor. Envoy Gateway currently
+ supports only the following attribute prefixes: connection, source, destination,
+ request, response, upstream and xds.route.
+ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes
+ items:
+ pattern: ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$
+ type: string
+ type: array
+ body:
+ description: Defines body processing mode
+ enum:
+ - Streamed
+ - Buffered
+ - BufferedPartial
+ - FullDuplexStreamed
+ type: string
+ type: object
+ response:
+ description: |-
+ Defines processing mode for responses. If present, response headers are sent. Response body is processed according
+ to the specified mode.
+ properties:
+ attributes:
+ description: |-
+ Defines which attributes are sent to the external processor. Envoy Gateway currently
+ supports only the following attribute prefixes: connection, source, destination,
+ request, response, upstream and xds.route.
+ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes
+ items:
+ pattern: ^(connection\.|source\.|destination\.|request\.|response\.|upstream\.|xds\.route_)[a-z_1-9]*$
+ type: string
+ type: array
+ body:
+ description: Defines body processing mode
+ enum:
+ - Streamed
+ - Buffered
+ - BufferedPartial
+ - FullDuplexStreamed
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only supports Service, ServiceImport, and
+ Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'' || f.kind == ''ServiceImport'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only supports Core, multicluster.x-k8s.io,
+ and gateway.envoyproxy.io groups.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
+ == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
+ ''gateway.envoyproxy.io'')) : true'
+ - message: If FullDuplexStreamed body processing mode is used, FailOpen
+ must be false.
+ rule: '!(has(self.failOpen) && self.failOpen == true && has(self.processingMode)
+ && ((has(self.processingMode.request) && has(self.processingMode.request.body)
+ && self.processingMode.request.body == ''FullDuplexStreamed'')
+ || (has(self.processingMode.response) && has(self.processingMode.response.body)
+ && self.processingMode.response.body == ''FullDuplexStreamed'')))'
+ maxItems: 16
+ type: array
+ lua:
+ description: |-
+ Lua is an ordered list of Lua filters
+ that should be added to the envoy filter chain
+ items:
+ description: |-
+ Lua defines a Lua extension
+ Only one of Inline or ValueRef must be set
+ properties:
+ inline:
+ description: Inline contains the source code as an inline string.
+ type: string
+ type:
+ default: Inline
+ description: |-
+ Type is the type of method to use to read the Lua value.
+ Valid values are Inline and ValueRef, default is Inline.
+ enum:
+ - Inline
+ - ValueRef
+ type: string
+ valueRef:
+ description: |-
+ ValueRef has the source code specified as a local object reference.
+ Only a reference to ConfigMap is supported.
+ The value of key `lua` in the ConfigMap will be used.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example "HTTPRoute"
+ or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Only a reference to an object of kind ConfigMap belonging
+ to default v1 API group is supported.
+ rule: self.kind == 'ConfigMap' && (self.group == 'v1' || self.group
+ == '')
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: Exactly one of inline or valueRef must be set with correct
+ type.
+ rule: (self.type == 'Inline' && has(self.inline) && !has(self.valueRef))
+ || (self.type == 'ValueRef' && !has(self.inline) && has(self.valueRef))
+ maxItems: 16
+ type: array
+ targetRef:
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
+ wasm:
+ description: |-
+ Wasm is a list of Wasm extensions to be loaded by the Gateway.
+ Order matters, as the extensions will be loaded in the order they are
+ defined in this list.
+ items:
+ description: |-
+ Wasm defines a Wasm extension.
+
+ Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
+ v8 is used as the VM runtime for the Wasm extensions.
+ properties:
+ code:
+ description: Code is the Wasm code for the extension.
+ properties:
+ http:
+ description: |-
+ HTTP is the HTTP URL containing the Wasm code.
+
+ Note that the HTTP server must be accessible from the Envoy proxy.
+ properties:
+ sha256:
+ description: |-
+ SHA256 checksum that will be used to verify the Wasm code.
+
+ If not specified, Envoy Gateway will not verify the downloaded Wasm code.
+ kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+ type: string
+ tls:
+ description: TLS configuration when connecting to the
+ Wasm code source.
+ properties:
+ caCertificateRef:
+ description: |-
+ CACertificateRef contains a references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the Wasm code source.
+
+ Kubernetes ConfigMap and Kubernetes Secret are supported.
+ Note: The ConfigMap or Secret must be in the same namespace as the EnvoyExtensionPolicy.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For
+ example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - caCertificateRef
+ type: object
+ url:
+ description: URL is the URL containing the Wasm code.
+ pattern: ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*
+ type: string
+ required:
+ - url
+ type: object
+ image:
+ description: |-
+ Image is the OCI image containing the Wasm code.
+
+ Note that the image must be accessible from the Envoy Gateway.
+ properties:
+ pullSecretRef:
+ description: |-
+ PullSecretRef is a reference to the secret containing the credentials to pull the image.
+ Only support Kubernetes Secret resource from the same namespace.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: only support Secret kind.
+ rule: self.kind == 'Secret'
+ sha256:
+ description: |-
+ SHA256 checksum that will be used to verify the OCI image.
+
+ It must match the digest of the OCI image.
+
+ If not specified, Envoy Gateway will not verify the downloaded OCI image.
+ kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+ type: string
+ tls:
+ description: TLS configuration when connecting to the
+ Wasm code source.
+ properties:
+ caCertificateRef:
+ description: |-
+ CACertificateRef contains a references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the Wasm code source.
+
+ Kubernetes ConfigMap and Kubernetes Secret are supported.
+ Note: The ConfigMap or Secret must be in the same namespace as the EnvoyExtensionPolicy.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For
+ example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - caCertificateRef
+ type: object
+ url:
+ description: |-
+ URL is the URL of the OCI image.
+ URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`.
+ type: string
+ required:
+ - url
+ type: object
+ pullPolicy:
+ description: |-
+ PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
+ This field is only applicable when the SHA256 field is not set.
+
+ If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.
+
+ Note: EG does not update the Wasm module every time an Envoy proxy requests
+ the Wasm module even if the pull policy is set to Always.
+ It only updates the Wasm module when the EnvoyExtension resource version changes.
+ enum:
+ - IfNotPresent
+ - Always
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - Image
+ - enum:
+ - HTTP
+ - Image
+ - ConfigMap
+ description: |-
+ Type is the type of the source of the Wasm code.
+ Valid WasmCodeSourceType values are "HTTP" or "Image".
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If type is HTTP, http field needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) : !has(self.http)'
+ - message: If type is Image, image field needs to be set.
+ rule: 'self.type == ''Image'' ? has(self.image) : !has(self.image)'
+ config:
+ description: |-
+ Config is the configuration for the Wasm extension.
+ This configuration will be passed as a JSON string to the Wasm extension.
+ x-kubernetes-preserve-unknown-fields: true
+ env:
+ description: Env configures the environment for the Wasm extension
+ properties:
+ hostKeys:
+ description: |-
+ HostKeys is a list of keys for environment variables from the host envoy process
+ that should be passed into the Wasm VM. This is useful for passing secrets to to Wasm extensions.
+ items:
+ type: string
+ type: array
+ type: object
+ failOpen:
+ default: false
+ description: |-
+ FailOpen is a switch used to control the behavior when a fatal error occurs
+ during the initialization or the execution of the Wasm extension.
+
+ If FailOpen is set to true, the system bypasses the Wasm extension and
+ allows the traffic to pass through. If it is set to false or
+ not set (defaulting to false), the system blocks the traffic and returns
+ an HTTP 5xx error.
+
+ If set to true, the Wasm extension will also be bypassed if the configuration is invalid.
+ type: boolean
+ name:
+ description: |-
+ Name is a unique name for this Wasm extension. It is used to identify the
+ Wasm extension if multiple extensions are handled by the same vm_id and root_id.
+ It's also used for logging/debugging.
+ If not specified, EG will generate a unique name for the Wasm extension.
+ type: string
+ rootID:
+ description: |-
+ RootID is a unique ID for a set of extensions in a VM which will share a
+ RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
+ If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
+
+ Note: RootID must match the root_id parameter used to register the Context in the Wasm code.
+ type: string
+ required:
+ - code
+ type: object
+ maxItems: 16
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true'
+ - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
+ ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''] : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true '
+ - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
+ ''HTTPRoute'', ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''])
+ : true '
+ status:
+ description: Status defines the current status of EnvoyExtensionPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - conditions
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
new file mode 100644
index 00000000..e1dbfb2f
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
@@ -0,0 +1,510 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: envoypatchpolicies.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: EnvoyPatchPolicy
+ listKind: EnvoyPatchPolicyList
+ plural: envoypatchpolicies
+ shortNames:
+ - epp
+ singular: envoypatchpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.ancestors[0].conditions[?(@.type=="Accepted")].status
+ name: Accepted
+ type: string
+ - jsonPath: .status.ancestors[0].conditions[?(@.type=="Programmed")].status
+ name: Programmed
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS
+ resources by Envoy Gateway using this patch API
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of EnvoyPatchPolicy.
+ properties:
+ jsonPatches:
+ description: JSONPatch defines the JSONPatch configuration.
+ items:
+ description: |-
+ EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource
+ using JSONPatch semantic
+ properties:
+ name:
+ description: Name is the name of the resource
+ type: string
+ operation:
+ description: Patch defines the JSON Patch Operation
+ properties:
+ from:
+ description: |-
+ From is the source location of the value to be copied or moved. Only valid
+ for move or copy operations
+ Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ type: string
+ jsonPath:
+ description: |-
+ JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+ It produces one or more JSONPointer expressions based on the given JSON document.
+ If no JSONPointer is found, it will result in an error.
+ If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
+ This is useful when creating a property that does not yet exist in the JSON document.
+ The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
+ type: string
+ op:
+ description: Op is the type of operation to perform
+ enum:
+ - add
+ - remove
+ - replace
+ - move
+ - copy
+ - test
+ type: string
+ path:
+ description: |-
+ Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ It specifies the location of the target document/field where the operation will be performed
+ type: string
+ value:
+ description: |-
+ Value is the new value of the path location. The value is only used by
+ the `add` and `replace` operations.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - op
+ type: object
+ type:
+ description: Type is the typed URL of the Envoy xDS Resource
+ enum:
+ - type.googleapis.com/envoy.config.listener.v3.Listener
+ - type.googleapis.com/envoy.config.route.v3.RouteConfiguration
+ - type.googleapis.com/envoy.config.cluster.v3.Cluster
+ - type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
+ - type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
+ type: string
+ required:
+ - name
+ - operation
+ - type
+ type: object
+ type: array
+ priority:
+ description: |-
+ Priority of the EnvoyPatchPolicy.
+ If multiple EnvoyPatchPolicies are applied to the same
+ TargetRef, they will be applied in the ascending order of
+ the priority i.e. int32.min has the highest priority and
+ int32.max has the lowest priority.
+ Defaults to 0.
+ format: int32
+ type: integer
+ targetRef:
+ description: |-
+ TargetRef is the name of the Gateway API resource this policy
+ is being attached to.
+ By default, attaching to Gateway is supported and
+ when mergeGateways is enabled it should attach to GatewayClass.
+ This Policy and the TargetRef MUST be in the same namespace
+ for this Policy to have effect and be applied to the Gateway
+ TargetRef
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type:
+ description: |-
+ Type decides the type of patch.
+ Valid EnvoyPatchType values are "JSONPatch".
+ enum:
+ - JSONPatch
+ type: string
+ required:
+ - targetRef
+ - type
+ type: object
+ status:
+ description: Status defines the current status of EnvoyPatchPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - conditions
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
new file mode 100644
index 00000000..66b39ecc
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -0,0 +1,16626 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: envoyproxies.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: EnvoyProxy
+ listKind: EnvoyProxyList
+ plural: envoyproxies
+ shortNames:
+ - eproxy
+ singular: envoyproxy
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: EnvoyProxy is the schema for the envoyproxies API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: EnvoyProxySpec defines the desired state of EnvoyProxy.
+ properties:
+ backendTLS:
+ description: |-
+ BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
+ These settings are applied on backends for which TLS policies are specified.
+ properties:
+ alpnProtocols:
+ description: |-
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener or used by the proxy to connect to the backend.
+ Defaults:
+ 1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
+ 2. Other Routes: ALPN is disabled.
+ 3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
+ When an empty list is provided, the ALPN TLS extension is disabled.
+
+ Defaults to [h2, http/1.1] if not specified.
+
+ Typical Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
+ items:
+ description: ALPNProtocol specifies the protocol to be negotiated
+ using ALPN
+ type: string
+ type: array
+ ciphers:
+ description: |-
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ items:
+ type: string
+ type: array
+ clientCertificateRef:
+ description: |-
+ ClientCertificateRef defines the reference to a Kubernetes Secret that contains
+ the client certificate and private key for Envoy to use when connecting to
+ backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+ This secret should be located within the same namespace as the Envoy proxy resource that references it.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ ecdhCurves:
+ description: |-
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
+ items:
+ type: string
+ type: array
+ maxVersion:
+ description: |-
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ minVersion:
+ description: |-
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ signatureAlgorithms:
+ description: |-
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
+ items:
+ type: string
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: setting ciphers has no effect if the minimum possible TLS
+ version is 1.3
+ rule: 'has(self.minVersion) && self.minVersion == ''1.3'' ? !has(self.ciphers)
+ : true'
+ - message: minVersion must be smaller or equal to maxVersion
+ rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion]
+ <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : true'
+ bootstrap:
+ description: |-
+ Bootstrap defines the Envoy Bootstrap as a YAML string.
+ Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
+ to learn more about the syntax.
+ If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
+ set by Envoy Gateway.
+ Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
+ from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
+ Backward compatibility across minor versions is not guaranteed.
+ We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
+ Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors.
+ properties:
+ jsonPatches:
+ description: |-
+ JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
+ applied in the order in which they are defined.
+ items:
+ description: |-
+ JSONPatchOperation defines the JSON Patch Operation as defined in
+ https://datatracker.ietf.org/doc/html/rfc6902
+ properties:
+ from:
+ description: |-
+ From is the source location of the value to be copied or moved. Only valid
+ for move or copy operations
+ Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ type: string
+ jsonPath:
+ description: |-
+ JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+ It produces one or more JSONPointer expressions based on the given JSON document.
+ If no JSONPointer is found, it will result in an error.
+ If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
+ This is useful when creating a property that does not yet exist in the JSON document.
+ The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
+ type: string
+ op:
+ description: Op is the type of operation to perform
+ enum:
+ - add
+ - remove
+ - replace
+ - move
+ - copy
+ - test
+ type: string
+ path:
+ description: |-
+ Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ It specifies the location of the target document/field where the operation will be performed
+ type: string
+ value:
+ description: |-
+ Value is the new value of the path location. The value is only used by
+ the `add` and `replace` operations.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - op
+ type: object
+ type: array
+ type:
+ default: Replace
+ description: |-
+ Type is the type of the bootstrap configuration, it should be either **Replace**, **Merge**, or **JSONPatch**.
+ If unspecified, it defaults to Replace.
+ enum:
+ - Merge
+ - Replace
+ - JSONPatch
+ type: string
+ value:
+ description: Value is a YAML string of the bootstrap.
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: provided bootstrap patch doesn't match the configured patch
+ type
+ rule: 'self.type == ''JSONPatch'' ? self.jsonPatches.size() > 0
+ : has(self.value)'
+ concurrency:
+ description: |-
+ Concurrency defines the number of worker threads to run. If unset, it defaults to
+ the number of cpuset threads on the platform.
+ format: int32
+ type: integer
+ extraArgs:
+ description: |-
+ ExtraArgs defines additional command line options that are provided to Envoy.
+ More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
+ Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here.
+ items:
+ type: string
+ type: array
+ filterOrder:
+ description: |-
+ FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
+ The FilterPosition in the list will be applied in the order they are defined.
+ If unspecified, the default filter order is applied.
+ Default filter order is:
+
+ - envoy.filters.http.custom_response
+
+ - envoy.filters.http.health_check
+
+ - envoy.filters.http.fault
+
+ - envoy.filters.http.cors
+
+ - envoy.filters.http.header_mutation
+
+ - envoy.filters.http.ext_authz
+
+ - envoy.filters.http.api_key_auth
+
+ - envoy.filters.http.basic_auth
+
+ - envoy.filters.http.oauth2
+
+ - envoy.filters.http.jwt_authn
+
+ - envoy.filters.http.stateful_session
+
+ - envoy.filters.http.buffer
+
+ - envoy.filters.http.lua
+
+ - envoy.filters.http.ext_proc
+
+ - envoy.filters.http.wasm
+
+ - envoy.filters.http.rbac
+
+ - envoy.filters.http.local_ratelimit
+
+ - envoy.filters.http.ratelimit
+
+ - envoy.filters.http.grpc_web
+
+ - envoy.filters.http.grpc_stats
+
+ - envoy.filters.http.credential_injector
+
+ - envoy.filters.http.compressor
+
+ - envoy.filters.http.dynamic_forward_proxy
+
+ - envoy.filters.http.router
+
+ Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
+ items:
+ description: FilterPosition defines the position of an Envoy HTTP
+ filter in the filter chain.
+ properties:
+ after:
+ description: |-
+ After defines the filter that should come after the filter.
+ Only one of Before or After must be set.
+ enum:
+ - envoy.filters.http.custom_response
+ - envoy.filters.http.health_check
+ - envoy.filters.http.fault
+ - envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
+ - envoy.filters.http.ext_authz
+ - envoy.filters.http.api_key_auth
+ - envoy.filters.http.basic_auth
+ - envoy.filters.http.oauth2
+ - envoy.filters.http.jwt_authn
+ - envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
+ - envoy.filters.http.lua
+ - envoy.filters.http.ext_proc
+ - envoy.filters.http.wasm
+ - envoy.filters.http.rbac
+ - envoy.filters.http.local_ratelimit
+ - envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+ - envoy.filters.http.grpc_stats
+ - envoy.filters.http.credential_injector
+ - envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
+ type: string
+ before:
+ description: |-
+ Before defines the filter that should come before the filter.
+ Only one of Before or After must be set.
+ enum:
+ - envoy.filters.http.custom_response
+ - envoy.filters.http.health_check
+ - envoy.filters.http.fault
+ - envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
+ - envoy.filters.http.ext_authz
+ - envoy.filters.http.api_key_auth
+ - envoy.filters.http.basic_auth
+ - envoy.filters.http.oauth2
+ - envoy.filters.http.jwt_authn
+ - envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
+ - envoy.filters.http.lua
+ - envoy.filters.http.ext_proc
+ - envoy.filters.http.wasm
+ - envoy.filters.http.rbac
+ - envoy.filters.http.local_ratelimit
+ - envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+ - envoy.filters.http.grpc_stats
+ - envoy.filters.http.credential_injector
+ - envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
+ type: string
+ name:
+ description: Name of the filter.
+ enum:
+ - envoy.filters.http.custom_response
+ - envoy.filters.http.health_check
+ - envoy.filters.http.fault
+ - envoy.filters.http.cors
+ - envoy.filters.http.header_mutation
+ - envoy.filters.http.ext_authz
+ - envoy.filters.http.api_key_auth
+ - envoy.filters.http.basic_auth
+ - envoy.filters.http.oauth2
+ - envoy.filters.http.jwt_authn
+ - envoy.filters.http.stateful_session
+ - envoy.filters.http.buffer
+ - envoy.filters.http.lua
+ - envoy.filters.http.ext_proc
+ - envoy.filters.http.wasm
+ - envoy.filters.http.rbac
+ - envoy.filters.http.local_ratelimit
+ - envoy.filters.http.ratelimit
+ - envoy.filters.http.grpc_web
+ - envoy.filters.http.grpc_stats
+ - envoy.filters.http.credential_injector
+ - envoy.filters.http.compressor
+ - envoy.filters.http.dynamic_forward_proxy
+ type: string
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: one of before or after must be specified
+ rule: (has(self.before) || has(self.after))
+ - message: only one of before or after can be specified
+ rule: (has(self.before) && !has(self.after)) || (!has(self.before)
+ && has(self.after))
+ type: array
+ ipFamily:
+ description: |-
+ IPFamily specifies the IP family for the EnvoyProxy fleet.
+ This setting only affects the Gateway listener port and does not impact
+ other aspects of the Envoy proxy configuration.
+ If not specified, the system will operate as follows:
+ - It defaults to IPv4 only.
+ - IPv6 and dual-stack environments are not supported in this default configuration.
+ Note: To enable IPv6 or dual-stack functionality, explicit configuration is required.
+ enum:
+ - IPv4
+ - IPv6
+ - DualStack
+ type: string
+ logging:
+ default:
+ level:
+ default: warn
+ description: Logging defines logging parameters for managed proxies.
+ properties:
+ level:
+ additionalProperties:
+ description: LogLevel defines a log level for Envoy Gateway
+ and EnvoyProxy system logs.
+ enum:
+ - trace
+ - debug
+ - info
+ - warn
+ - error
+ type: string
+ default:
+ default: warn
+ description: |-
+ Level is a map of logging level per component, where the component is the key
+ and the log level is the value. If unspecified, defaults to "default: warn".
+ type: object
+ type: object
+ luaValidation:
+ description: |-
+ LuaValidation determines strictness of the Lua script validation for Lua EnvoyExtensionPolicies
+ Default: Strict
+ enum:
+ - Strict
+ - InsecureSyntax
+ - Disabled
+ type: string
+ mergeGateways:
+ description: |-
+ MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
+ Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
+ This means that the port, protocol and hostname tuple must be unique for every listener.
+ If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition.
+ type: boolean
+ preserveRouteOrder:
+ description: |-
+ PreserveRouteOrder determines if the order of matching for HTTPRoutes is determined by Gateway-API
+ specification (https://gateway-api.sigs.k8s.io/reference/1.4/spec/#httprouterule)
+ or preserves the order defined by users in the HTTPRoute's HTTPRouteRule list.
+ Default: False
+ type: boolean
+ provider:
+ description: |-
+ Provider defines the desired resource provider and provider-specific configuration.
+ If unspecified, the "Kubernetes" resource provider is used with default configuration
+ parameters.
+ properties:
+ host:
+ description: |-
+ Host provides runtime deployment of the data plane as a child process on the
+ host environment.
+ If unspecified and type is "Host", default settings for the custom provider
+ are applied.
+ properties:
+ envoyVersion:
+ description: |-
+ EnvoyVersion is the version of Envoy to use. If unspecified, the version
+ against which Envoy Gateway is built will be used.
+ type: string
+ type: object
+ kubernetes:
+ description: |-
+ Kubernetes defines the desired state of the Kubernetes resource provider.
+ Kubernetes provides infrastructure resources for running the data plane,
+ e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
+ for managed Kubernetes resources are applied.
+ properties:
+ envoyDaemonSet:
+ description: |-
+ EnvoyDaemonSet defines the desired state of the Envoy daemonset resource.
+ Disabled by default, a deployment resource is used instead to provision the Envoy Proxy fleet
+ properties:
+ container:
+ description: Container defines the desired specification
+ of main container.
+ properties:
+ env:
+ description: List of environment variables to set
+ in the container.
+ items:
+ description: EnvVar represents an environment variable
+ present in a Container.
+ properties:
+ name:
+ description: |-
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
+ type: string
+ value:
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
+ type: string
+ valueFrom:
+ description: Source for the environment variable's
+ value. Cannot be used if value is not empty.
+ properties:
+ configMapKeyRef:
+ description: Selects a key of a ConfigMap.
+ properties:
+ key:
+ description: The key to select.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the ConfigMap
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+ properties:
+ apiVersion:
+ description: Version of the schema the
+ FieldPath is written in terms of,
+ defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field to select
+ in the specified API version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ fileKeyRef:
+ description: |-
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+ properties:
+ key:
+ description: |-
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ type: string
+ optional:
+ default: false
+ description: |-
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ type: boolean
+ path:
+ description: |-
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ type: string
+ volumeName:
+ description: The name of the volume
+ mount containing the env file.
+ type: string
+ required:
+ - key
+ - path
+ - volumeName
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name: required
+ for volumes, optional for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output format
+ of the exposed resources, defaults
+ to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource to
+ select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ description: Selects a key of a secret in
+ the pod's namespace
+ properties:
+ key:
+ description: The key of the secret to
+ select from. Must be a valid secret
+ key.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ image:
+ description: |-
+ Image specifies the EnvoyProxy container image to be used including a tag, instead of the default image.
+ This field is mutually exclusive with ImageRepository.
+ type: string
+ x-kubernetes-validations:
+ - message: Image must include a tag and allowed characters
+ only (e.g., 'repo:tag').
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
+ imageRepository:
+ description: |-
+ ImageRepository specifies the container image repository to be used without specifying a tag.
+ The default tag will be used.
+ This field is mutually exclusive with Image.
+ type: string
+ x-kubernetes-validations:
+ - message: ImageRepository must contain only allowed
+ characters and must not include a tag.
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$')
+ resources:
+ description: |-
+ Resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This field depends on the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry
+ in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ securityContext:
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
+ overrides the pod's appArmorProfile.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default value is Default which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label
+ that applies to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label
+ that applies to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label
+ that applies to the container.
+ type: string
+ user:
+ description: User is a SELinux user label
+ that applies to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
+ name of the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
+ volumeMounts:
+ description: |-
+ VolumeMounts are volumes to mount into the container's filesystem.
+ Cannot be updated.
+ items:
+ description: VolumeMount describes a mounting of
+ a Volume within a container.
+ properties:
+ mountPath:
+ description: |-
+ Path within the container at which the volume should be mounted. Must
+ not contain ':'.
+ type: string
+ mountPropagation:
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
+ When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+ (which defaults to None).
+ type: string
+ name:
+ description: This must match the Name of a Volume.
+ type: string
+ readOnly:
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
+ type: boolean
+ recursiveReadOnly:
+ description: |-
+ RecursiveReadOnly specifies whether read-only mounts should be handled
+ recursively.
+
+ If ReadOnly is false, this field has no meaning and must be unspecified.
+
+ If ReadOnly is true, and this field is set to Disabled, the mount is not made
+ recursively read-only. If this field is set to IfPossible, the mount is made
+ recursively read-only, if it is supported by the container runtime. If this
+ field is set to Enabled, the mount is made recursively read-only if it is
+ supported by the container runtime, otherwise the pod will not be started and
+ an error will be generated to indicate the reason.
+
+ If this field is set to IfPossible or Enabled, MountPropagation must be set to
+ None (or be unspecified, which defaults to None).
+
+ If this field is not specified, it is treated as an equivalent of Disabled.
+ type: string
+ subPath:
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
+ Defaults to "" (volume's root).
+ type: string
+ subPathExpr:
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: Either image or imageRepository can be set.
+ rule: '!has(self.image) || !has(self.imageRepository)'
+ name:
+ description: |-
+ Name of the daemonSet.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ patch:
+ description: Patch defines how to perform the patch operation
+ to daemonset
+ properties:
+ type:
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
+ type: string
+ value:
+ description: Object contains the raw configuration
+ for merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
+ pod:
+ description: Pod defines the desired specification of
+ pod.
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations are the annotations that should be appended to the pods.
+ By default, no pod annotations are appended.
+ type: object
+ imagePullSecrets:
+ description: |-
+ ImagePullSecrets is an optional list of references to secrets
+ in the same namespace to use for pulling any of the images used by this PodSpec.
+ If specified, these secrets will be passed to individual puller implementations for them to use.
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+ items:
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels are the additional labels that should be tagged to the pods.
+ By default, no additional pod labels are tagged.
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ type: object
+ priorityClassName:
+ description: |-
+ PriorityClassName indicates the importance of a Pod relative to other Pods.
+ If a PriorityClassName is not specified, the pod priority will be default or zero if there is no default.
+ More info: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+ type: string
+ securityContext:
+ description: |-
+ SecurityContext holds pod-level security attributes and common container settings.
+ Optional: Defaults to empty. See type description for default values of each field.
+ properties:
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ description: |-
+ A special supplemental group that applies to all containers in a pod.
+ Some volume types allow the Kubelet to change the ownership of that volume
+ to be owned by the pod:
+
+ 1. The owning GID will be the FSGroup
+ 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+ 3. The permission bits are OR'd with rw-rw----
+
+ If unset, the Kubelet will not modify the ownership and permissions of any volume.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ description: |-
+ fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+ before being exposed inside Pod. This field will only apply to
+ volume types which support fsGroup based ownership(and permissions).
+ It will have no effect on ephemeral volume types such as: secret, configmaps
+ and emptydir.
+ Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxChangePolicy:
+ description: |-
+ seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+ It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+ Valid values are "MountOption" and "Recursive".
+
+ "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+ This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+ "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+ This requires all Pods that share the same volume to use the same SELinux label.
+ It is not possible to share the same volume among privileged and unprivileged Pods.
+ Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+ whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+ CSIDriver instance. Other volumes are always re-labelled recursively.
+ "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+ If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+ If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+ and "Recursive" for all other volumes.
+
+ This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+ All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to all containers.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in SecurityContext. If set in
+ both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+ takes precedence for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label
+ that applies to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label
+ that applies to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label
+ that applies to the container.
+ type: string
+ user:
+ description: User is a SELinux user label
+ that applies to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ description: |-
+ A list of groups applied to the first process run in each container, in
+ addition to the container's primary GID and fsGroup (if specified). If
+ the SupplementalGroupsPolicy feature is enabled, the
+ supplementalGroupsPolicy field determines whether these are in addition
+ to or instead of any group memberships defined in the container image.
+ If unspecified, no additional groups are added, though group memberships
+ defined in the container image may still be used, depending on the
+ supplementalGroupsPolicy field.
+ Note that this field cannot be set when spec.os.name is windows.
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ description: |-
+ Defines how supplemental groups of the first container processes are calculated.
+ Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+ (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+ and the container runtime must implement support for this feature.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ sysctls:
+ description: |-
+ Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+ sysctls (by the container runtime) might fail to launch.
+ Note that this field cannot be set when spec.os.name is windows.
+ items:
+ description: Sysctl defines a kernel parameter
+ to be set
+ properties:
+ name:
+ description: Name of a property to set
+ type: string
+ value:
+ description: Value of a property to set
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options within a container's SecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
+ name of the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
+ tolerations:
+ description: If specified, the pod's tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ volumes:
+ description: |-
+ Volumes that can be mounted by containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes
+ items:
+ description: Volume represents a named volume in
+ a pod that may be accessed by any container in
+ the pod.
+ properties:
+ awsElasticBlockStore:
+ description: |-
+ awsElasticBlockStore represents an AWS Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+ awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly value true will force the readOnly setting in VolumeMounts.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: boolean
+ volumeID:
+ description: |-
+ volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ description: |-
+ azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+ Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+ are redirected to the disk.csi.azure.com CSI driver.
+ properties:
+ cachingMode:
+ description: 'cachingMode is the Host Caching
+ mode: None, Read Only, Read Write.'
+ type: string
+ diskName:
+ description: diskName is the Name of the
+ data disk in the blob storage
+ type: string
+ diskURI:
+ description: diskURI is the URI of data
+ disk in the blob storage
+ type: string
+ fsType:
+ default: ext4
+ description: |-
+ fsType is Filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ kind:
+ description: 'kind expected values are Shared:
+ multiple blob disks per storage account Dedicated:
+ single blob disk per storage account Managed:
+ azure managed data disk (only in managed
+ availability set). defaults to shared'
+ type: string
+ readOnly:
+ default: false
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ description: |-
+ azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+ Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+ are redirected to the file.csi.azure.com CSI driver.
+ properties:
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretName:
+ description: secretName is the name of
+ secret that contains Azure Storage Account
+ Name and Key
+ type: string
+ shareName:
+ description: shareName is the azure share
+ Name
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ description: |-
+ cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+ Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+ properties:
+ monitors:
+ description: |-
+ monitors is Required: Monitors is a collection of Ceph monitors
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: 'path is Optional: Used as
+ the mounted root, rather than the full
+ Ceph tree, default is /'
+ type: string
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: boolean
+ secretFile:
+ description: |-
+ secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ secretRef:
+ description: |-
+ secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ description: |-
+ user is optional: User is the rados user name, default is admin
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ description: |-
+ cinder represents a cinder volume attached and mounted on kubelets host machine.
+ Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+ are redirected to the cinder.csi.openstack.org CSI driver.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is optional: points to a secret object containing parameters used to connect
+ to OpenStack.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ description: |-
+ volumeID used to identify the volume in cinder.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ description: configMap represents a configMap
+ that should populate this volume
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional specify whether the
+ ConfigMap or its keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ description: csi (Container Storage Interface)
+ represents ephemeral storage that is handled
+ by certain external CSI drivers.
+ properties:
+ driver:
+ description: |-
+ driver is the name of the CSI driver that handles this volume.
+ Consult with your admin for the correct name as registered in the cluster.
+ type: string
+ fsType:
+ description: |-
+ fsType to mount. Ex. "ext4", "xfs", "ntfs".
+ If not provided, the empty value is passed to the associated CSI driver
+ which will determine the default filesystem to apply.
+ type: string
+ nodePublishSecretRef:
+ description: |-
+ nodePublishSecretRef is a reference to the secret object containing
+ sensitive information to pass to the CSI driver to complete the CSI
+ NodePublishVolume and NodeUnpublishVolume calls.
+ This field is optional, and may be empty if no secret is required. If the
+ secret object contains more than one secret, all secret references are passed.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ description: |-
+ readOnly specifies a read-only configuration for the volume.
+ Defaults to false (read/write).
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ description: |-
+ volumeAttributes stores driver-specific properties that are passed to the CSI
+ driver. Consult your driver's documentation for supported values.
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ description: downwardAPI represents downward
+ API about the pod that should populate this
+ volume
+ properties:
+ defaultMode:
+ description: |-
+ Optional: mode bits to use on created files by default. Must be a
+ Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: Items is a list of downward
+ API volume file
+ items:
+ description: DownwardAPIVolumeFile represents
+ information to create the file containing
+ the pod field
+ properties:
+ fieldRef:
+ description: 'Required: Selects a
+ field of the pod: only annotations,
+ labels, name, namespace and uid
+ are supported.'
+ properties:
+ apiVersion:
+ description: Version of the schema
+ the FieldPath is written in
+ terms of, defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field
+ to select in the specified API
+ version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required: Path is the
+ relative path name of the file to
+ be created. Must not be absolute
+ or contain the ''..'' path. Must
+ be utf-8 encoded. The first item
+ of the relative path must not start
+ with ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name:
+ required for volumes, optional
+ for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output
+ format of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource
+ to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ description: |-
+ emptyDir represents a temporary directory that shares a pod's lifetime.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ properties:
+ medium:
+ description: |-
+ medium represents what type of storage medium should back this directory.
+ The default is "" which means to use the node's default medium.
+ Must be an empty string (default) or Memory.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ sizeLimit is the total amount of local storage required for this EmptyDir volume.
+ The size limit is also applicable for memory medium.
+ The maximum usage on memory medium EmptyDir would be the minimum value between
+ the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+ The default is nil which means that the limit is undefined.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ description: |-
+ ephemeral represents a volume that is handled by a cluster storage driver.
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+ and deleted when the pod is removed.
+
+ Use this if:
+ a) the volume is only needed while the pod runs,
+ b) features of normal volumes like restoring from snapshot or capacity
+ tracking are needed,
+ c) the storage driver is specified through a storage class, and
+ d) the storage driver supports dynamic volume provisioning through
+ a PersistentVolumeClaim (see EphemeralVolumeSource for more
+ information on the connection between this volume type
+ and PersistentVolumeClaim).
+
+ Use PersistentVolumeClaim or one of the vendor-specific
+ APIs for volumes that persist for longer than the lifecycle
+ of an individual pod.
+
+ Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+ be used that way - see the documentation of the driver for
+ more information.
+
+ A pod can use both types of ephemeral volumes and
+ persistent volumes at the same time.
+ properties:
+ volumeClaimTemplate:
+ description: |-
+ Will be used to create a stand-alone PVC to provision the volume.
+ The pod in which this EphemeralVolumeSource is embedded will be the
+ owner of the PVC, i.e. the PVC will be deleted together with the
+ pod. The name of the PVC will be `-` where
+ `` is the name from the `PodSpec.Volumes` array
+ entry. Pod validation will reject the pod if the concatenated name
+ is not valid for a PVC (for example, too long).
+
+ An existing PVC with that name that is not owned by the pod
+ will *not* be used for the pod to avoid using an unrelated
+ volume by mistake. Starting the pod is then blocked until
+ the unrelated PVC is removed. If such a pre-created PVC is
+ meant to be used by the pod, the PVC has to updated with an
+ owner reference to the pod once the pod exists. Normally
+ this should not be necessary, but it may be useful when
+ manually reconstructing a broken cluster.
+
+ This field is read-only and no changes will be made by Kubernetes
+ to the PVC after it has been created.
+
+ Required, must not be nil.
+ properties:
+ metadata:
+ description: |-
+ May contain labels and annotations that will be copied into the PVC
+ when creating it. No other fields are allowed and will be rejected during
+ validation.
+ type: object
+ spec:
+ description: |-
+ The specification for the PersistentVolumeClaim. The entire content is
+ copied unchanged into the PVC that gets created from this
+ template. The same fields as in a PersistentVolumeClaim
+ are also valid here.
+ properties:
+ accessModes:
+ description: |-
+ accessModes contains the desired access modes the volume should have.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ description: |-
+ dataSource field can be used to specify either:
+ * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+ * An existing PVC (PersistentVolumeClaim)
+ If the provisioner or an external controller can support the specified data source,
+ it will create a new volume based on the contents of the specified data source.
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+ and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+ If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type
+ of resource being referenced
+ type: string
+ name:
+ description: Name is the name
+ of resource being referenced
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ description: |-
+ dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+ volume is desired. This may be any object from a non-empty API group (non
+ core object) or a PersistentVolumeClaim object.
+ When this field is specified, volume binding will only succeed if the type of
+ the specified object matches some installed volume populator or dynamic
+ provisioner.
+ This field will replace the functionality of the dataSource field and as such
+ if both fields are non-empty, they must have the same value. For backwards
+ compatibility, when namespace isn't specified in dataSourceRef,
+ both fields (dataSource and dataSourceRef) will be set to the same
+ value automatically if one of them is empty and the other is non-empty.
+ When namespace is specified in dataSourceRef,
+ dataSource isn't set to the same value and must be empty.
+ There are three important differences between dataSource and dataSourceRef:
+ * While dataSource only allows two specific types of objects, dataSourceRef
+ allows any non-core object, as well as PersistentVolumeClaim objects.
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef
+ preserves all values, and generates an error if a disallowed value is
+ specified.
+ * While dataSource only allows local objects, dataSourceRef allows objects
+ in any namespaces.
+ (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type
+ of resource being referenced
+ type: string
+ name:
+ description: Name is the name
+ of resource being referenced
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of resource being referenced
+ Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+ (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ description: |-
+ resources represents the minimum resources the volume should have.
+ Users are allowed to specify resource requirements
+ that are lower than previous value but must still be higher than capacity recorded in the
+ status field of the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ selector:
+ description: selector is a label
+ query over volumes to consider
+ for binding.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ description: |-
+ storageClassName is the name of the StorageClass required by the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+ type: string
+ volumeAttributesClassName:
+ description: |-
+ volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+ If specified, the CSI driver will create or update the volume with the attributes defined
+ in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+ set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+ exists.
+ More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+ type: string
+ volumeMode:
+ description: |-
+ volumeMode defines what type of volume is required by the claim.
+ Value of Filesystem is implied when not included in claim spec.
+ type: string
+ volumeName:
+ description: volumeName is the binding
+ reference to the PersistentVolume
+ backing this claim.
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ description: fc represents a Fibre Channel resource
+ that is attached to a kubelet's host machine
+ and then exposed to the pod.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ lun:
+ description: 'lun is Optional: FC target
+ lun number'
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ targetWWNs:
+ description: 'targetWWNs is Optional: FC
+ target worldwide names (WWNs)'
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ description: |-
+ wwids Optional: FC volume world wide identifiers (wwids)
+ Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ description: |-
+ flexVolume represents a generic volume resource that is
+ provisioned/attached using an exec based plugin.
+ Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+ properties:
+ driver:
+ description: driver is the name of the driver
+ to use for this volume.
+ type: string
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ description: 'options is Optional: this
+ field holds extra command options if any.'
+ type: object
+ readOnly:
+ description: |-
+ readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is Optional: secretRef is reference to the secret object containing
+ sensitive information to pass to the plugin scripts. This may be
+ empty if no secret object is specified. If the secret object
+ contains more than one secret, all secrets are passed to the plugin
+ scripts.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ description: |-
+ flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+ Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+ properties:
+ datasetName:
+ description: |-
+ datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+ should be considered as deprecated
+ type: string
+ datasetUUID:
+ description: datasetUUID is the UUID of
+ the dataset. This is unique identifier
+ of a Flocker dataset
+ type: string
+ type: object
+ gcePersistentDisk:
+ description: |-
+ gcePersistentDisk represents a GCE Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+ gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ format: int32
+ type: integer
+ pdName:
+ description: |-
+ pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ description: |-
+ gitRepo represents a git repository at a particular revision.
+ Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
+ EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+ into the Pod's container.
+ properties:
+ directory:
+ description: |-
+ directory is the target directory name.
+ Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
+ git repository. Otherwise, if specified, the volume will contain the git repository in
+ the subdirectory with the given name.
+ type: string
+ repository:
+ description: repository is the URL
+ type: string
+ revision:
+ description: revision is the commit hash
+ for the specified revision.
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ description: |-
+ glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+ Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+ properties:
+ endpoints:
+ description: endpoints is the endpoint name
+ that details Glusterfs topology.
+ type: string
+ path:
+ description: |-
+ path is the Glusterfs volume path.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ description: |-
+ hostPath represents a pre-existing file or directory on the host
+ machine that is directly exposed to the container. This is generally
+ used for system agents or other privileged things that are allowed
+ to see the host machine. Most containers will NOT need this.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ properties:
+ path:
+ description: |-
+ path of the directory on the host.
+ If the path is a symlink, it will follow the link to the real path.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ type:
+ description: |-
+ type for HostPath Volume
+ Defaults to ""
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ required:
+ - path
+ type: object
+ image:
+ description: |-
+ image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+ The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+ - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+ The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+ A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+ The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+ The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+ The volume will be mounted read-only (ro) and non-executable files (noexec).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
+ The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+ properties:
+ pullPolicy:
+ description: |-
+ Policy for pulling OCI objects. Possible values are:
+ Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+ Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+ type: string
+ reference:
+ description: |-
+ Required: Image or artifact reference to be used.
+ Behaves in the same way as pod.spec.containers[*].image.
+ Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+ More info: https://kubernetes.io/docs/concepts/containers/images
+ This field is optional to allow higher level config management to default or override
+ container images in workload controllers like Deployments and StatefulSets.
+ type: string
+ type: object
+ iscsi:
+ description: |-
+ iscsi represents an ISCSI Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
+ properties:
+ chapAuthDiscovery:
+ description: chapAuthDiscovery defines whether
+ support iSCSI Discovery CHAP authentication
+ type: boolean
+ chapAuthSession:
+ description: chapAuthSession defines whether
+ support iSCSI Session CHAP authentication
+ type: boolean
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+ type: string
+ initiatorName:
+ description: |-
+ initiatorName is the custom iSCSI Initiator Name.
+ If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+ : will be created for the connection.
+ type: string
+ iqn:
+ description: iqn is the target iSCSI Qualified
+ Name.
+ type: string
+ iscsiInterface:
+ default: default
+ description: |-
+ iscsiInterface is the interface Name that uses an iSCSI transport.
+ Defaults to 'default' (tcp).
+ type: string
+ lun:
+ description: lun represents iSCSI Target
+ Lun number.
+ format: int32
+ type: integer
+ portals:
+ description: |-
+ portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ type: boolean
+ secretRef:
+ description: secretRef is the CHAP Secret
+ for iSCSI target and initiator authentication
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ description: |-
+ targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ description: |-
+ name of the volume.
+ Must be a DNS_LABEL and unique within the pod.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ nfs:
+ description: |-
+ nfs represents an NFS mount on the host that shares a pod's lifetime
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ properties:
+ path:
+ description: |-
+ path that is exported by the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the NFS export to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: boolean
+ server:
+ description: |-
+ server is the hostname or IP address of the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ description: |-
+ persistentVolumeClaimVolumeSource represents a reference to a
+ PersistentVolumeClaim in the same namespace.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ properties:
+ claimName:
+ description: |-
+ claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ type: string
+ readOnly:
+ description: |-
+ readOnly Will force the ReadOnly setting in VolumeMounts.
+ Default false.
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ description: |-
+ photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+ Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ pdID:
+ description: pdID is the ID that identifies
+ Photon Controller persistent disk
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ description: |-
+ portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+ Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+ are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+ is on.
+ properties:
+ fsType:
+ description: |-
+ fSType represents the filesystem type to mount
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ volumeID:
+ description: volumeID uniquely identifies
+ a Portworx volume
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ description: projected items for all in one
+ resources secrets, configmaps, and downward
+ API
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode are the mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ sources:
+ description: |-
+ sources is the list of volume projections. Each entry in this list
+ handles one source.
+ items:
+ description: |-
+ Projection that may be projected along with other supported volume types.
+ Exactly one of these fields must be set.
+ properties:
+ clusterTrustBundle:
+ description: |-
+ ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+ of ClusterTrustBundle objects in an auto-updating file.
+
+ Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+ ClusterTrustBundle objects can either be selected by name, or by the
+ combination of signer name and a label selector.
+
+ Kubelet performs aggressive normalization of the PEM contents written
+ into the pod filesystem. Esoteric PEM features such as inter-block
+ comments and block headers are stripped. Certificates are deduplicated.
+ The ordering of certificates within the file is arbitrary, and Kubelet
+ may change the order over time.
+ properties:
+ labelSelector:
+ description: |-
+ Select all ClusterTrustBundles that match this label selector. Only has
+ effect if signerName is set. Mutually-exclusive with name. If unset,
+ interpreted as "match nothing". If set but empty, interpreted as "match
+ everything".
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ description: |-
+ Select a single ClusterTrustBundle by object name. Mutually-exclusive
+ with signerName and labelSelector.
+ type: string
+ optional:
+ description: |-
+ If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+ aren't available. If using name, then the named ClusterTrustBundle is
+ allowed not to exist. If using signerName, then the combination of
+ signerName and labelSelector is allowed to match zero
+ ClusterTrustBundles.
+ type: boolean
+ path:
+ description: Relative path from
+ the volume root to write the
+ bundle.
+ type: string
+ signerName:
+ description: |-
+ Select all ClusterTrustBundles that match this signer name.
+ Mutually-exclusive with name. The contents of all selected
+ ClusterTrustBundles will be unified and deduplicated.
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ description: configMap information
+ about the configMap data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key
+ to a path within a volume.
+ properties:
+ key:
+ description: key is the
+ key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional specify
+ whether the ConfigMap or its
+ keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ description: downwardAPI information
+ about the downwardAPI data to project
+ properties:
+ items:
+ description: Items is a list of
+ DownwardAPIVolume file
+ items:
+ description: DownwardAPIVolumeFile
+ represents information to
+ create the file containing
+ the pod field
+ properties:
+ fieldRef:
+ description: 'Required:
+ Selects a field of the
+ pod: only annotations,
+ labels, name, namespace
+ and uid are supported.'
+ properties:
+ apiVersion:
+ description: Version
+ of the schema the
+ FieldPath is written
+ in terms of, defaults
+ to "v1".
+ type: string
+ fieldPath:
+ description: Path of
+ the field to select
+ in the specified API
+ version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required:
+ Path is the relative
+ path name of the file
+ to be created. Must not
+ be absolute or contain
+ the ''..'' path. Must
+ be utf-8 encoded. The
+ first item of the relative
+ path must not start with
+ ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container
+ name: required for
+ volumes, optional
+ for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies
+ the output format
+ of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required:
+ resource to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated
+ CSRs will be addressed to this
+ signer.
+ type: string
+ userAnnotations:
+ additionalProperties:
+ type: string
+ description: |-
+ userAnnotations allow pod authors to pass additional information to
+ the signer implementation. Kubernetes does not restrict or validate this
+ metadata in any way.
+
+ These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+ the PodCertificateRequest objects that Kubelet creates.
+
+ Entries are subject to the same validation as object metadata annotations,
+ with the addition that all keys must be domain-prefixed. No restrictions
+ are placed on values, except an overall size limitation on the entire field.
+
+ Signers should document the keys and values they support. Signers should
+ deny requests that contain keys they do not recognize.
+ type: object
+ required:
+ - keyType
+ - signerName
+ type: object
+ secret:
+ description: secret information about
+ the secret data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key
+ to a path within a volume.
+ properties:
+ key:
+ description: key is the
+ key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional field specify
+ whether the Secret or its key
+ must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ description: serviceAccountToken is
+ information about the serviceAccountToken
+ data to project
+ properties:
+ audience:
+ description: |-
+ audience is the intended audience of the token. A recipient of a token
+ must identify itself with an identifier specified in the audience of the
+ token, and otherwise should reject the token. The audience defaults to the
+ identifier of the apiserver.
+ type: string
+ expirationSeconds:
+ description: |-
+ expirationSeconds is the requested duration of validity of the service
+ account token. As the token approaches expiration, the kubelet volume
+ plugin will proactively rotate the service account token. The kubelet will
+ start trying to rotate the token if the token is older than 80 percent of
+ its time to live or if the token is older than 24 hours.Defaults to 1 hour
+ and must be at least 10 minutes.
+ format: int64
+ type: integer
+ path:
+ description: |-
+ path is the path relative to the mount point of the file to project the
+ token into.
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ description: |-
+ quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+ Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+ properties:
+ group:
+ description: |-
+ group to map volume access to
+ Default is no group
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+ Defaults to false.
+ type: boolean
+ registry:
+ description: |-
+ registry represents a single or multiple Quobyte Registry services
+ specified as a string as host:port pair (multiple entries are separated with commas)
+ which acts as the central registry for volumes
+ type: string
+ tenant:
+ description: |-
+ tenant owning the given Quobyte volume in the Backend
+ Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+ type: string
+ user:
+ description: |-
+ user to map volume access to
+ Defaults to serivceaccount user
+ type: string
+ volume:
+ description: volume is a string that references
+ an already created Quobyte volume by name.
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ description: |-
+ rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+ Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+ type: string
+ image:
+ description: |-
+ image is the rados image name.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ keyring:
+ default: /etc/ceph/keyring
+ description: |-
+ keyring is the path to key ring for RBDUser.
+ Default is /etc/ceph/keyring.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ monitors:
+ description: |-
+ monitors is a collection of Ceph monitors.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ default: rbd
+ description: |-
+ pool is the rados pool name.
+ Default is rbd.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is name of the authentication secret for RBDUser. If provided
+ overrides keyring.
+ Default is nil.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ default: admin
+ description: |-
+ user is the rados user name.
+ Default is admin.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ description: |-
+ scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+ Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+ properties:
+ fsType:
+ default: xfs
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs".
+ Default is "xfs".
+ type: string
+ gateway:
+ description: gateway is the host address
+ of the ScaleIO API Gateway.
+ type: string
+ protectionDomain:
+ description: protectionDomain is the name
+ of the ScaleIO Protection Domain for the
+ configured storage.
+ type: string
+ readOnly:
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef references to the secret for ScaleIO user and other
+ sensitive information. If this is not provided, Login operation will fail.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ description: sslEnabled Flag enable/disable
+ SSL communication with Gateway, default
+ false
+ type: boolean
+ storageMode:
+ default: ThinProvisioned
+ description: |-
+ storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+ Default is ThinProvisioned.
+ type: string
+ storagePool:
+ description: storagePool is the ScaleIO
+ Storage Pool associated with the protection
+ domain.
+ type: string
+ system:
+ description: system is the name of the storage
+ system as configured in ScaleIO.
+ type: string
+ volumeName:
+ description: |-
+ volumeName is the name of a volume already created in the ScaleIO system
+ that is associated with this volume source.
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ description: |-
+ secret represents a secret that should populate this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values
+ for mode bits. Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items If unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ description: optional field specify whether
+ the Secret or its keys must be defined
+ type: boolean
+ secretName:
+ description: |-
+ secretName is the name of the secret in the pod's namespace to use.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ type: string
+ type: object
+ storageos:
+ description: |-
+ storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+ Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef specifies the secret to use for obtaining the StorageOS API
+ credentials. If not specified, default values will be attempted.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ description: |-
+ volumeName is the human-readable name of the StorageOS volume. Volume
+ names are only unique within a namespace.
+ type: string
+ volumeNamespace:
+ description: |-
+ volumeNamespace specifies the scope of the volume within StorageOS. If no
+ namespace is specified then the Pod's namespace will be used. This allows the
+ Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+ Set VolumeName to any name to override the default behaviour.
+ Set to "default" if you are not using namespaces within StorageOS.
+ Namespaces that do not pre-exist within StorageOS will be created.
+ type: string
+ type: object
+ vsphereVolume:
+ description: |-
+ vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+ Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+ are redirected to the csi.vsphere.vmware.com CSI driver.
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ storagePolicyID:
+ description: storagePolicyID is the storage
+ Policy Based Management (SPBM) profile
+ ID associated with the StoragePolicyName.
+ type: string
+ storagePolicyName:
+ description: storagePolicyName is the storage
+ Policy Based Management (SPBM) profile
+ name.
+ type: string
+ volumePath:
+ description: volumePath is the path that
+ identifies vSphere volume vmdk
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ strategy:
+ description: The daemonset strategy to use to replace
+ existing pods with new ones.
+ properties:
+ rollingUpdate:
+ description: Rolling update config params. Present
+ only if type = "RollingUpdate".
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of nodes with an existing available DaemonSet pod that
+ can have an updated DaemonSet pod during during an update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up to a minimum of 1.
+ Default value is 0.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their a new pod created before the old pod is marked as deleted.
+ The update starts by launching new pods on 30% of nodes. Once an updated
+ pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+ on that node is marked deleted. If the old pod becomes unavailable for any
+ reason (Ready transitions to false, is evicted, or is drained) an updated
+ pod is immediately created on that node without considering surge limits.
+ Allowing surge implies the possibility that the resources consumed by the
+ daemonset on any given node can double if the readiness check fails, and
+ so resource intensive daemonsets should take into account that they may
+ cause evictions during disruption.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of DaemonSet pods that can be unavailable during the
+ update. Value can be an absolute number (ex: 5) or a percentage of total
+ number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+ number is calculated from percentage by rounding up.
+ This cannot be 0 if MaxSurge is 0
+ Default value is 1.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their pods stopped for an update at any given time. The update
+ starts by stopping at most 30% of those DaemonSet pods and then brings
+ up new DaemonSet pods in their place. Once the new pods are available,
+ it then proceeds onto other DaemonSet pods, thus ensuring that at least
+ 70% of original number of DaemonSet pods are available at all times during
+ the update.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of daemon set update. Can be "RollingUpdate"
+ or "OnDelete". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ envoyDeployment:
+ description: |-
+ EnvoyDeployment defines the desired state of the Envoy deployment resource.
+ If unspecified, default settings for the managed Envoy deployment resource
+ are applied.
+ properties:
+ container:
+ description: Container defines the desired specification
+ of main container.
+ properties:
+ env:
+ description: List of environment variables to set
+ in the container.
+ items:
+ description: EnvVar represents an environment variable
+ present in a Container.
+ properties:
+ name:
+ description: |-
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
+ type: string
+ value:
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
+ type: string
+ valueFrom:
+ description: Source for the environment variable's
+ value. Cannot be used if value is not empty.
+ properties:
+ configMapKeyRef:
+ description: Selects a key of a ConfigMap.
+ properties:
+ key:
+ description: The key to select.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the ConfigMap
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+ properties:
+ apiVersion:
+ description: Version of the schema the
+ FieldPath is written in terms of,
+ defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field to select
+ in the specified API version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ fileKeyRef:
+ description: |-
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+ properties:
+ key:
+ description: |-
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ type: string
+ optional:
+ default: false
+ description: |-
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ type: boolean
+ path:
+ description: |-
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ type: string
+ volumeName:
+ description: The name of the volume
+ mount containing the env file.
+ type: string
+ required:
+ - key
+ - path
+ - volumeName
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name: required
+ for volumes, optional for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output format
+ of the exposed resources, defaults
+ to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource to
+ select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ description: Selects a key of a secret in
+ the pod's namespace
+ properties:
+ key:
+ description: The key of the secret to
+ select from. Must be a valid secret
+ key.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ image:
+ description: |-
+ Image specifies the EnvoyProxy container image to be used including a tag, instead of the default image.
+ This field is mutually exclusive with ImageRepository.
+ type: string
+ x-kubernetes-validations:
+ - message: Image must include a tag and allowed characters
+ only (e.g., 'repo:tag').
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?(/[a-zA-Z0-9._/-]+)?(:[a-zA-Z0-9._-]+)?(@sha256:[a-z0-9]+)?$')
+ imageRepository:
+ description: |-
+ ImageRepository specifies the container image repository to be used without specifying a tag.
+ The default tag will be used.
+ This field is mutually exclusive with Image.
+ type: string
+ x-kubernetes-validations:
+ - message: ImageRepository must contain only allowed
+ characters and must not include a tag.
+ rule: self.matches('^[a-zA-Z0-9._-]+(:[0-9]+)?[a-zA-Z0-9._/-]+$')
+ resources:
+ description: |-
+ Resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This field depends on the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry
+ in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ securityContext:
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
+ overrides the pod's appArmorProfile.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default value is Default which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label
+ that applies to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label
+ that applies to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label
+ that applies to the container.
+ type: string
+ user:
+ description: User is a SELinux user label
+ that applies to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
+ name of the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
+ volumeMounts:
+ description: |-
+ VolumeMounts are volumes to mount into the container's filesystem.
+ Cannot be updated.
+ items:
+ description: VolumeMount describes a mounting of
+ a Volume within a container.
+ properties:
+ mountPath:
+ description: |-
+ Path within the container at which the volume should be mounted. Must
+ not contain ':'.
+ type: string
+ mountPropagation:
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
+ When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+ (which defaults to None).
+ type: string
+ name:
+ description: This must match the Name of a Volume.
+ type: string
+ readOnly:
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
+ type: boolean
+ recursiveReadOnly:
+ description: |-
+ RecursiveReadOnly specifies whether read-only mounts should be handled
+ recursively.
+
+ If ReadOnly is false, this field has no meaning and must be unspecified.
+
+ If ReadOnly is true, and this field is set to Disabled, the mount is not made
+ recursively read-only. If this field is set to IfPossible, the mount is made
+ recursively read-only, if it is supported by the container runtime. If this
+ field is set to Enabled, the mount is made recursively read-only if it is
+ supported by the container runtime, otherwise the pod will not be started and
+ an error will be generated to indicate the reason.
+
+ If this field is set to IfPossible or Enabled, MountPropagation must be set to
+ None (or be unspecified, which defaults to None).
+
+ If this field is not specified, it is treated as an equivalent of Disabled.
+ type: string
+ subPath:
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
+ Defaults to "" (volume's root).
+ type: string
+ subPathExpr:
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: Either image or imageRepository can be set.
+ rule: '!has(self.image) || !has(self.imageRepository)'
+ initContainers:
+ description: |-
+ List of initialization containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ items:
+ description: A single application container that you
+ want to run within a pod.
+ properties:
+ args:
+ description: |-
+ Arguments to the entrypoint.
+ The container image's CMD is used if this is not provided.
+ Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+ cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+ produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+ of whether the variable exists or not. Cannot be updated.
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ description: |-
+ Entrypoint array. Not executed within a shell.
+ The container image's ENTRYPOINT is used if this is not provided.
+ Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+ cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+ produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+ of whether the variable exists or not. Cannot be updated.
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ description: |-
+ List of environment variables to set in the container.
+ Cannot be updated.
+ items:
+ description: EnvVar represents an environment
+ variable present in a Container.
+ properties:
+ name:
+ description: |-
+ Name of the environment variable.
+ May consist of any printable ASCII characters except '='.
+ type: string
+ value:
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
+ type: string
+ valueFrom:
+ description: Source for the environment variable's
+ value. Cannot be used if value is not empty.
+ properties:
+ configMapKeyRef:
+ description: Selects a key of a ConfigMap.
+ properties:
+ key:
+ description: The key to select.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the ConfigMap
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+ properties:
+ apiVersion:
+ description: Version of the schema
+ the FieldPath is written in terms
+ of, defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field to
+ select in the specified API version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ fileKeyRef:
+ description: |-
+ FileKeyRef selects a key of the env file.
+ Requires the EnvFiles feature gate to be enabled.
+ properties:
+ key:
+ description: |-
+ The key within the env file. An invalid key will prevent the pod from starting.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
+ type: string
+ optional:
+ default: false
+ description: |-
+ Specify whether the file or its key must be defined. If the file or key
+ does not exist, then the env var is not published.
+ If optional is set to true and the specified key does not exist,
+ the environment variable will not be set in the Pod's containers.
+
+ If optional is set to false and the specified key does not exist,
+ an error will be returned during Pod creation.
+ type: boolean
+ path:
+ description: |-
+ The path within the volume from which to select the file.
+ Must be relative and may not contain the '..' path or start with '..'.
+ type: string
+ volumeName:
+ description: The name of the volume
+ mount containing the env file.
+ type: string
+ required:
+ - key
+ - path
+ - volumeName
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name: required
+ for volumes, optional for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output
+ format of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource to
+ select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ description: Selects a key of a secret
+ in the pod's namespace
+ properties:
+ key:
+ description: The key of the secret
+ to select from. Must be a valid
+ secret key.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ description: |-
+ List of sources to populate environment variables in the container.
+ The keys defined within a source may consist of any printable ASCII characters except '='.
+ When a key exists in multiple
+ sources, the value associated with the last source will take precedence.
+ Values defined by an Env with a duplicate key will take precedence.
+ Cannot be updated.
+ items:
+ description: EnvFromSource represents the source
+ of a set of ConfigMaps or Secrets
+ properties:
+ configMapRef:
+ description: The ConfigMap to select from
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the ConfigMap
+ must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ description: |-
+ Optional text to prepend to the name of each environment variable.
+ May consist of any printable ASCII characters except '='.
+ type: string
+ secretRef:
+ description: The Secret to select from
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret
+ must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ description: |-
+ Container image name.
+ More info: https://kubernetes.io/docs/concepts/containers/images
+ This field is optional to allow higher level config management to default or override
+ container images in workload controllers like Deployments and StatefulSets.
+ type: string
+ imagePullPolicy:
+ description: |-
+ Image pull policy.
+ One of Always, Never, IfNotPresent.
+ Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+ type: string
+ lifecycle:
+ description: |-
+ Actions that the management system should take in response to container lifecycle events.
+ Cannot be updated.
+ properties:
+ postStart:
+ description: |-
+ PostStart is called immediately after a container is created. If the handler fails,
+ the container is terminated and restarted according to its restart policy.
+ Other management of the container blocks until the hook completes.
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+ properties:
+ exec:
+ description: Exec specifies a command to
+ execute in the container.
+ properties:
+ command:
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ description: HTTPGet specifies an HTTP GET
+ request to perform.
+ properties:
+ host:
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
+ type: string
+ httpHeaders:
+ description: Custom headers to set in
+ the request. HTTP allows repeated
+ headers.
+ items:
+ description: HTTPHeader describes
+ a custom header to be used in HTTP
+ probes
+ properties:
+ name:
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
+ type: string
+ value:
+ description: The header field
+ value
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: Path to access on the HTTP
+ server.
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ scheme:
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ description: Sleep represents a duration
+ that the container should sleep.
+ properties:
+ seconds:
+ description: Seconds is the number of
+ seconds to sleep.
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ description: |-
+ Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+ for backward compatibility. There is no validation of this field and
+ lifecycle hooks will fail at runtime when it is specified.
+ properties:
+ host:
+ description: 'Optional: Host name to
+ connect to, defaults to the pod IP.'
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ description: |-
+ PreStop is called immediately before a container is terminated due to an
+ API request or management event such as liveness/startup probe failure,
+ preemption, resource contention, etc. The handler is not called if the
+ container crashes or exits. The Pod's termination grace period countdown begins before the
+ PreStop hook is executed. Regardless of the outcome of the handler, the
+ container will eventually terminate within the Pod's termination grace
+ period (unless delayed by finalizers). Other management of the container blocks until the hook completes
+ or until the termination grace period is reached.
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+ properties:
+ exec:
+ description: Exec specifies a command to
+ execute in the container.
+ properties:
+ command:
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ description: HTTPGet specifies an HTTP GET
+ request to perform.
+ properties:
+ host:
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
+ type: string
+ httpHeaders:
+ description: Custom headers to set in
+ the request. HTTP allows repeated
+ headers.
+ items:
+ description: HTTPHeader describes
+ a custom header to be used in HTTP
+ probes
+ properties:
+ name:
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
+ type: string
+ value:
+ description: The header field
+ value
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: Path to access on the HTTP
+ server.
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ scheme:
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ description: Sleep represents a duration
+ that the container should sleep.
+ properties:
+ seconds:
+ description: Seconds is the number of
+ seconds to sleep.
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ description: |-
+ Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+ for backward compatibility. There is no validation of this field and
+ lifecycle hooks will fail at runtime when it is specified.
+ properties:
+ host:
+ description: 'Optional: Host name to
+ connect to, defaults to the pod IP.'
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ stopSignal:
+ description: |-
+ StopSignal defines which signal will be sent to a container when it is being stopped.
+ If not specified, the default is defined by the container runtime in use.
+ StopSignal can only be set for Pods with a non-empty .spec.os.name
+ type: string
+ type: object
+ livenessProbe:
+ description: |-
+ Periodic probe of container liveness.
+ Container will be restarted if the probe fails.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ properties:
+ exec:
+ description: Exec specifies a command to execute
+ in the container.
+ properties:
+ command:
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
+ format: int32
+ type: integer
+ grpc:
+ description: GRPC specifies a GRPC HealthCheckRequest.
+ properties:
+ port:
+ description: Port number of the gRPC service.
+ Number must be in the range 1 to 65535.
+ format: int32
+ type: integer
+ service:
+ default: ""
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
+ (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+
+ If this is not specified, the default behavior is defined by gRPC.
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ description: HTTPGet specifies an HTTP GET request
+ to perform.
+ properties:
+ host:
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
+ type: string
+ httpHeaders:
+ description: Custom headers to set in the
+ request. HTTP allows repeated headers.
+ items:
+ description: HTTPHeader describes a custom
+ header to be used in HTTP probes
+ properties:
+ name:
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
+ type: string
+ value:
+ description: The header field value
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: Path to access on the HTTP
+ server.
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ scheme:
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ format: int32
+ type: integer
+ periodSeconds:
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
+ format: int32
+ type: integer
+ successThreshold:
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
+ format: int32
+ type: integer
+ tcpSocket:
+ description: TCPSocket specifies a connection
+ to a TCP port.
+ properties:
+ host:
+ description: 'Optional: Host name to connect
+ to, defaults to the pod IP.'
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
+ format: int64
+ type: integer
+ timeoutSeconds:
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ format: int32
+ type: integer
+ type: object
+ name:
+ description: |-
+ Name of the container specified as a DNS_LABEL.
+ Each container in a pod must have a unique name (DNS_LABEL).
+ Cannot be updated.
+ type: string
+ ports:
+ description: |-
+ List of ports to expose from the container. Not specifying a port here
+ DOES NOT prevent that port from being exposed. Any port which is
+ listening on the default "0.0.0.0" address inside a container will be
+ accessible from the network.
+ Modifying this array with strategic merge patch may corrupt the data.
+ For more information See https://github.com/kubernetes/kubernetes/issues/108255.
+ Cannot be updated.
+ items:
+ description: ContainerPort represents a network
+ port in a single container.
+ properties:
+ containerPort:
+ description: |-
+ Number of port to expose on the pod's IP address.
+ This must be a valid port number, 0 < x < 65536.
+ format: int32
+ type: integer
+ hostIP:
+ description: What host IP to bind the external
+ port to.
+ type: string
+ hostPort:
+ description: |-
+ Number of port to expose on the host.
+ If specified, this must be a valid port number, 0 < x < 65536.
+ If HostNetwork is specified, this must match ContainerPort.
+ Most containers do not need this.
+ format: int32
+ type: integer
+ name:
+ description: |-
+ If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
+ named port in a pod must have a unique name. Name for the port that can be
+ referred to by services.
+ type: string
+ protocol:
+ default: TCP
+ description: |-
+ Protocol for port. Must be UDP, TCP, or SCTP.
+ Defaults to "TCP".
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ description: |-
+ Periodic probe of container service readiness.
+ Container will be removed from service endpoints if the probe fails.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ properties:
+ exec:
+ description: Exec specifies a command to execute
+ in the container.
+ properties:
+ command:
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
+ format: int32
+ type: integer
+ grpc:
+ description: GRPC specifies a GRPC HealthCheckRequest.
+ properties:
+ port:
+ description: Port number of the gRPC service.
+ Number must be in the range 1 to 65535.
+ format: int32
+ type: integer
+ service:
+ default: ""
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
+ (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+
+ If this is not specified, the default behavior is defined by gRPC.
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ description: HTTPGet specifies an HTTP GET request
+ to perform.
+ properties:
+ host:
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
+ type: string
+ httpHeaders:
+ description: Custom headers to set in the
+ request. HTTP allows repeated headers.
+ items:
+ description: HTTPHeader describes a custom
+ header to be used in HTTP probes
+ properties:
+ name:
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
+ type: string
+ value:
+ description: The header field value
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: Path to access on the HTTP
+ server.
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ scheme:
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ format: int32
+ type: integer
+ periodSeconds:
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
+ format: int32
+ type: integer
+ successThreshold:
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
+ format: int32
+ type: integer
+ tcpSocket:
+ description: TCPSocket specifies a connection
+ to a TCP port.
+ properties:
+ host:
+ description: 'Optional: Host name to connect
+ to, defaults to the pod IP.'
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
+ format: int64
+ type: integer
+ timeoutSeconds:
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ description: |-
+ Resources resize policy for the container.
+ This field cannot be set on ephemeral containers.
+ items:
+ description: ContainerResizePolicy represents
+ resource resize policy for the container.
+ properties:
+ resourceName:
+ description: |-
+ Name of the resource to which this resource resize policy applies.
+ Supported values: cpu, memory.
+ type: string
+ restartPolicy:
+ description: |-
+ Restart policy to apply when specified resource is resized.
+ If not specified, it defaults to NotRequired.
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ description: |-
+ Compute Resources required by this container.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This field depends on the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one
+ entry in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ restartPolicy:
+ description: |-
+ RestartPolicy defines the restart behavior of individual containers in a pod.
+ This overrides the pod-level restart policy. When this field is not specified,
+ the restart behavior is defined by the Pod's restart policy and the container type.
+ Additionally, setting the RestartPolicy as "Always" for the init container will
+ have the following effect:
+ this init container will be continually restarted on
+ exit until all regular containers have terminated. Once all regular
+ containers have completed, all init containers with restartPolicy "Always"
+ will be shut down. This lifecycle differs from normal init containers and
+ is often referred to as a "sidecar" container. Although this init
+ container still starts in the init container sequence, it does not wait
+ for the container to complete before proceeding to the next init
+ container. Instead, the next init container starts immediately after this
+ init container is started, or after any startupProbe has successfully
+ completed.
+ type: string
+ restartPolicyRules:
+ description: |-
+ Represents a list of rules to be checked to determine if the
+ container should be restarted on exit. The rules are evaluated in
+ order. Once a rule matches a container exit condition, the remaining
+ rules are ignored. If no rule matches the container exit condition,
+ the Container-level restart policy determines the whether the container
+ is restarted or not. Constraints on the rules:
+ - At most 20 rules are allowed.
+ - Rules can have the same action.
+ - Identical rules are not forbidden in validations.
+ When rules are specified, container MUST set RestartPolicy explicitly
+ even it if matches the Pod's RestartPolicy.
+ items:
+ description: ContainerRestartRule describes how
+ a container exit is handled.
+ properties:
+ action:
+ description: |-
+ Specifies the action taken on a container exit if the requirements
+ are satisfied. The only possible value is "Restart" to restart the
+ container.
+ type: string
+ exitCodes:
+ description: Represents the exit codes to
+ check on container exits.
+ properties:
+ operator:
+ description: |-
+ Represents the relationship between the container exit code(s) and the
+ specified values. Possible values are:
+ - In: the requirement is satisfied if the container exit code is in the
+ set of specified values.
+ - NotIn: the requirement is satisfied if the container exit code is
+ not in the set of specified values.
+ type: string
+ values:
+ description: |-
+ Specifies the set of values to check for container exit codes.
+ At most 255 elements are allowed.
+ items:
+ format: int32
+ type: integer
+ type: array
+ x-kubernetes-list-type: set
+ required:
+ - operator
+ type: object
+ required:
+ - action
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ securityContext:
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
+ overrides the pod's appArmorProfile.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default value is Default which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label
+ that applies to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label
+ that applies to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label
+ that applies to the container.
+ type: string
+ user:
+ description: User is a SELinux user label
+ that applies to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
+ name of the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ description: |-
+ StartupProbe indicates that the Pod has successfully initialized.
+ If specified, no other probes are executed until this completes successfully.
+ If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
+ This can be used to provide different probe parameters at the beginning of a Pod's lifecycle,
+ when it might take a long time to load data or warm a cache, than during steady-state operation.
+ This cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ properties:
+ exec:
+ description: Exec specifies a command to execute
+ in the container.
+ properties:
+ command:
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
+ format: int32
+ type: integer
+ grpc:
+ description: GRPC specifies a GRPC HealthCheckRequest.
+ properties:
+ port:
+ description: Port number of the gRPC service.
+ Number must be in the range 1 to 65535.
+ format: int32
+ type: integer
+ service:
+ default: ""
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
+ (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
+
+ If this is not specified, the default behavior is defined by gRPC.
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ description: HTTPGet specifies an HTTP GET request
+ to perform.
+ properties:
+ host:
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
+ type: string
+ httpHeaders:
+ description: Custom headers to set in the
+ request. HTTP allows repeated headers.
+ items:
+ description: HTTPHeader describes a custom
+ header to be used in HTTP probes
+ properties:
+ name:
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
+ type: string
+ value:
+ description: The header field value
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: Path to access on the HTTP
+ server.
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ scheme:
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ format: int32
+ type: integer
+ periodSeconds:
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
+ format: int32
+ type: integer
+ successThreshold:
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
+ format: int32
+ type: integer
+ tcpSocket:
+ description: TCPSocket specifies a connection
+ to a TCP port.
+ properties:
+ host:
+ description: 'Optional: Host name to connect
+ to, defaults to the pod IP.'
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
+ format: int64
+ type: integer
+ timeoutSeconds:
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ description: |-
+ Whether this container should allocate a buffer for stdin in the container runtime. If this
+ is not set, reads from stdin in the container will always result in EOF.
+ Default is false.
+ type: boolean
+ stdinOnce:
+ description: |-
+ Whether the container runtime should close the stdin channel after it has been opened by
+ a single attach. When stdin is true the stdin stream will remain open across multiple attach
+ sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+ first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+ at which time stdin is closed and remains closed until the container is restarted. If this
+ flag is false, a container processes that reads from stdin will never receive an EOF.
+ Default is false
+ type: boolean
+ terminationMessagePath:
+ description: |-
+ Optional: Path at which the file to which the container's termination message
+ will be written is mounted into the container's filesystem.
+ Message written is intended to be brief final status, such as an assertion failure message.
+ Will be truncated by the node if greater than 4096 bytes. The total message length across
+ all containers will be limited to 12kb.
+ Defaults to /dev/termination-log.
+ Cannot be updated.
+ type: string
+ terminationMessagePolicy:
+ description: |-
+ Indicate how the termination message should be populated. File will use the contents of
+ terminationMessagePath to populate the container status message on both success and failure.
+ FallbackToLogsOnError will use the last chunk of container log output if the termination
+ message file is empty and the container exited with an error.
+ The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+ Defaults to File.
+ Cannot be updated.
+ type: string
+ tty:
+ description: |-
+ Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+ Default is false.
+ type: boolean
+ volumeDevices:
+ description: volumeDevices is the list of block
+ devices to be used by the container.
+ items:
+ description: volumeDevice describes a mapping
+ of a raw block device within a container.
+ properties:
+ devicePath:
+ description: devicePath is the path inside
+ of the container that the device will be
+ mapped to.
+ type: string
+ name:
+ description: name must match the name of a
+ persistentVolumeClaim in the pod
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ description: |-
+ Pod volumes to mount into the container's filesystem.
+ Cannot be updated.
+ items:
+ description: VolumeMount describes a mounting
+ of a Volume within a container.
+ properties:
+ mountPath:
+ description: |-
+ Path within the container at which the volume should be mounted. Must
+ not contain ':'.
+ type: string
+ mountPropagation:
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
+ When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+ (which defaults to None).
+ type: string
+ name:
+ description: This must match the Name of a
+ Volume.
+ type: string
+ readOnly:
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
+ type: boolean
+ recursiveReadOnly:
+ description: |-
+ RecursiveReadOnly specifies whether read-only mounts should be handled
+ recursively.
+
+ If ReadOnly is false, this field has no meaning and must be unspecified.
+
+ If ReadOnly is true, and this field is set to Disabled, the mount is not made
+ recursively read-only. If this field is set to IfPossible, the mount is made
+ recursively read-only, if it is supported by the container runtime. If this
+ field is set to Enabled, the mount is made recursively read-only if it is
+ supported by the container runtime, otherwise the pod will not be started and
+ an error will be generated to indicate the reason.
+
+ If this field is set to IfPossible or Enabled, MountPropagation must be set to
+ None (or be unspecified, which defaults to None).
+
+ If this field is not specified, it is treated as an equivalent of Disabled.
+ type: string
+ subPath:
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
+ Defaults to "" (volume's root).
+ type: string
+ subPathExpr:
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ description: |-
+ Container's working directory.
+ If not specified, the container runtime's default will be used, which
+ might be configured in the container image.
+ Cannot be updated.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ name:
+ description: |-
+ Name of the deployment.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ patch:
+ description: Patch defines how to perform the patch operation
+ to deployment
+ properties:
+ type:
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
+ type: string
+ value:
+ description: Object contains the raw configuration
+ for merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
+ pod:
+ description: Pod defines the desired specification of
+ pod.
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
+ properties:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and subtracting
+ "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations are the annotations that should be appended to the pods.
+ By default, no pod annotations are appended.
+ type: object
+ imagePullSecrets:
+ description: |-
+ ImagePullSecrets is an optional list of references to secrets
+ in the same namespace to use for pulling any of the images used by this PodSpec.
+ If specified, these secrets will be passed to individual puller implementations for them to use.
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+ items:
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels are the additional labels that should be tagged to the pods.
+ By default, no additional pod labels are tagged.
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ type: object
+ priorityClassName:
+ description: |-
+ PriorityClassName indicates the importance of a Pod relative to other Pods.
+ If a PriorityClassName is not specified, the pod priority will be default or zero if there is no default.
+ More info: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
+ type: string
+ securityContext:
+ description: |-
+ SecurityContext holds pod-level security attributes and common container settings.
+ Optional: Defaults to empty. See type description for default values of each field.
+ properties:
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ description: |-
+ A special supplemental group that applies to all containers in a pod.
+ Some volume types allow the Kubelet to change the ownership of that volume
+ to be owned by the pod:
+
+ 1. The owning GID will be the FSGroup
+ 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+ 3. The permission bits are OR'd with rw-rw----
+
+ If unset, the Kubelet will not modify the ownership and permissions of any volume.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ description: |-
+ fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+ before being exposed inside Pod. This field will only apply to
+ volume types which support fsGroup based ownership(and permissions).
+ It will have no effect on ephemeral volume types such as: secret, configmaps
+ and emptydir.
+ Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxChangePolicy:
+ description: |-
+ seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
+ It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
+ Valid values are "MountOption" and "Recursive".
+
+ "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
+ This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.
+
+ "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
+ This requires all Pods that share the same volume to use the same SELinux label.
+ It is not possible to share the same volume among privileged and unprivileged Pods.
+ Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
+ whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
+ CSIDriver instance. Other volumes are always re-labelled recursively.
+ "MountOption" value is allowed only when SELinuxMount feature gate is enabled.
+
+ If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
+ If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
+ and "Recursive" for all other volumes.
+
+ This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.
+
+ All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to all containers.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in SecurityContext. If set in
+ both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+ takes precedence for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label
+ that applies to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label
+ that applies to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label
+ that applies to the container.
+ type: string
+ user:
+ description: User is a SELinux user label
+ that applies to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ description: |-
+ A list of groups applied to the first process run in each container, in
+ addition to the container's primary GID and fsGroup (if specified). If
+ the SupplementalGroupsPolicy feature is enabled, the
+ supplementalGroupsPolicy field determines whether these are in addition
+ to or instead of any group memberships defined in the container image.
+ If unspecified, no additional groups are added, though group memberships
+ defined in the container image may still be used, depending on the
+ supplementalGroupsPolicy field.
+ Note that this field cannot be set when spec.os.name is windows.
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ description: |-
+ Defines how supplemental groups of the first container processes are calculated.
+ Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+ (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+ and the container runtime must implement support for this feature.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ sysctls:
+ description: |-
+ Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+ sysctls (by the container runtime) might fail to launch.
+ Note that this field cannot be set when spec.os.name is windows.
+ items:
+ description: Sysctl defines a kernel parameter
+ to be set
+ properties:
+ name:
+ description: Name of a property to set
+ type: string
+ value:
+ description: Value of a property to set
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options within a container's SecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
+ name of the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
+ tolerations:
+ description: If specified, the pod's tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ volumes:
+ description: |-
+ Volumes that can be mounted by containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes
+ items:
+ description: Volume represents a named volume in
+ a pod that may be accessed by any container in
+ the pod.
+ properties:
+ awsElasticBlockStore:
+ description: |-
+ awsElasticBlockStore represents an AWS Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree
+ awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly value true will force the readOnly setting in VolumeMounts.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: boolean
+ volumeID:
+ description: |-
+ volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ description: |-
+ azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.
+ Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type
+ are redirected to the disk.csi.azure.com CSI driver.
+ properties:
+ cachingMode:
+ description: 'cachingMode is the Host Caching
+ mode: None, Read Only, Read Write.'
+ type: string
+ diskName:
+ description: diskName is the Name of the
+ data disk in the blob storage
+ type: string
+ diskURI:
+ description: diskURI is the URI of data
+ disk in the blob storage
+ type: string
+ fsType:
+ default: ext4
+ description: |-
+ fsType is Filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ kind:
+ description: 'kind expected values are Shared:
+ multiple blob disks per storage account Dedicated:
+ single blob disk per storage account Managed:
+ azure managed data disk (only in managed
+ availability set). defaults to shared'
+ type: string
+ readOnly:
+ default: false
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ description: |-
+ azureFile represents an Azure File Service mount on the host and bind mount to the pod.
+ Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type
+ are redirected to the file.csi.azure.com CSI driver.
+ properties:
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretName:
+ description: secretName is the name of
+ secret that contains Azure Storage Account
+ Name and Key
+ type: string
+ shareName:
+ description: shareName is the azure share
+ Name
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ description: |-
+ cephFS represents a Ceph FS mount on the host that shares a pod's lifetime.
+ Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported.
+ properties:
+ monitors:
+ description: |-
+ monitors is Required: Monitors is a collection of Ceph monitors
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: 'path is Optional: Used as
+ the mounted root, rather than the full
+ Ceph tree, default is /'
+ type: string
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: boolean
+ secretFile:
+ description: |-
+ secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ secretRef:
+ description: |-
+ secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ description: |-
+ user is optional: User is the rados user name, default is admin
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ description: |-
+ cinder represents a cinder volume attached and mounted on kubelets host machine.
+ Deprecated: Cinder is deprecated. All operations for the in-tree cinder type
+ are redirected to the cinder.csi.openstack.org CSI driver.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is optional: points to a secret object containing parameters used to connect
+ to OpenStack.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ description: |-
+ volumeID used to identify the volume in cinder.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ description: configMap represents a configMap
+ that should populate this volume
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional specify whether the
+ ConfigMap or its keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ description: csi (Container Storage Interface)
+ represents ephemeral storage that is handled
+ by certain external CSI drivers.
+ properties:
+ driver:
+ description: |-
+ driver is the name of the CSI driver that handles this volume.
+ Consult with your admin for the correct name as registered in the cluster.
+ type: string
+ fsType:
+ description: |-
+ fsType to mount. Ex. "ext4", "xfs", "ntfs".
+ If not provided, the empty value is passed to the associated CSI driver
+ which will determine the default filesystem to apply.
+ type: string
+ nodePublishSecretRef:
+ description: |-
+ nodePublishSecretRef is a reference to the secret object containing
+ sensitive information to pass to the CSI driver to complete the CSI
+ NodePublishVolume and NodeUnpublishVolume calls.
+ This field is optional, and may be empty if no secret is required. If the
+ secret object contains more than one secret, all secret references are passed.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ description: |-
+ readOnly specifies a read-only configuration for the volume.
+ Defaults to false (read/write).
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ description: |-
+ volumeAttributes stores driver-specific properties that are passed to the CSI
+ driver. Consult your driver's documentation for supported values.
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ description: downwardAPI represents downward
+ API about the pod that should populate this
+ volume
+ properties:
+ defaultMode:
+ description: |-
+ Optional: mode bits to use on created files by default. Must be a
+ Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: Items is a list of downward
+ API volume file
+ items:
+ description: DownwardAPIVolumeFile represents
+ information to create the file containing
+ the pod field
+ properties:
+ fieldRef:
+ description: 'Required: Selects a
+ field of the pod: only annotations,
+ labels, name, namespace and uid
+ are supported.'
+ properties:
+ apiVersion:
+ description: Version of the schema
+ the FieldPath is written in
+ terms of, defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field
+ to select in the specified API
+ version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required: Path is the
+ relative path name of the file to
+ be created. Must not be absolute
+ or contain the ''..'' path. Must
+ be utf-8 encoded. The first item
+ of the relative path must not start
+ with ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name:
+ required for volumes, optional
+ for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output
+ format of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource
+ to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ description: |-
+ emptyDir represents a temporary directory that shares a pod's lifetime.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ properties:
+ medium:
+ description: |-
+ medium represents what type of storage medium should back this directory.
+ The default is "" which means to use the node's default medium.
+ Must be an empty string (default) or Memory.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ sizeLimit is the total amount of local storage required for this EmptyDir volume.
+ The size limit is also applicable for memory medium.
+ The maximum usage on memory medium EmptyDir would be the minimum value between
+ the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+ The default is nil which means that the limit is undefined.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ description: |-
+ ephemeral represents a volume that is handled by a cluster storage driver.
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+ and deleted when the pod is removed.
+
+ Use this if:
+ a) the volume is only needed while the pod runs,
+ b) features of normal volumes like restoring from snapshot or capacity
+ tracking are needed,
+ c) the storage driver is specified through a storage class, and
+ d) the storage driver supports dynamic volume provisioning through
+ a PersistentVolumeClaim (see EphemeralVolumeSource for more
+ information on the connection between this volume type
+ and PersistentVolumeClaim).
+
+ Use PersistentVolumeClaim or one of the vendor-specific
+ APIs for volumes that persist for longer than the lifecycle
+ of an individual pod.
+
+ Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+ be used that way - see the documentation of the driver for
+ more information.
+
+ A pod can use both types of ephemeral volumes and
+ persistent volumes at the same time.
+ properties:
+ volumeClaimTemplate:
+ description: |-
+ Will be used to create a stand-alone PVC to provision the volume.
+ The pod in which this EphemeralVolumeSource is embedded will be the
+ owner of the PVC, i.e. the PVC will be deleted together with the
+ pod. The name of the PVC will be `-` where
+ `` is the name from the `PodSpec.Volumes` array
+ entry. Pod validation will reject the pod if the concatenated name
+ is not valid for a PVC (for example, too long).
+
+ An existing PVC with that name that is not owned by the pod
+ will *not* be used for the pod to avoid using an unrelated
+ volume by mistake. Starting the pod is then blocked until
+ the unrelated PVC is removed. If such a pre-created PVC is
+ meant to be used by the pod, the PVC has to updated with an
+ owner reference to the pod once the pod exists. Normally
+ this should not be necessary, but it may be useful when
+ manually reconstructing a broken cluster.
+
+ This field is read-only and no changes will be made by Kubernetes
+ to the PVC after it has been created.
+
+ Required, must not be nil.
+ properties:
+ metadata:
+ description: |-
+ May contain labels and annotations that will be copied into the PVC
+ when creating it. No other fields are allowed and will be rejected during
+ validation.
+ type: object
+ spec:
+ description: |-
+ The specification for the PersistentVolumeClaim. The entire content is
+ copied unchanged into the PVC that gets created from this
+ template. The same fields as in a PersistentVolumeClaim
+ are also valid here.
+ properties:
+ accessModes:
+ description: |-
+ accessModes contains the desired access modes the volume should have.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ description: |-
+ dataSource field can be used to specify either:
+ * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+ * An existing PVC (PersistentVolumeClaim)
+ If the provisioner or an external controller can support the specified data source,
+ it will create a new volume based on the contents of the specified data source.
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+ and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+ If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type
+ of resource being referenced
+ type: string
+ name:
+ description: Name is the name
+ of resource being referenced
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ description: |-
+ dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+ volume is desired. This may be any object from a non-empty API group (non
+ core object) or a PersistentVolumeClaim object.
+ When this field is specified, volume binding will only succeed if the type of
+ the specified object matches some installed volume populator or dynamic
+ provisioner.
+ This field will replace the functionality of the dataSource field and as such
+ if both fields are non-empty, they must have the same value. For backwards
+ compatibility, when namespace isn't specified in dataSourceRef,
+ both fields (dataSource and dataSourceRef) will be set to the same
+ value automatically if one of them is empty and the other is non-empty.
+ When namespace is specified in dataSourceRef,
+ dataSource isn't set to the same value and must be empty.
+ There are three important differences between dataSource and dataSourceRef:
+ * While dataSource only allows two specific types of objects, dataSourceRef
+ allows any non-core object, as well as PersistentVolumeClaim objects.
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef
+ preserves all values, and generates an error if a disallowed value is
+ specified.
+ * While dataSource only allows local objects, dataSourceRef allows objects
+ in any namespaces.
+ (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type
+ of resource being referenced
+ type: string
+ name:
+ description: Name is the name
+ of resource being referenced
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of resource being referenced
+ Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+ (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ description: |-
+ resources represents the minimum resources the volume should have.
+ Users are allowed to specify resource requirements
+ that are lower than previous value but must still be higher than capacity recorded in the
+ status field of the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ selector:
+ description: selector is a label
+ query over volumes to consider
+ for binding.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ description: |-
+ storageClassName is the name of the StorageClass required by the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+ type: string
+ volumeAttributesClassName:
+ description: |-
+ volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+ If specified, the CSI driver will create or update the volume with the attributes defined
+ in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+ it can be changed after the claim is created. An empty string or nil value indicates that no
+ VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state,
+ this field can be reset to its previous value (including nil) to cancel the modification.
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+ set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+ exists.
+ More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+ type: string
+ volumeMode:
+ description: |-
+ volumeMode defines what type of volume is required by the claim.
+ Value of Filesystem is implied when not included in claim spec.
+ type: string
+ volumeName:
+ description: volumeName is the binding
+ reference to the PersistentVolume
+ backing this claim.
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ description: fc represents a Fibre Channel resource
+ that is attached to a kubelet's host machine
+ and then exposed to the pod.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ lun:
+ description: 'lun is Optional: FC target
+ lun number'
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ targetWWNs:
+ description: 'targetWWNs is Optional: FC
+ target worldwide names (WWNs)'
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ description: |-
+ wwids Optional: FC volume world wide identifiers (wwids)
+ Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ description: |-
+ flexVolume represents a generic volume resource that is
+ provisioned/attached using an exec based plugin.
+ Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead.
+ properties:
+ driver:
+ description: driver is the name of the driver
+ to use for this volume.
+ type: string
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ description: 'options is Optional: this
+ field holds extra command options if any.'
+ type: object
+ readOnly:
+ description: |-
+ readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is Optional: secretRef is reference to the secret object containing
+ sensitive information to pass to the plugin scripts. This may be
+ empty if no secret object is specified. If the secret object
+ contains more than one secret, all secrets are passed to the plugin
+ scripts.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ description: |-
+ flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running.
+ Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported.
+ properties:
+ datasetName:
+ description: |-
+ datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+ should be considered as deprecated
+ type: string
+ datasetUUID:
+ description: datasetUUID is the UUID of
+ the dataset. This is unique identifier
+ of a Flocker dataset
+ type: string
+ type: object
+ gcePersistentDisk:
+ description: |-
+ gcePersistentDisk represents a GCE Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree
+ gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ format: int32
+ type: integer
+ pdName:
+ description: |-
+ pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ description: |-
+ gitRepo represents a git repository at a particular revision.
+ Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an
+ EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+ into the Pod's container.
+ properties:
+ directory:
+ description: |-
+ directory is the target directory name.
+ Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
+ git repository. Otherwise, if specified, the volume will contain the git repository in
+ the subdirectory with the given name.
+ type: string
+ repository:
+ description: repository is the URL
+ type: string
+ revision:
+ description: revision is the commit hash
+ for the specified revision.
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ description: |-
+ glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+ Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported.
+ properties:
+ endpoints:
+ description: endpoints is the endpoint name
+ that details Glusterfs topology.
+ type: string
+ path:
+ description: |-
+ path is the Glusterfs volume path.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ description: |-
+ hostPath represents a pre-existing file or directory on the host
+ machine that is directly exposed to the container. This is generally
+ used for system agents or other privileged things that are allowed
+ to see the host machine. Most containers will NOT need this.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ properties:
+ path:
+ description: |-
+ path of the directory on the host.
+ If the path is a symlink, it will follow the link to the real path.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ type:
+ description: |-
+ type for HostPath Volume
+ Defaults to ""
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ required:
+ - path
+ type: object
+ image:
+ description: |-
+ image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+ The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+ - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+ The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+ A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+ The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+ The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+ The volume will be mounted read-only (ro) and non-executable files (noexec).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33.
+ The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+ properties:
+ pullPolicy:
+ description: |-
+ Policy for pulling OCI objects. Possible values are:
+ Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+ Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+ type: string
+ reference:
+ description: |-
+ Required: Image or artifact reference to be used.
+ Behaves in the same way as pod.spec.containers[*].image.
+ Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+ More info: https://kubernetes.io/docs/concepts/containers/images
+ This field is optional to allow higher level config management to default or override
+ container images in workload controllers like Deployments and StatefulSets.
+ type: string
+ type: object
+ iscsi:
+ description: |-
+ iscsi represents an ISCSI Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi
+ properties:
+ chapAuthDiscovery:
+ description: chapAuthDiscovery defines whether
+ support iSCSI Discovery CHAP authentication
+ type: boolean
+ chapAuthSession:
+ description: chapAuthSession defines whether
+ support iSCSI Session CHAP authentication
+ type: boolean
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+ type: string
+ initiatorName:
+ description: |-
+ initiatorName is the custom iSCSI Initiator Name.
+ If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+ : will be created for the connection.
+ type: string
+ iqn:
+ description: iqn is the target iSCSI Qualified
+ Name.
+ type: string
+ iscsiInterface:
+ default: default
+ description: |-
+ iscsiInterface is the interface Name that uses an iSCSI transport.
+ Defaults to 'default' (tcp).
+ type: string
+ lun:
+ description: lun represents iSCSI Target
+ Lun number.
+ format: int32
+ type: integer
+ portals:
+ description: |-
+ portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ type: boolean
+ secretRef:
+ description: secretRef is the CHAP Secret
+ for iSCSI target and initiator authentication
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ description: |-
+ targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ description: |-
+ name of the volume.
+ Must be a DNS_LABEL and unique within the pod.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ nfs:
+ description: |-
+ nfs represents an NFS mount on the host that shares a pod's lifetime
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ properties:
+ path:
+ description: |-
+ path that is exported by the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the NFS export to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: boolean
+ server:
+ description: |-
+ server is the hostname or IP address of the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ description: |-
+ persistentVolumeClaimVolumeSource represents a reference to a
+ PersistentVolumeClaim in the same namespace.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ properties:
+ claimName:
+ description: |-
+ claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ type: string
+ readOnly:
+ description: |-
+ readOnly Will force the ReadOnly setting in VolumeMounts.
+ Default false.
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ description: |-
+ photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine.
+ Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ pdID:
+ description: pdID is the ID that identifies
+ Photon Controller persistent disk
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ description: |-
+ portworxVolume represents a portworx volume attached and mounted on kubelets host machine.
+ Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type
+ are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate
+ is on.
+ properties:
+ fsType:
+ description: |-
+ fSType represents the filesystem type to mount
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ volumeID:
+ description: volumeID uniquely identifies
+ a Portworx volume
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ description: projected items for all in one
+ resources secrets, configmaps, and downward
+ API
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode are the mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ sources:
+ description: |-
+ sources is the list of volume projections. Each entry in this list
+ handles one source.
+ items:
+ description: |-
+ Projection that may be projected along with other supported volume types.
+ Exactly one of these fields must be set.
+ properties:
+ clusterTrustBundle:
+ description: |-
+ ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+ of ClusterTrustBundle objects in an auto-updating file.
+
+ Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+ ClusterTrustBundle objects can either be selected by name, or by the
+ combination of signer name and a label selector.
+
+ Kubelet performs aggressive normalization of the PEM contents written
+ into the pod filesystem. Esoteric PEM features such as inter-block
+ comments and block headers are stripped. Certificates are deduplicated.
+ The ordering of certificates within the file is arbitrary, and Kubelet
+ may change the order over time.
+ properties:
+ labelSelector:
+ description: |-
+ Select all ClusterTrustBundles that match this label selector. Only has
+ effect if signerName is set. Mutually-exclusive with name. If unset,
+ interpreted as "match nothing". If set but empty, interpreted as "match
+ everything".
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ description: |-
+ Select a single ClusterTrustBundle by object name. Mutually-exclusive
+ with signerName and labelSelector.
+ type: string
+ optional:
+ description: |-
+ If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+ aren't available. If using name, then the named ClusterTrustBundle is
+ allowed not to exist. If using signerName, then the combination of
+ signerName and labelSelector is allowed to match zero
+ ClusterTrustBundles.
+ type: boolean
+ path:
+ description: Relative path from
+ the volume root to write the
+ bundle.
+ type: string
+ signerName:
+ description: |-
+ Select all ClusterTrustBundles that match this signer name.
+ Mutually-exclusive with name. The contents of all selected
+ ClusterTrustBundles will be unified and deduplicated.
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ description: configMap information
+ about the configMap data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key
+ to a path within a volume.
+ properties:
+ key:
+ description: key is the
+ key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional specify
+ whether the ConfigMap or its
+ keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ description: downwardAPI information
+ about the downwardAPI data to project
+ properties:
+ items:
+ description: Items is a list of
+ DownwardAPIVolume file
+ items:
+ description: DownwardAPIVolumeFile
+ represents information to
+ create the file containing
+ the pod field
+ properties:
+ fieldRef:
+ description: 'Required:
+ Selects a field of the
+ pod: only annotations,
+ labels, name, namespace
+ and uid are supported.'
+ properties:
+ apiVersion:
+ description: Version
+ of the schema the
+ FieldPath is written
+ in terms of, defaults
+ to "v1".
+ type: string
+ fieldPath:
+ description: Path of
+ the field to select
+ in the specified API
+ version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required:
+ Path is the relative
+ path name of the file
+ to be created. Must not
+ be absolute or contain
+ the ''..'' path. Must
+ be utf-8 encoded. The
+ first item of the relative
+ path must not start with
+ ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container
+ name: required for
+ volumes, optional
+ for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies
+ the output format
+ of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required:
+ resource to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podCertificate:
+ description: |-
+ Projects an auto-rotating credential bundle (private key and certificate
+ chain) that the pod can use either as a TLS client or server.
+
+ Kubelet generates a private key and uses it to send a
+ PodCertificateRequest to the named signer. Once the signer approves the
+ request and issues a certificate chain, Kubelet writes the key and
+ certificate chain to the pod filesystem. The pod does not start until
+ certificates have been issued for each podCertificate projected volume
+ source in its spec.
+
+ Kubelet will begin trying to rotate the certificate at the time indicated
+ by the signer using the PodCertificateRequest.Status.BeginRefreshAt
+ timestamp.
+
+ Kubelet can write a single file, indicated by the credentialBundlePath
+ field, or separate files, indicated by the keyPath and
+ certificateChainPath fields.
+
+ The credential bundle is a single file in PEM format. The first PEM
+ entry is the private key (in PKCS#8 format), and the remaining PEM
+ entries are the certificate chain issued by the signer (typically,
+ signers will return their certificate chain in leaf-to-root order).
+
+ Prefer using the credential bundle format, since your application code
+ can read it atomically. If you use keyPath and certificateChainPath,
+ your application must make two separate file reads. If these coincide
+ with a certificate rotation, it is possible that the private key and leaf
+ certificate you read may not correspond to each other. Your application
+ will need to check for this condition, and re-read until they are
+ consistent.
+
+ The named signer controls chooses the format of the certificate it
+ issues; consult the signer implementation's documentation to learn how to
+ use the certificates it issues.
+ properties:
+ certificateChainPath:
+ description: |-
+ Write the certificate chain at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ credentialBundlePath:
+ description: |-
+ Write the credential bundle at this path in the projected volume.
+
+ The credential bundle is a single file that contains multiple PEM blocks.
+ The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private
+ key.
+
+ The remaining blocks are CERTIFICATE blocks, containing the issued
+ certificate chain from the signer (leaf and any intermediates).
+
+ Using credentialBundlePath lets your Pod's application code make a single
+ atomic read that retrieves a consistent key and certificate chain. If you
+ project them to separate files, your application code will need to
+ additionally check that the leaf certificate was issued to the key.
+ type: string
+ keyPath:
+ description: |-
+ Write the key at this path in the projected volume.
+
+ Most applications should use credentialBundlePath. When using keyPath
+ and certificateChainPath, your application needs to check that the key
+ and leaf certificate are consistent, because it is possible to read the
+ files mid-rotation.
+ type: string
+ keyType:
+ description: |-
+ The type of keypair Kubelet will generate for the pod.
+
+ Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384",
+ "ECDSAP521", and "ED25519".
+ type: string
+ maxExpirationSeconds:
+ description: |-
+ maxExpirationSeconds is the maximum lifetime permitted for the
+ certificate.
+
+ Kubelet copies this value verbatim into the PodCertificateRequests it
+ generates for this projection.
+
+ If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
+ will reject values shorter than 3600 (1 hour). The maximum allowable
+ value is 7862400 (91 days).
+
+ The signer implementation is then free to issue a certificate with any
+ lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
+ seconds (1 hour). This constraint is enforced by kube-apiserver.
+ `kubernetes.io` signers will never issue certificates with a lifetime
+ longer than 24 hours.
+ format: int32
+ type: integer
+ signerName:
+ description: Kubelet's generated
+ CSRs will be addressed to this
+ signer.
+ type: string
+ userAnnotations:
+ additionalProperties:
+ type: string
+ description: |-
+ userAnnotations allow pod authors to pass additional information to
+ the signer implementation. Kubernetes does not restrict or validate this
+ metadata in any way.
+
+ These values are copied verbatim into the `spec.unverifiedUserAnnotations` field of
+ the PodCertificateRequest objects that Kubelet creates.
+
+ Entries are subject to the same validation as object metadata annotations,
+ with the addition that all keys must be domain-prefixed. No restrictions
+ are placed on values, except an overall size limitation on the entire field.
+
+ Signers should document the keys and values they support. Signers should
+ deny requests that contain keys they do not recognize.
+ type: object
+ required:
+ - keyType
+ - signerName
+ type: object
+ secret:
+ description: secret information about
+ the secret data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key
+ to a path within a volume.
+ properties:
+ key:
+ description: key is the
+ key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional field specify
+ whether the Secret or its key
+ must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ description: serviceAccountToken is
+ information about the serviceAccountToken
+ data to project
+ properties:
+ audience:
+ description: |-
+ audience is the intended audience of the token. A recipient of a token
+ must identify itself with an identifier specified in the audience of the
+ token, and otherwise should reject the token. The audience defaults to the
+ identifier of the apiserver.
+ type: string
+ expirationSeconds:
+ description: |-
+ expirationSeconds is the requested duration of validity of the service
+ account token. As the token approaches expiration, the kubelet volume
+ plugin will proactively rotate the service account token. The kubelet will
+ start trying to rotate the token if the token is older than 80 percent of
+ its time to live or if the token is older than 24 hours.Defaults to 1 hour
+ and must be at least 10 minutes.
+ format: int64
+ type: integer
+ path:
+ description: |-
+ path is the path relative to the mount point of the file to project the
+ token into.
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ description: |-
+ quobyte represents a Quobyte mount on the host that shares a pod's lifetime.
+ Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported.
+ properties:
+ group:
+ description: |-
+ group to map volume access to
+ Default is no group
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+ Defaults to false.
+ type: boolean
+ registry:
+ description: |-
+ registry represents a single or multiple Quobyte Registry services
+ specified as a string as host:port pair (multiple entries are separated with commas)
+ which acts as the central registry for volumes
+ type: string
+ tenant:
+ description: |-
+ tenant owning the given Quobyte volume in the Backend
+ Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+ type: string
+ user:
+ description: |-
+ user to map volume access to
+ Defaults to serivceaccount user
+ type: string
+ volume:
+ description: volume is a string that references
+ an already created Quobyte volume by name.
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ description: |-
+ rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+ Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+ type: string
+ image:
+ description: |-
+ image is the rados image name.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ keyring:
+ default: /etc/ceph/keyring
+ description: |-
+ keyring is the path to key ring for RBDUser.
+ Default is /etc/ceph/keyring.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ monitors:
+ description: |-
+ monitors is a collection of Ceph monitors.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ default: rbd
+ description: |-
+ pool is the rados pool name.
+ Default is rbd.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is name of the authentication secret for RBDUser. If provided
+ overrides keyring.
+ Default is nil.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ default: admin
+ description: |-
+ user is the rados user name.
+ Default is admin.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ description: |-
+ scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes.
+ Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported.
+ properties:
+ fsType:
+ default: xfs
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs".
+ Default is "xfs".
+ type: string
+ gateway:
+ description: gateway is the host address
+ of the ScaleIO API Gateway.
+ type: string
+ protectionDomain:
+ description: protectionDomain is the name
+ of the ScaleIO Protection Domain for the
+ configured storage.
+ type: string
+ readOnly:
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef references to the secret for ScaleIO user and other
+ sensitive information. If this is not provided, Login operation will fail.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ description: sslEnabled Flag enable/disable
+ SSL communication with Gateway, default
+ false
+ type: boolean
+ storageMode:
+ default: ThinProvisioned
+ description: |-
+ storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+ Default is ThinProvisioned.
+ type: string
+ storagePool:
+ description: storagePool is the ScaleIO
+ Storage Pool associated with the protection
+ domain.
+ type: string
+ system:
+ description: system is the name of the storage
+ system as configured in ScaleIO.
+ type: string
+ volumeName:
+ description: |-
+ volumeName is the name of a volume already created in the ScaleIO system
+ that is associated with this volume source.
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ description: |-
+ secret represents a secret that should populate this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values
+ for mode bits. Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items If unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ description: optional field specify whether
+ the Secret or its keys must be defined
+ type: boolean
+ secretName:
+ description: |-
+ secretName is the name of the secret in the pod's namespace to use.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ type: string
+ type: object
+ storageos:
+ description: |-
+ storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes.
+ Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef specifies the secret to use for obtaining the StorageOS API
+ credentials. If not specified, default values will be attempted.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ description: |-
+ volumeName is the human-readable name of the StorageOS volume. Volume
+ names are only unique within a namespace.
+ type: string
+ volumeNamespace:
+ description: |-
+ volumeNamespace specifies the scope of the volume within StorageOS. If no
+ namespace is specified then the Pod's namespace will be used. This allows the
+ Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+ Set VolumeName to any name to override the default behaviour.
+ Set to "default" if you are not using namespaces within StorageOS.
+ Namespaces that do not pre-exist within StorageOS will be created.
+ type: string
+ type: object
+ vsphereVolume:
+ description: |-
+ vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine.
+ Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type
+ are redirected to the csi.vsphere.vmware.com CSI driver.
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ storagePolicyID:
+ description: storagePolicyID is the storage
+ Policy Based Management (SPBM) profile
+ ID associated with the StoragePolicyName.
+ type: string
+ storagePolicyName:
+ description: storagePolicyName is the storage
+ Policy Based Management (SPBM) profile
+ name.
+ type: string
+ volumePath:
+ description: volumePath is the path that
+ identifies vSphere volume vmdk
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ replicas:
+ description: Replicas is the number of desired pods. Defaults
+ to 1.
+ format: int32
+ type: integer
+ strategy:
+ description: The deployment strategy to use to replace
+ existing pods with new ones.
+ properties:
+ rollingUpdate:
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of deployment. Can be "Recreate"
+ or "RollingUpdate". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ envoyHpa:
+ description: EnvoyHpa defines the Horizontal Pod Autoscaler
+ settings for Envoy Proxy Deployment.
+ properties:
+ behavior:
+ description: |-
+ behavior configures the scaling behavior of the target
+ in both Up and Down directions (scaleUp and scaleDown fields respectively).
+ If not set, the default HPAScalingRules for scale up and scale down are used.
+ See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior.
+ properties:
+ scaleDown:
+ description: |-
+ scaleDown is scaling policy for scaling Down.
+ If not set, the default value is to allow to scale down to minReplicas pods, with a
+ 300 second stabilization window (i.e., the highest recommendation for
+ the last 300sec is used).
+ properties:
+ policies:
+ description: |-
+ policies is a list of potential scaling polices which can be used during scaling.
+ If not set, use the default values:
+ - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+ - For scale down: allow all pods to be removed in a 15s window.
+ items:
+ description: HPAScalingPolicy is a single policy
+ which must hold true for a specified past
+ interval.
+ properties:
+ periodSeconds:
+ description: |-
+ periodSeconds specifies the window of time for which the policy should hold true.
+ PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+ format: int32
+ type: integer
+ type:
+ description: type is used to specify the
+ scaling policy.
+ type: string
+ value:
+ description: |-
+ value contains the amount of change which is permitted by the policy.
+ It must be greater than zero
+ format: int32
+ type: integer
+ required:
+ - periodSeconds
+ - type
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ selectPolicy:
+ description: |-
+ selectPolicy is used to specify which policy should be used.
+ If not set, the default value Max is used.
+ type: string
+ stabilizationWindowSeconds:
+ description: |-
+ stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+ considered while scaling up or scaling down.
+ StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+ If not set, use the default values:
+ - For scale up: 0 (i.e. no stabilization is done).
+ - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+ format: int32
+ type: integer
+ tolerance:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ tolerance is the tolerance on the ratio between the current and desired
+ metric value under which no updates are made to the desired number of
+ replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+ set, the default cluster-wide tolerance is applied (by default 10%).
+
+ For example, if autoscaling is configured with a memory consumption target of 100Mi,
+ and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+ triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+ This is an beta field and requires the HPAConfigurableTolerance feature
+ gate to be enabled.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ scaleUp:
+ description: |-
+ scaleUp is scaling policy for scaling Up.
+ If not set, the default value is the higher of:
+ * increase no more than 4 pods per 60 seconds
+ * double the number of pods per 60 seconds
+ No stabilization is used.
+ properties:
+ policies:
+ description: |-
+ policies is a list of potential scaling polices which can be used during scaling.
+ If not set, use the default values:
+ - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window.
+ - For scale down: allow all pods to be removed in a 15s window.
+ items:
+ description: HPAScalingPolicy is a single policy
+ which must hold true for a specified past
+ interval.
+ properties:
+ periodSeconds:
+ description: |-
+ periodSeconds specifies the window of time for which the policy should hold true.
+ PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
+ format: int32
+ type: integer
+ type:
+ description: type is used to specify the
+ scaling policy.
+ type: string
+ value:
+ description: |-
+ value contains the amount of change which is permitted by the policy.
+ It must be greater than zero
+ format: int32
+ type: integer
+ required:
+ - periodSeconds
+ - type
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ selectPolicy:
+ description: |-
+ selectPolicy is used to specify which policy should be used.
+ If not set, the default value Max is used.
+ type: string
+ stabilizationWindowSeconds:
+ description: |-
+ stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+ considered while scaling up or scaling down.
+ StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+ If not set, use the default values:
+ - For scale up: 0 (i.e. no stabilization is done).
+ - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
+ format: int32
+ type: integer
+ tolerance:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ tolerance is the tolerance on the ratio between the current and desired
+ metric value under which no updates are made to the desired number of
+ replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not
+ set, the default cluster-wide tolerance is applied (by default 10%).
+
+ For example, if autoscaling is configured with a memory consumption target of 100Mi,
+ and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be
+ triggered when the actual consumption falls below 95Mi or exceeds 101Mi.
+
+ This is an beta field and requires the HPAConfigurableTolerance feature
+ gate to be enabled.
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ maxReplicas:
+ description: |-
+ maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+ It cannot be less that minReplicas.
+ format: int32
+ type: integer
+ x-kubernetes-validations:
+ - message: maxReplicas must be greater than 0
+ rule: self > 0
+ metrics:
+ description: |-
+ metrics contains the specifications for which to use to calculate the
+ desired replica count (the maximum replica count across all metrics will
+ be used).
+ If left empty, it defaults to being based on CPU utilization with average on 80% usage.
+ items:
+ description: |-
+ MetricSpec specifies how to scale based on a single metric
+ (only `type` and one other matching field should be set at once).
+ properties:
+ containerResource:
+ description: |-
+ containerResource refers to a resource metric (such as those specified in
+ requests and limits) known to Kubernetes describing a single container in
+ each pod of the current scale target (e.g. CPU or memory). Such metrics are
+ built in to Kubernetes, and have special scaling options on top of those
+ available to normal per-pod metrics using the "pods" source.
+ properties:
+ container:
+ description: container is the name of the container
+ in the pods of the scaling target
+ type: string
+ name:
+ description: name is the name of the resource
+ in question.
+ type: string
+ target:
+ description: target specifies the target value
+ for the given metric
+ properties:
+ averageUtilization:
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ description: type represents whether the
+ metric type is Utilization, Value, or
+ AverageValue
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ description: value is the target value of
+ the metric (as a quantity).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - container
+ - name
+ - target
+ type: object
+ external:
+ description: |-
+ external refers to a global metric that is not associated
+ with any Kubernetes object. It allows autoscaling based on information
+ coming from components running outside of cluster
+ (for example length of queue in cloud messaging service, or
+ QPS from loadbalancer running outside of cluster).
+ properties:
+ metric:
+ description: metric identifies the target metric
+ by name and selector
+ properties:
+ name:
+ description: name is the name of the given
+ metric
+ type: string
+ selector:
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ description: target specifies the target value
+ for the given metric
+ properties:
+ averageUtilization:
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ description: type represents whether the
+ metric type is Utilization, Value, or
+ AverageValue
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ description: value is the target value of
+ the metric (as a quantity).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ object:
+ description: |-
+ object refers to a metric describing a single kubernetes object
+ (for example, hits-per-second on an Ingress object).
+ properties:
+ describedObject:
+ description: describedObject specifies the descriptions
+ of a object,such as kind,name apiVersion
+ properties:
+ apiVersion:
+ description: apiVersion is the API version
+ of the referent
+ type: string
+ kind:
+ description: 'kind is the kind of the referent;
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ name:
+ description: 'name is the name of the referent;
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ metric:
+ description: metric identifies the target metric
+ by name and selector
+ properties:
+ name:
+ description: name is the name of the given
+ metric
+ type: string
+ selector:
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ description: target specifies the target value
+ for the given metric
+ properties:
+ averageUtilization:
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ description: type represents whether the
+ metric type is Utilization, Value, or
+ AverageValue
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ description: value is the target value of
+ the metric (as a quantity).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - describedObject
+ - metric
+ - target
+ type: object
+ pods:
+ description: |-
+ pods refers to a metric describing each pod in the current scale target
+ (for example, transactions-processed-per-second). The values will be
+ averaged together before being compared to the target value.
+ properties:
+ metric:
+ description: metric identifies the target metric
+ by name and selector
+ properties:
+ name:
+ description: name is the name of the given
+ metric
+ type: string
+ selector:
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - name
+ type: object
+ target:
+ description: target specifies the target value
+ for the given metric
+ properties:
+ averageUtilization:
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ description: type represents whether the
+ metric type is Utilization, Value, or
+ AverageValue
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ description: value is the target value of
+ the metric (as a quantity).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - metric
+ - target
+ type: object
+ resource:
+ description: |-
+ resource refers to a resource metric (such as those specified in
+ requests and limits) known to Kubernetes describing each pod in the
+ current scale target (e.g. CPU or memory). Such metrics are built in to
+ Kubernetes, and have special scaling options on top of those available
+ to normal per-pod metrics using the "pods" source.
+ properties:
+ name:
+ description: name is the name of the resource
+ in question.
+ type: string
+ target:
+ description: target specifies the target value
+ for the given metric
+ properties:
+ averageUtilization:
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
+ format: int32
+ type: integer
+ averageValue:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type:
+ description: type represents whether the
+ metric type is Utilization, Value, or
+ AverageValue
+ type: string
+ value:
+ anyOf:
+ - type: integer
+ - type: string
+ description: value is the target value of
+ the metric (as a quantity).
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ required:
+ - type
+ type: object
+ required:
+ - name
+ - target
+ type: object
+ type:
+ description: |-
+ type is the type of metric source. It should be one of "ContainerResource", "External",
+ "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ minReplicas:
+ description: |-
+ minReplicas is the lower limit for the number of replicas to which the autoscaler
+ can scale down. It defaults to 1 replica.
+ format: int32
+ type: integer
+ x-kubernetes-validations:
+ - message: minReplicas must be greater than 0
+ rule: self > 0
+ name:
+ description: |-
+ Name of the horizontalPodAutoScaler.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ patch:
+ description: Patch defines how to perform the patch operation
+ to the HorizontalPodAutoscaler
+ properties:
+ type:
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
+ type: string
+ value:
+ description: Object contains the raw configuration
+ for merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
+ required:
+ - maxReplicas
+ type: object
+ x-kubernetes-validations:
+ - message: maxReplicas cannot be less than minReplicas
+ rule: '!has(self.minReplicas) || self.maxReplicas >= self.minReplicas'
+ envoyPDB:
+ description: EnvoyPDB allows to control the pod disruption
+ budget of an Envoy Proxy.
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ MaxUnavailable specifies the maximum amount of pods (can be expressed as integers or as a percentage) that can be unavailable at all times during voluntary disruptions,
+ such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
+ and resilience during maintenance operations. Cannot be combined with minAvailable.
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ MinAvailable specifies the minimum amount of pods (can be expressed as integers or as a percentage) that must be available at all times during voluntary disruptions,
+ such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
+ and resilience during maintenance operations. Cannot be combined with maxUnavailable.
+ x-kubernetes-int-or-string: true
+ name:
+ description: |-
+ Name of the podDisruptionBudget.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ patch:
+ description: Patch defines how to perform the patch operation
+ to the PodDisruptionBudget
+ properties:
+ type:
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
+ type: string
+ value:
+ description: Object contains the raw configuration
+ for merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: only one of minAvailable or maxUnavailable can
+ be specified
+ rule: (has(self.minAvailable) && !has(self.maxUnavailable))
+ || (!has(self.minAvailable) && has(self.maxUnavailable))
+ envoyService:
+ description: |-
+ EnvoyService defines the desired state of the Envoy service resource.
+ If unspecified, default settings for the managed Envoy service resource
+ are applied.
+ properties:
+ allocateLoadBalancerNodePorts:
+ description: |-
+ AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
+ services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
+ load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
+ value), those requests will be respected, regardless of this field. This field may only be set for
+ services with type LoadBalancer and will be cleared if the type is changed to any other type.
+ type: boolean
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations that should be appended to the service.
+ By default, no annotations are appended.
+ type: object
+ externalTrafficPolicy:
+ default: Local
+ description: |-
+ ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
+ are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
+ receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster.
+ enum:
+ - Local
+ - Cluster
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels that should be appended to the service.
+ By default, no labels are appended.
+ type: object
+ loadBalancerClass:
+ description: |-
+ LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
+ implementation if more than one are available or is otherwise expected to be specified
+ type: string
+ loadBalancerIP:
+ description: |-
+ LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
+ may be ignored if the load balancer provider does not support this feature.
+ This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
+ providers such as GCP.
+ type: string
+ x-kubernetes-validations:
+ - message: loadBalancerIP must be a valid IPv4 address
+ rule: self.matches(r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
+ loadBalancerSourceRanges:
+ description: |-
+ LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
+ firewall rules on the platform providers load balancer. This is not guaranteed to be working as
+ it happens outside of kubernetes and has to be supported and handled by the platform provider.
+ This field may only be set for services with type LoadBalancer and will be cleared if the type
+ is changed to any other type.
+ items:
+ type: string
+ type: array
+ name:
+ description: |-
+ Name of the service.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ patch:
+ description: Patch defines how to perform the patch operation
+ to the service
+ properties:
+ type:
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
+ type: string
+ value:
+ description: Object contains the raw configuration
+ for merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
+ type:
+ default: LoadBalancer
+ description: |-
+ Type determines how the Service is exposed. Defaults to LoadBalancer.
+ Valid options are ClusterIP, LoadBalancer and NodePort.
+ "LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
+ "ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
+ "NodePort" means a service will be exposed on a static Port on all Nodes of the cluster.
+ enum:
+ - ClusterIP
+ - LoadBalancer
+ - NodePort
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: allocateLoadBalancerNodePorts can only be set for
+ LoadBalancer type
+ rule: '!has(self.allocateLoadBalancerNodePorts) || self.type
+ == ''LoadBalancer'''
+ - message: loadBalancerSourceRanges can only be set for LoadBalancer
+ type
+ rule: '!has(self.loadBalancerSourceRanges) || self.type
+ == ''LoadBalancer'''
+ - message: loadBalancerIP can only be set for LoadBalancer
+ type
+ rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ envoyServiceAccount:
+ description: EnvoyServiceAccount defines the desired state
+ of the Envoy service account resource.
+ properties:
+ name:
+ description: |-
+ Name of the Service Account.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ type: object
+ useListenerPortAsContainerPort:
+ description: |-
+ UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
+ When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
+ This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability.
+ type: boolean
+ type: object
+ x-kubernetes-validations:
+ - message: only one of envoyDeployment or envoyDaemonSet can be
+ specified
+ rule: ((has(self.envoyDeployment) && !has(self.envoyDaemonSet))
+ || (!has(self.envoyDeployment) && has(self.envoyDaemonSet)))
+ || (!has(self.envoyDeployment) && !has(self.envoyDaemonSet))
+ - message: cannot use envoyHpa if envoyDaemonSet is used
+ rule: ((has(self.envoyHpa) && !has(self.envoyDaemonSet)) ||
+ (!has(self.envoyHpa) && has(self.envoyDaemonSet))) || (!has(self.envoyHpa)
+ && !has(self.envoyDaemonSet))
+ type:
+ description: |-
+ Type is the type of resource provider to use. A resource provider provides
+ infrastructure resources for running the data plane, e.g. Envoy proxy, and
+ optional auxiliary control planes. Supported types are "Kubernetes"and "Host".
+ enum:
+ - Kubernetes
+ - Host
+ type: string
+ required:
+ - type
+ type: object
+ routingType:
+ description: |-
+ RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
+ or it can be set to "Endpoint" to use Endpoint routing. The default is "Endpoint".
+ type: string
+ shutdown:
+ description: Shutdown defines configuration for graceful envoy shutdown
+ process.
+ properties:
+ drainTimeout:
+ description: |-
+ DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
+ If unspecified, defaults to 60 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ minDrainDuration:
+ description: |-
+ MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
+ If unspecified, defaults to 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ telemetry:
+ description: Telemetry defines telemetry parameters for managed proxies.
+ properties:
+ accessLog:
+ description: |-
+ AccessLogs defines accesslog parameters for managed proxies.
+ If unspecified, will send default format to stdout.
+ properties:
+ disable:
+ description: Disable disables access logging for managed proxies
+ if set to true.
+ type: boolean
+ settings:
+ description: |-
+ Settings defines accesslog settings for managed proxies.
+ If unspecified, will send default format to stdout.
+ items:
+ properties:
+ format:
+ description: |-
+ Format defines the format of accesslog.
+ This will be ignored if sink type is ALS.
+ properties:
+ json:
+ additionalProperties:
+ type: string
+ description: |-
+ JSON is additional attributes that describe the specific event occurrence.
+ Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
+ can be used as values for fields within the Struct.
+ It's required when the format type is "JSON".
+ type: object
+ text:
+ description: |-
+ Text defines the text accesslog format, following Envoy accesslog formatting,
+ It's required when the format type is "Text".
+ Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
+ The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information.
+ type: string
+ type:
+ description: |-
+ Type defines the type of accesslog format.
+ When unset, both text and json can be specified.
+ enum:
+ - Text
+ - JSON
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: If AccessLogFormat type is Text, text field
+ needs to be set.
+ rule: 'has(self.type) && self.type == ''Text'' ? has(self.text)
+ : true'
+ - message: If AccessLogFormat type is Text, json field
+ must not be set.
+ rule: 'has(self.type) && self.type == ''Text'' ? !has(self.json)
+ : true'
+ - message: If AccessLogFormat type is JSON, json field
+ needs to be set.
+ rule: 'has(self.type) && self.type == ''JSON'' ? has(self.json)
+ : true'
+ - message: If AccessLogFormat type is JSON, text field
+ must not be set.
+ rule: 'has(self.type) && self.type == ''JSON'' ? !has(self.text)
+ : true'
+ - message: If AccessLogFormat type is unset, at least
+ one of text or json must be set.
+ rule: '!has(self.type) ? (has(self.text) || has(self.json))
+ : true'
+ matches:
+ description: |-
+ Matches defines the match conditions for accesslog in CEL expression.
+ An accesslog will be emitted only when one or more match conditions are evaluated to true.
+ Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored.
+ items:
+ type: string
+ maxItems: 10
+ type: array
+ sinks:
+ description: Sinks defines the sinks of accesslog.
+ items:
+ description: ProxyAccessLogSink defines the sink of
+ accesslog.
+ properties:
+ als:
+ description: ALS defines the gRPC Access Log Service
+ (ALS) sink.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the
+ referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of
+ connections that Envoy will establish
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of
+ parallel requests that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of
+ parallel retries that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of
+ pending requests that Envoy will
+ queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit
+ Breakers that will apply per-endpoint
+ for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures
+ the maximum number of connections
+ that Envoy will establish per-endpoint
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend
+ connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution
+ settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway
+ to perform active health checking on
+ backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold
+ defines the number of healthy
+ health checks required before
+ a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse
+ defines a list of HTTP expected
+ responses to match.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus
+ defines the http status
+ code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines
+ the HTTP path that will
+ be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between active health
+ checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines
+ the expected response payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ send:
+ description: Send defines
+ the request payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the
+ time to wait for a health check
+ response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the
+ type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold
+ defines the number of unhealthy
+ health checks required before
+ a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type
+ is HTTP, http field needs to be
+ set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type
+ is TCP, tcp field needs to be
+ set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only
+ be set if the Health Checker type
+ is GRPC.
+ rule: 'has(self.grpc) ? self.type
+ == ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check
+ configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime
+ defines the base duration for
+ which a host will be ejected
+ on consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors
+ sets the number of consecutive
+ 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors
+ sets the number of consecutive
+ gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between passive health
+ checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent
+ sets the maximum percentage
+ of hosts in a cluster that can
+ be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors
+ between external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures
+ the cookie hash policy when
+ the consistent hash type is
+ set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes
+ to set for the generated
+ cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures
+ the header hash policy for each
+ header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the
+ header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures
+ the query parameter hash policy
+ when the consistent hash type
+ is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the
+ query param to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for
+ consistent hashing, must be
+ prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type
+ is header, the header field must
+ be set.
+ rule: 'self.type == ''Header'' ?
+ has(self.header) : !has(self.header)'
+ - message: If consistent hash type
+ is headers, the headers field
+ must be set.
+ rule: 'self.type == ''Headers''
+ ? has(self.headers) : !has(self.headers)'
+ - message: If consistent hash type
+ is cookie, the cookie field must
+ be set.
+ rule: 'self.type == ''Cookie'' ?
+ has(self.cookie) : !has(self.cookie)'
+ - message: If consistent hash type
+ is queryParams, the queryParams
+ field must be set.
+ rule: 'self.type == ''QueryParams''
+ ? has(self.queryParams) : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines
+ the sources to extract endpoint
+ override information from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract
+ endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the
+ configuration related to the distribution
+ of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer
+ sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold
+ is the minimum number of
+ total upstream endpoints
+ across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage
+ of requests that will be
+ considered for zone aware
+ routing if zone aware routing
+ is configured. If not specified,
+ Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash''
+ ? has(self.consistentHash) : !has(self.consistentHash)'
+ - message: Currently SlowStart is only
+ supported for RoundRobin and LeastRequest
+ load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only
+ supported for LeastRequest, Random,
+ and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash''
+ ? !has(self.zoneAware) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the
+ Proxy Protocol when communicating with
+ the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number
+ of retries to be attempted. Defaults
+ to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry
+ policy to be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval
+ is the base interval between
+ retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout
+ per retry attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines
+ the http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies
+ the retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies
+ the conditions that trigger
+ retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the
+ backend connections.
+ properties:
+ http:
+ description: Timeout settings for
+ HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is
+ the time until which entire
+ response is received from the
+ upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for
+ TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect
+ policy only works with RoundRobin or Random
+ load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'',
+ ''RoundRobin'']))'
+ http:
+ description: HTTP defines additional configuration
+ specific to HTTP access logs.
+ properties:
+ requestHeaders:
+ description: RequestHeaders defines request
+ headers to include in log entries sent
+ to the access log service.
+ items:
+ type: string
+ type: array
+ responseHeaders:
+ description: ResponseHeaders defines response
+ headers to include in log entries sent
+ to the access log service.
+ items:
+ type: string
+ type: array
+ responseTrailers:
+ description: ResponseTrailers defines
+ response trailers to include in log
+ entries sent to the access log service.
+ items:
+ type: string
+ type: array
+ type: object
+ logName:
+ description: |-
+ LogName defines the friendly name of the access log to be returned in
+ StreamAccessLogsMessage.Identifier. This allows the access log server
+ to differentiate between different access logs coming from the same Envoy.
+ minLength: 1
+ type: string
+ type:
+ description: Type defines the type of accesslog.
+ Supported types are "HTTP" and "TCP".
+ enum:
+ - HTTP
+ - TCP
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: The http field may only be set when
+ type is HTTP.
+ rule: self.type == 'HTTP' || !has(self.http)
+ - message: BackendRefs must be used, backendRef
+ is not supported.
+ rule: '!has(self.backendRef)'
+ - message: must have at least one backend in backendRefs
+ rule: has(self.backendRefs) && self.backendRefs.size()
+ > 0
+ - message: BackendRefs only support Service and
+ Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
+ f.kind == ''Service'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
+ file:
+ description: File defines the file accesslog sink.
+ properties:
+ path:
+ description: Path defines the file path used
+ to expose envoy access log(e.g. /dev/stdout).
+ minLength: 1
+ type: string
+ type: object
+ openTelemetry:
+ description: OpenTelemetry defines the OpenTelemetry
+ accesslog sink.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the
+ referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of
+ connections that Envoy will establish
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of
+ parallel requests that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of
+ parallel retries that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of
+ pending requests that Envoy will
+ queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit
+ Breakers that will apply per-endpoint
+ for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures
+ the maximum number of connections
+ that Envoy will establish per-endpoint
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend
+ connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution
+ settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway
+ to perform active health checking on
+ backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold
+ defines the number of healthy
+ health checks required before
+ a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse
+ defines a list of HTTP expected
+ responses to match.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus
+ defines the http status
+ code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines
+ the HTTP path that will
+ be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between active health
+ checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines
+ the expected response payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ send:
+ description: Send defines
+ the request payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the
+ time to wait for a health check
+ response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the
+ type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold
+ defines the number of unhealthy
+ health checks required before
+ a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type
+ is HTTP, http field needs to be
+ set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type
+ is TCP, tcp field needs to be
+ set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only
+ be set if the Health Checker type
+ is GRPC.
+ rule: 'has(self.grpc) ? self.type
+ == ''GRPC'' : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check
+ configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime
+ defines the base duration for
+ which a host will be ejected
+ on consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors
+ sets the number of consecutive
+ 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors
+ sets the number of consecutive
+ gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between passive health
+ checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent
+ sets the maximum percentage
+ of hosts in a cluster that can
+ be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors
+ between external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures
+ the cookie hash policy when
+ the consistent hash type is
+ set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes
+ to set for the generated
+ cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures
+ the header hash policy for each
+ header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the
+ header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures
+ the query parameter hash policy
+ when the consistent hash type
+ is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the
+ query param to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for
+ consistent hashing, must be
+ prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type
+ is header, the header field must
+ be set.
+ rule: 'self.type == ''Header'' ?
+ has(self.header) : !has(self.header)'
+ - message: If consistent hash type
+ is headers, the headers field
+ must be set.
+ rule: 'self.type == ''Headers''
+ ? has(self.headers) : !has(self.headers)'
+ - message: If consistent hash type
+ is cookie, the cookie field must
+ be set.
+ rule: 'self.type == ''Cookie'' ?
+ has(self.cookie) : !has(self.cookie)'
+ - message: If consistent hash type
+ is queryParams, the queryParams
+ field must be set.
+ rule: 'self.type == ''QueryParams''
+ ? has(self.queryParams) : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines
+ the sources to extract endpoint
+ override information from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract
+ endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the
+ configuration related to the distribution
+ of requests between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer
+ sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold
+ is the minimum number of
+ total upstream endpoints
+ across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage
+ of requests that will be
+ considered for zone aware
+ routing if zone aware routing
+ is configured. If not specified,
+ Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash''
+ ? has(self.consistentHash) : !has(self.consistentHash)'
+ - message: Currently SlowStart is only
+ supported for RoundRobin and LeastRequest
+ load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only
+ supported for LeastRequest, Random,
+ and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash''
+ ? !has(self.zoneAware) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the
+ Proxy Protocol when communicating with
+ the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number
+ of retries to be attempted. Defaults
+ to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry
+ policy to be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval
+ is the base interval between
+ retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout
+ per retry attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines
+ the http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies
+ the retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies
+ the conditions that trigger
+ retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the
+ backend connections.
+ properties:
+ http:
+ description: Timeout settings for
+ HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is
+ the time until which entire
+ response is received from the
+ upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for
+ TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect
+ policy only works with RoundRobin or Random
+ load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'',
+ ''RoundRobin'']))'
+ headers:
+ description: |-
+ Headers is a list of additional headers to send with OTLP export requests.
+ These headers are added as gRPC initial metadata for the OTLP gRPC service.
+ items:
+ description: HTTPHeader represents an HTTP
+ Header name and value as defined by RFC
+ 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP
+ Header to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 32
+ minItems: 1
+ type: array
+ host:
+ description: |-
+ Host define the extension service hostname.
+ Deprecated: Use BackendRefs instead.
+ type: string
+ port:
+ default: 4317
+ description: |-
+ Port defines the port the extension service is exposed on.
+ Deprecated: Use BackendRefs instead.
+ format: int32
+ minimum: 0
+ type: integer
+ resourceAttributes:
+ additionalProperties:
+ type: string
+ description: |-
+ ResourceAttributes is a set of labels that describe the source of a log entry, including envoy node info.
+ It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
+ type: object
+ resources:
+ additionalProperties:
+ type: string
+ description: |-
+ Resources is a set of labels that describe the source of a log entry, including envoy node info.
+ It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
+
+ Deprecated: Use ResourceAttributes instead.
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: host or backendRefs needs to be set
+ rule: has(self.host) || self.backendRefs.size()
+ > 0
+ - message: BackendRefs must be used, backendRef
+ is not supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only support Service and
+ Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
+ f.kind == ''Service'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
+ - message: either resources or resourceAttributes
+ can be set, not both
+ rule: '!has(self.resources) || !has(self.resourceAttributes)'
+ type:
+ description: Type defines the type of accesslog
+ sink.
+ enum:
+ - ALS
+ - File
+ - OpenTelemetry
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: If AccessLogSink type is ALS, als field
+ needs to be set.
+ rule: 'self.type == ''ALS'' ? has(self.als) : !has(self.als)'
+ - message: If AccessLogSink type is File, file field
+ needs to be set.
+ rule: 'self.type == ''File'' ? has(self.file) :
+ !has(self.file)'
+ - message: If AccessLogSink type is OpenTelemetry,
+ openTelemetry field needs to be set.
+ rule: 'self.type == ''OpenTelemetry'' ? has(self.openTelemetry)
+ : !has(self.openTelemetry)'
+ maxItems: 50
+ minItems: 1
+ type: array
+ type:
+ description: |-
+ Type defines the component emitting the accesslog, such as Listener and Route.
+ If type not defined, the setting would apply to:
+ (1) All Routes.
+ (2) Listeners if and only if Envoy does not find a matching route for a request.
+ If type is defined, the accesslog settings would apply to the relevant component (as-is).
+ enum:
+ - Listener
+ - Route
+ type: string
+ required:
+ - sinks
+ type: object
+ maxItems: 50
+ minItems: 1
+ type: array
+ type: object
+ metrics:
+ description: Metrics defines metrics configuration for managed
+ proxies.
+ properties:
+ clusterStatName:
+ description: |-
+ ClusterStatName defines the value of cluster alt_stat_name, determining how cluster stats are named.
+ For more details, see envoy docs: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html
+ The supported operators for this pattern are:
+ `%ROUTE_NAME%`: name of Gateway API xRoute resource
+ `%ROUTE_NAMESPACE%`: namespace of Gateway API xRoute resource
+ `%ROUTE_KIND%`: kind of Gateway API xRoute resource
+ `%ROUTE_RULE_NAME%`: name of the Gateway API xRoute section
+ `%ROUTE_RULE_NUMBER%`: name of the Gateway API xRoute section
+ `%BACKEND_REFS%`: names of all backends referenced in `/|/|...` format
+ Only xDS Clusters created for HTTPRoute and GRPCRoute are currently supported.
+ Default: `%ROUTE_KIND%/%ROUTE_NAMESPACE%/%ROUTE_NAME%/rule/%ROUTE_RULE_NUMBER%`
+ Example: `httproute/my-ns/my-route/rule/0`
+ type: string
+ enablePerEndpointStats:
+ description: |-
+ EnablePerEndpointStats enables per endpoint envoy stats metrics.
+ Please use with caution.
+ type: boolean
+ enableRequestResponseSizesStats:
+ description: EnableRequestResponseSizesStats enables publishing
+ of histograms tracking header and body sizes of requests
+ and responses.
+ type: boolean
+ enableVirtualHostStats:
+ description: EnableVirtualHostStats enables envoy stat metrics
+ for virtual hosts.
+ type: boolean
+ matches:
+ description: |-
+ Matches defines configuration for selecting specific metrics instead of generating all metrics stats
+ that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
+ may after critical functionality. Here are the stats that we strongly recommend not disabling:
+ `cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
+ `cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
+ https://github.com/envoyproxy/envoy/issues/14610
+ items:
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
+ properties:
+ type:
+ default: Exact
+ description: Type specifies how to match against a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that the
+ match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - value
+ type: object
+ type: array
+ prometheus:
+ description: Prometheus defines the configuration for Admin
+ endpoint `/stats/prometheus`.
+ properties:
+ compression:
+ description: Configure the compression on Prometheus endpoint.
+ Compression is useful in situations when bandwidth is
+ scarce and large payloads can be effectively compressed
+ at the expense of higher CPU load.
+ properties:
+ brotli:
+ description: The configuration for Brotli compressor.
+ type: object
+ gzip:
+ description: The configuration for GZIP compressor.
+ type: object
+ minContentLength:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ MinContentLength defines the minimum response size in bytes to apply compression.
+ Responses smaller than this threshold will not be compressed.
+ Must be at least 30 bytes as enforced by Envoy Proxy.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ Default: 30 bytes
+ x-kubernetes-int-or-string: true
+ type:
+ description: CompressorType defines the compressor
+ type to use for compression.
+ enum:
+ - Gzip
+ - Brotli
+ - Zstd
+ type: string
+ zstd:
+ description: The configuration for Zstd compressor.
+ type: object
+ required:
+ - type
+ type: object
+ disable:
+ description: Disable the Prometheus endpoint.
+ type: boolean
+ type: object
+ sinks:
+ description: Sinks defines the metric sinks where metrics
+ are sent to.
+ items:
+ description: |-
+ ProxyMetricSink defines the sink of metrics.
+ Default metrics sink is OpenTelemetry.
+ properties:
+ openTelemetry:
+ description: |-
+ OpenTelemetry defines the configuration for OpenTelemetry sink.
+ It's required if the sink type is OpenTelemetry.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind ==
+ ''Service'') ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind ==
+ ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections
+ that Envoy will establish to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel
+ requests that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel
+ retries that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending
+ requests that Envoy will queue to the
+ referenced backend defined within a xRoute
+ rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit
+ Breakers that will apply per-endpoint
+ for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures
+ the maximum number of connections
+ that Envoy will establish per-endpoint
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend connection
+ settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform
+ active health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines
+ the number of healthy health checks
+ required before a backend host is
+ marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines
+ a list of HTTP expected responses
+ to match.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in
+ plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the
+ type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ?
+ has(self.text) : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines
+ the http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP
+ path that will be requested during
+ health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time
+ between active health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the
+ expected response payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in
+ plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the
+ type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ?
+ has(self.text) : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ send:
+ description: Send defines the request
+ payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in
+ plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the
+ type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ?
+ has(self.text) : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time
+ to wait for a health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of
+ health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines
+ the number of unhealthy health checks
+ required before a backend host is
+ marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP,
+ http field needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type is TCP,
+ tcp field needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only be set
+ if the Health Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC''
+ : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines
+ the base duration for which a host
+ will be ejected on consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets
+ the number of consecutive 5xx errors
+ triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors
+ sets the number of consecutive gateway
+ errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time
+ between passive health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets
+ the maximum percentage of hosts in
+ a cluster that can be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors between
+ external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie
+ hash policy when the consistent hash
+ type is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes
+ to set for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the
+ header hash policy for each header,
+ when the consistent hash type is set
+ to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures
+ the query parameter hash policy when
+ the consistent hash type is set to
+ QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query
+ param to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent
+ hashing, must be prime number limited
+ to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header,
+ the header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is headers,
+ the headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
+ - message: If consistent hash type is cookie,
+ the cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ - message: If consistent hash type is queryParams,
+ the queryParams field must be set.
+ rule: 'self.type == ''QueryParams'' ?
+ has(self.queryParams) : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the
+ sources to extract endpoint override
+ information from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract endpoint
+ override information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration
+ related to the distribution of requests
+ between locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer sending
+ traffic to the local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold
+ is the minimum number of total
+ upstream endpoints across all
+ zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage
+ of requests that will be considered
+ for zone aware routing if zone
+ aware routing is configured. If
+ not specified, Envoy defaults
+ to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported
+ for RoundRobin and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported
+ for LeastRequest, Random, and RoundRobin
+ load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy
+ Protocol when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of
+ retries to be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy
+ to be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the
+ base interval between retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout
+ per retry attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the
+ http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the
+ retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies
+ the conditions that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend
+ connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time
+ until which entire response is received
+ from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy
+ only works with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ headers:
+ description: |-
+ Headers is a list of additional headers to send with OTLP export requests.
+ These headers are added as gRPC initial metadata for the OTLP gRPC service.
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 32
+ minItems: 1
+ type: array
+ host:
+ description: |-
+ Host define the service hostname.
+ Deprecated: Use BackendRefs instead.
+ type: string
+ port:
+ default: 4317
+ description: |-
+ Port defines the port the service is exposed on.
+ Deprecated: Use BackendRefs instead.
+ format: int32
+ maximum: 65535
+ minimum: 0
+ type: integer
+ reportCountersAsDeltas:
+ description: |-
+ ReportCountersAsDeltas configures the OpenTelemetry sink to report
+ counters as delta temporality instead of cumulative.
+ type: boolean
+ reportHistogramsAsDeltas:
+ description: |-
+ ReportHistogramsAsDeltas configures the OpenTelemetry sink to report
+ histograms as delta temporality instead of cumulative.
+ Required for backends like Elastic that drop cumulative histograms.
+ type: boolean
+ resourceAttributes:
+ additionalProperties:
+ type: string
+ description: |-
+ ResourceAttributes is a set of labels that describe the source of metrics.
+ It's recommended to follow semantic conventions: https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: host or backendRefs needs to be set
+ rule: has(self.host) || self.backendRefs.size() >
+ 0
+ - message: BackendRefs must be used, backendRef is not
+ supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only support Service and Backend
+ kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
+ f.kind == ''Service'' || f.kind == ''Backend'')
+ : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
+ type:
+ default: OpenTelemetry
+ description: |-
+ Type defines the metric sink type.
+ EG currently only supports OpenTelemetry.
+ enum:
+ - OpenTelemetry
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If MetricSink type is OpenTelemetry, openTelemetry
+ field needs to be set.
+ rule: 'self.type == ''OpenTelemetry'' ? has(self.openTelemetry)
+ : !has(self.openTelemetry)'
+ maxItems: 16
+ type: array
+ type: object
+ requestID:
+ description: RequestID configures Envoy request ID behavior.
+ properties:
+ tracing:
+ description: |-
+ Tracing configures Envoy's behavior for the UUID request ID extension,
+ including whether the trace sampling decision is packed into the UUID and
+ whether `X-Request-ID` is used for trace sampling decisions.
+
+ When omitted, the default behavior is `PackAndSample`, which alters the UUID
+ to contain the trace sampling decision and uses `X-Request-ID` for stable
+ trace sampling.
+ enum:
+ - PackAndSample
+ - Sample
+ - Pack
+ - Disable
+ type: string
+ type: object
+ tracing:
+ description: |-
+ Tracing defines tracing configuration for managed proxies.
+ If unspecified, will not send tracing data.
+ properties:
+ customTags:
+ additionalProperties:
+ properties:
+ environment:
+ description: |-
+ Environment adds value from environment variable to each span.
+ It's required when the type is "Environment".
+ properties:
+ defaultValue:
+ description: DefaultValue defines the default value
+ to use if the environment variable is not set.
+ type: string
+ name:
+ description: Name defines the name of the environment
+ variable which to extract the value from.
+ type: string
+ required:
+ - name
+ type: object
+ literal:
+ description: |-
+ Literal adds hard-coded value to each span.
+ It's required when the type is "Literal".
+ properties:
+ value:
+ description: Value defines the hard-coded value
+ to add to each span.
+ type: string
+ required:
+ - value
+ type: object
+ requestHeader:
+ description: |-
+ RequestHeader adds value from request header to each span.
+ It's required when the type is "RequestHeader".
+ properties:
+ defaultValue:
+ description: DefaultValue defines the default value
+ to use if the request header is not set.
+ type: string
+ name:
+ description: Name defines the name of the request
+ header which to extract the value from.
+ type: string
+ required:
+ - name
+ type: object
+ type:
+ default: Literal
+ description: Type defines the type of custom tag.
+ enum:
+ - Literal
+ - Environment
+ - RequestHeader
+ type: string
+ required:
+ - type
+ type: object
+ description: |-
+ CustomTags defines the custom tags to add to each span.
+ If provider is kubernetes, pod name and namespace are added by default.
+
+ Deprecated: Use Tags instead.
+ type: object
+ provider:
+ description: Provider defines the tracing provider.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections
+ that Envoy will establish to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream
+ cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the
+ maximum number of connections that Envoy
+ will establish per-endpoint to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend connection
+ settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform
+ active health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the
+ number of healthy health checks required
+ before a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines
+ a list of HTTP expected responses to
+ match.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text
+ field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the
+ http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path
+ that will be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text
+ field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request
+ payload.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text
+ field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health
+ checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the
+ number of unhealthy health checks required
+ before a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http
+ field needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type is TCP, tcp
+ field needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only be set if the
+ Health Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC''
+ : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the
+ base duration for which a host will be ejected
+ on consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the
+ number of consecutive 5xx errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors sets
+ the number of consecutive gateway errors
+ triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can
+ be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors between external
+ and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for
+ backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie
+ hash policy when the consistent hash type
+ is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to
+ set for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the header
+ hash policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures the query
+ parameter hash policy when the consistent
+ hash type is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query param
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent
+ hashing, must be prime number limited to
+ 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header,
+ the header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is headers,
+ the headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
+ - message: If consistent hash type is cookie,
+ the cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ - message: If consistent hash type is queryParams,
+ the queryParams field must be set.
+ rule: 'self.type == ''QueryParams'' ? has(self.queryParams)
+ : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources
+ to extract endpoint override information
+ from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract endpoint override
+ information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration
+ related to the distribution of requests between
+ locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the
+ local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is
+ the minimum number of total upstream
+ endpoints across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage of
+ requests that will be considered for
+ zone aware routing if zone aware routing
+ is configured. If not specified, Envoy
+ defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for
+ RoundRobin and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for
+ LeastRequest, Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries
+ to be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be
+ applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base
+ interval between retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry
+ trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the
+ upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only
+ works with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ host:
+ description: |-
+ Host define the provider service hostname.
+ Deprecated: Use BackendRefs instead.
+ type: string
+ openTelemetry:
+ description: OpenTelemetry defines the OpenTelemetry tracing
+ provider configuration
+ properties:
+ headers:
+ description: |-
+ Headers is a list of additional headers to send with OTLP export requests.
+ These headers are added as gRPC initial metadata for the OTLP gRPC service.
+ items:
+ description: HTTPHeader represents an HTTP Header
+ name and value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header
+ to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 32
+ minItems: 1
+ type: array
+ resourceAttributes:
+ additionalProperties:
+ type: string
+ description: |-
+ ResourceAttributes is a set of labels that describe the source of traces.
+ It's recommended to follow semantic conventions: https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/
+ type: object
+ type: object
+ port:
+ default: 4317
+ description: |-
+ Port defines the port the provider service is exposed on.
+ Deprecated: Use BackendRefs instead.
+ format: int32
+ minimum: 0
+ type: integer
+ serviceName:
+ description: |-
+ ServiceName defines the service name to use in tracing configuration.
+ If not set, Envoy Gateway will use a default service name set as
+ "name.namespace" (e.g., "my-gateway.default").
+ Note: This field is only supported for OpenTelemetry and Datadog tracing providers.
+ For Zipkin, the service name in traces is always derived from the Envoy --service-cluster flag
+ (typically "namespace/name" format). Setting this field has no effect for Zipkin.
+ type: string
+ x-kubernetes-validations:
+ - message: serviceName cannot be empty if provided
+ rule: self != ""
+ type:
+ default: OpenTelemetry
+ description: Type defines the tracing provider type.
+ enum:
+ - OpenTelemetry
+ - Zipkin
+ - Datadog
+ type: string
+ zipkin:
+ description: Zipkin defines the Zipkin tracing provider
+ configuration
+ properties:
+ disableSharedSpanContext:
+ description: |-
+ DisableSharedSpanContext determines whether the default Envoy behaviour of
+ client and server spans sharing the same span context should be disabled.
+ type: boolean
+ enable128BitTraceId:
+ description: |-
+ Enable128BitTraceID determines whether a 128bit trace id will be used
+ when creating a new trace instance. If set to false, a 64bit trace
+ id will be used.
+ type: boolean
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: host or backendRefs needs to be set
+ rule: has(self.host) || self.backendRefs.size() > 0
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only support Service and Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'' || f.kind == ''Backend'') : true'
+ - message: BackendRefs only support Core and gateway.envoyproxy.io
+ group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "" || f.group == ''gateway.envoyproxy.io''))
+ : true'
+ - message: openTelemetry can only be used with type OpenTelemetry
+ rule: 'has(self.openTelemetry) ? self.type == ''OpenTelemetry''
+ : true'
+ samplingFraction:
+ description: |-
+ SamplingFraction represents the fraction of requests that should be
+ selected for tracing if no prior sampling decision has been made.
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to denominator
+ rule: self.numerator <= self.denominator
+ samplingRate:
+ description: |-
+ SamplingRate controls the rate at which traffic will be
+ selected for tracing if no prior sampling decision has been made.
+ Defaults to 100, valid values [0-100]. 100 indicates 100% sampling.
+
+ Only one of SamplingRate or SamplingFraction may be specified.
+ If neither field is specified, all requests will be sampled.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ spanName:
+ description: |-
+ SpanName defines the name of the span which will be used for tracing.
+ Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the value.
+ The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information.
+
+ If not set, the span name is provider specific.
+ e.g. Datadog use `ingress` as the default client span name,
+ and `router egress` as the server span name.
+ properties:
+ client:
+ description: Client defines operation name of the span
+ which will be used for tracing.
+ type: string
+ server:
+ description: Server defines the operation name of the
+ upstream span which will be used for tracing.
+ type: string
+ required:
+ - client
+ - server
+ type: object
+ tags:
+ additionalProperties:
+ type: string
+ description: |-
+ Tags defines the custom tags to add to each span.
+ Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the value.
+ The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information.
+ If provider is kubernetes, pod name and namespace are added by default.
+
+ Same keys take precedence over CustomTags.
+ type: object
+ required:
+ - provider
+ type: object
+ x-kubernetes-validations:
+ - message: only one of SamplingRate or SamplingFraction can be
+ specified
+ rule: '!(has(self.samplingRate) && has(self.samplingFraction))'
+ type: object
+ type: object
+ status:
+ description: EnvoyProxyStatus defines the actual state of EnvoyProxy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors represent the status information for all the GatewayClass or Gateway
+ reference this EnvoyProxy with ParametersReference.
+ items:
+ properties:
+ ancestorRef:
+ description: AncestorRef corresponds a GatewayClass or Gateway
+ use this EnvoyProxy with ParametersReference.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ required:
+ - ancestorRef
+ type: object
+ type: array
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml
new file mode 100644
index 00000000..22c7ff10
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml
@@ -0,0 +1,474 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: httproutefilters.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: HTTPRouteFilter
+ listKind: HTTPRouteFilterList
+ plural: httproutefilters
+ shortNames:
+ - hrf
+ singular: httproutefilter
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended
+ traffic processing options such as path regex rewrite, direct response and more.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRouteFilter.
+ properties:
+ credentialInjection:
+ description: |-
+ HTTPCredentialInjectionFilter defines the configuration to inject credentials into the request.
+ This is useful when the backend service requires credentials in the request, and the original
+ request does not contain them. The filter can inject credentials into the request before forwarding
+ it to the backend service.
+ properties:
+ credential:
+ description: Credential is the credential to be injected.
+ properties:
+ valueRef:
+ description: |-
+ ValueRef is a reference to the secret containing the credentials to be injected.
+ This is an Opaque secret. The credential should be stored in the key
+ "credential", and the value should be the credential to be injected.
+ For example, for basic authentication, the value should be "Basic ".
+ for bearer token, the value should be "Bearer ".
+ Note: The secret must be in the same namespace as the HTTPRouteFilter.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - valueRef
+ type: object
+ header:
+ description: |-
+ Header is the name of the header where the credentials are injected.
+ If not specified, the credentials are injected into the Authorization header.
+ type: string
+ overwrite:
+ description: |-
+ Whether to overwrite the value or not if the injected headers already exist.
+ If not specified, the default value is false.
+ type: boolean
+ required:
+ - credential
+ type: object
+ directResponse:
+ description: HTTPDirectResponseFilter defines the configuration to
+ return a fixed response.
+ properties:
+ body:
+ description: Body of the direct response.
+ properties:
+ inline:
+ description: Inline contains the value as an inline string.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Inline
+ - ValueRef
+ - enum:
+ - Inline
+ - ValueRef
+ default: Inline
+ description: |-
+ Type is the type of method to use to read the body value.
+ Valid values are Inline and ValueRef, default is Inline.
+ type: string
+ valueRef:
+ description: |-
+ ValueRef contains the contents of the body
+ specified as a local object reference.
+ Only a reference to ConfigMap is supported.
+
+ The value of key `response.body` in the ConfigMap will be used as the response body.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: inline must be set for type Inline
+ rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline)
+ : true'
+ - message: valueRef must be set for type ValueRef
+ rule: '(has(self.type) && self.type == ''ValueRef'')? has(self.valueRef)
+ : true'
+ - message: only ConfigMap is supported for ValueRef
+ rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap''
+ : true'
+ contentType:
+ description: Content Type of the direct response. This will be
+ set in the Content-Type header.
+ type: string
+ header:
+ description: Header defines the headers of the direct response.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
+ x-kubernetes-validations:
+ - message: header.remove is not supported for DirectResponse
+ rule: '!has(self.remove) || size(self.remove) == 0'
+ statusCode:
+ description: |-
+ Status Code of the HTTP response
+ If unset, defaults to 200.
+ type: integer
+ type: object
+ matches:
+ description: |-
+ Matches defines additional matching criteria for the HTTPRoute rule.
+ As with HTTPRouteRule.Matches, the rule is matched if any one match applies.
+ When both HTTPRouteRule.Matches and HTTPRouteFilter.Matches are set, the
+ effective matching is the logical AND of the two sets.
+ items:
+ description: |-
+ HTTPRouteMatchFilter defines additional matching criteria for the HTTPRoute rule.
+ At least one matcher must be specified.
+ minProperties: 1
+ properties:
+ cookies:
+ description: |-
+ Cookies is a list of cookie matchers evaluated against the HTTP request.
+ All specified matchers must match.
+ items:
+ description: HTTPCookieMatch defines how to match a single
+ cookie.
+ properties:
+ name:
+ description: Name is the cookie name to evaluate.
+ maxLength: 256
+ minLength: 1
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against the value
+ of the cookie.
+ enum:
+ - Exact
+ - RegularExpression
+ type: string
+ value:
+ description: Value is the cookie value to be matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ type: object
+ maxItems: 8
+ type: array
+ urlRewrite:
+ description: HTTPURLRewriteFilter define rewrites of HTTP URL components
+ such as path and host
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+ properties:
+ header:
+ description: Header is the name of the header whose value
+ would be used to rewrite the Host header
+ type: string
+ type:
+ description: HTTPPathModifierType defines the type of Hostname
+ rewrite.
+ enum:
+ - Header
+ - Backend
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: header must be nil if the type is not Header
+ rule: '!(has(self.header) && self.type != ''Header'')'
+ - message: header must be specified for Header type
+ rule: '!(!has(self.header) && self.type == ''Header'')'
+ path:
+ description: Path defines a path rewrite.
+ properties:
+ replaceRegexMatch:
+ description: |-
+ ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
+ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
+ Some examples:
+ (1) replaceRegexMatch:
+ pattern: ^/service/([^/]+)(/.*)$
+ substitution: \2/instance/\1
+ Would transform /service/foo/v1/api into /v1/api/instance/foo.
+ (2) replaceRegexMatch:
+ pattern: one
+ substitution: two
+ Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
+ (3) replaceRegexMatch:
+ pattern: ^(.*?)one(.*)$
+ substitution: \1two\2
+ Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
+ (3) replaceRegexMatch:
+ pattern: (?i)/xxx/
+ substitution: /yyy/
+ Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive).
+ properties:
+ pattern:
+ description: |-
+ Pattern matches a regular expression against the value of the HTTP Path.The regex string must
+ adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
+ minLength: 1
+ type: string
+ substitution:
+ description: |-
+ Substitution is an expression that replaces the matched portion.The expression may include numbered
+ capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax.
+ type: string
+ required:
+ - pattern
+ - substitution
+ type: object
+ type:
+ description: HTTPPathModifierType defines the type of path
+ redirect or rewrite.
+ enum:
+ - ReplaceRegexMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch
+ field needs to be set.
+ rule: 'self.type == ''ReplaceRegexMatch'' ? has(self.replaceRegexMatch)
+ : !has(self.replaceRegexMatch)'
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
new file mode 100644
index 00000000..684d40a8
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -0,0 +1,6272 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: securitypolicies.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: SecurityPolicy
+ listKind: SecurityPolicyList
+ plural: securitypolicies
+ shortNames:
+ - sp
+ singular: securitypolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ SecurityPolicy allows the user to configure various security settings for a
+ Gateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of SecurityPolicy.
+ properties:
+ apiKeyAuth:
+ description: APIKeyAuth defines the configuration for the API Key
+ Authentication.
+ properties:
+ credentialRefs:
+ description: |-
+ CredentialRefs is the Kubernetes secret which contains the API keys.
+ This is an Opaque secret.
+ Each API key is stored in the key representing the client id.
+ If the secrets have a key for a duplicated client, the first one will be used.
+ items:
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ extractFrom:
+ description: |-
+ ExtractFrom is where to fetch the key from the coming request.
+ The value from the first source that has a key will be used.
+ items:
+ description: |-
+ ExtractFrom is where to fetch the key from the coming request.
+ Only one of header, param or cookie is supposed to be specified.
+ properties:
+ cookies:
+ description: |-
+ Cookies is the names of the cookie to fetch the key from.
+ If multiple cookies are specified, envoy will look for the api key in the order of the list.
+ This field is optional, but only one of headers, params or cookies is supposed to be specified.
+ items:
+ type: string
+ type: array
+ headers:
+ description: |-
+ Headers is the names of the header to fetch the key from.
+ If multiple headers are specified, envoy will look for the api key in the order of the list.
+ This field is optional, but only one of headers, params or cookies is supposed to be specified.
+ items:
+ type: string
+ type: array
+ params:
+ description: |-
+ Params is the names of the query parameter to fetch the key from.
+ If multiple params are specified, envoy will look for the api key in the order of the list.
+ This field is optional, but only one of headers, params or cookies is supposed to be specified.
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ forwardClientIDHeader:
+ description: |-
+ ForwardClientIDHeader is the name of the header to forward the client identity to the backend
+ service. The header will be added to the request with the client id as the value.
+ type: string
+ sanitize:
+ description: Sanitize indicates whether to remove the API key
+ from the request before forwarding it to the backend service.
+ type: boolean
+ required:
+ - credentialRefs
+ - extractFrom
+ type: object
+ authorization:
+ description: Authorization defines the authorization configuration.
+ properties:
+ defaultAction:
+ description: |-
+ DefaultAction defines the default action to be taken if no rules match.
+ If not specified, the default action is Deny.
+ enum:
+ - Allow
+ - Deny
+ type: string
+ rules:
+ description: |-
+ Rules defines a list of authorization rules.
+ These rules are evaluated in order, the first matching rule will be applied,
+ and the rest will be skipped.
+
+ For example, if there are two rules: the first rule allows the request
+ and the second rule denies it, when a request matches both rules, it will be allowed.
+ items:
+ description: AuthorizationRule defines a single authorization
+ rule.
+ properties:
+ action:
+ description: Action defines the action to be taken if the
+ rule matches.
+ enum:
+ - Allow
+ - Deny
+ type: string
+ name:
+ description: |-
+ Name is a user-friendly name for the rule.
+ If not specified, Envoy Gateway will generate a unique name for the rule.
+ maxLength: 253
+ minLength: 1
+ type: string
+ operation:
+ description: |-
+ Operation specifies the operation of a request, such as HTTP methods.
+ If not specified, all operations are matched on.
+ properties:
+ methods:
+ description: |-
+ Methods are the HTTP methods of the request.
+ If multiple methods are specified, all specified methods are allowed or denied, based on the action of the rule.
+ items:
+ description: |-
+ HTTPMethod describes how to select a HTTP route by matching the HTTP
+ method as defined by
+ [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4) and
+ [RFC 5789](https://datatracker.ietf.org/doc/html/rfc5789#section-2).
+ The value is expected in upper case.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+ enum:
+ - GET
+ - HEAD
+ - POST
+ - PUT
+ - DELETE
+ - CONNECT
+ - OPTIONS
+ - TRACE
+ - PATCH
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - methods
+ type: object
+ principal:
+ description: |-
+ Principal specifies the client identity of a request.
+ If there are multiple principal types, all principals must match for the rule to match.
+ For example, if there are two principals: one for client IP and one for JWT claim,
+ the rule will match only if both the client IP and the JWT claim match.
+ properties:
+ clientCIDRs:
+ description: |-
+ ClientCIDRs are the IP CIDR ranges of the client.
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+
+ If multiple CIDR ranges are specified, one of the CIDR ranges must match
+ the client IP for the rule to match.
+
+ The client IP is inferred from the X-Forwarded-For header, a custom header,
+ or the proxy protocol.
+ You can use the `ClientIPDetection` or the `ProxyProtocol` field in
+ the `ClientTrafficPolicy` to configure how the client IP is detected.
+
+ For TCPRoute targets (raw TCP connections), HTTP headers such as
+ X-Forwarded-For are not available. The client IP is obtained from the
+ TCP connection's peer address. If intermediaries (load balancers, NAT)
+ terminate or proxy TCP, the original client IP will only be available
+ if the intermediary preserves the source address (for example by
+ enabling the PROXY protocol or avoiding SNAT). Ensure your L4 proxy is
+ configured to preserve the source IP to enable correct client-IP
+ matching for TCPRoute targets.
+ items:
+ description: |-
+ CIDR defines a CIDR Address range.
+ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+ pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
+ type: string
+ minItems: 1
+ type: array
+ headers:
+ description: |-
+ Headers authorize the request based on user identity extracted from custom headers.
+ If multiple headers are specified, all headers must match for the rule to match.
+ items:
+ description: AuthorizationHeaderMatch specifies how
+ to match against the value of an HTTP header within
+ a authorization rule.
+ properties:
+ name:
+ description: |-
+ Name of the HTTP header.
+ The header name is case-insensitive unless PreserveHeaderCase is set to true.
+ For example, "Foo" and "foo" are considered the same header.
+ maxLength: 256
+ minLength: 1
+ type: string
+ values:
+ description: |-
+ Values are the values that the header must match.
+ If multiple values are specified, the rule will match if any of the values match.
+ items:
+ type: string
+ maxItems: 256
+ minItems: 1
+ type: array
+ required:
+ - name
+ - values
+ type: object
+ maxItems: 256
+ minItems: 1
+ type: array
+ jwt:
+ description: |-
+ JWT authorize the request based on the JWT claims and scopes.
+ Note: in order to use JWT claims for authorization, you must configure the
+ JWT authentication in the same `SecurityPolicy`.
+ properties:
+ claims:
+ description: |-
+ Claims are the claims in a JWT token.
+
+ If multiple claims are specified, all claims must match for the rule to match.
+ For example, if there are two claims: one for the audience and one for the issuer,
+ the rule will match only if both the audience and the issuer match.
+ items:
+ description: JWTClaim specifies a claim in a JWT
+ token.
+ properties:
+ name:
+ description: |-
+ Name is the name of the claim.
+ If it is a nested claim, use a dot (.) separated string as the name to
+ represent the full path to the claim.
+ For example, if the claim is in the "department" field in the "organization" field,
+ the name should be "organization.department".
+ maxLength: 253
+ minLength: 1
+ type: string
+ valueType:
+ default: String
+ description: |-
+ ValueType is the type of the claim value.
+ Only String and StringArray types are supported for now.
+ enum:
+ - String
+ - StringArray
+ type: string
+ values:
+ description: |-
+ Values are the values that the claim must match.
+ If the claim is a string type, the specified value must match exactly.
+ If the claim is a string array type, the specified value must match one of the values in the array.
+ If multiple values are specified, one of the values must match for the rule to match.
+ items:
+ type: string
+ maxItems: 128
+ minItems: 1
+ type: array
+ required:
+ - name
+ - values
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ provider:
+ description: |-
+ Provider is the name of the JWT provider that used to verify the JWT token.
+ In order to use JWT claims for authorization, you must configure the JWT
+ authentication with the same provider in the same `SecurityPolicy`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ scopes:
+ description: |-
+ Scopes are a special type of claim in a JWT token that represents the permissions of the client.
+
+ The value of the scopes field should be a space delimited string that is expected in the
+ scope (or scp) claim, as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
+
+ If multiple scopes are specified, all scopes must match for the rule to match.
+ items:
+ maxLength: 253
+ minLength: 1
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - provider
+ type: object
+ x-kubernetes-validations:
+ - message: at least one of claims or scopes must be
+ specified
+ rule: (has(self.claims) || has(self.scopes))
+ sourceCIDRs:
+ description: |-
+ SourceCIDRs are the IP CIDR ranges of the source (L4 peer IP).
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+
+ If multiple CIDR ranges are specified, one of the CIDR ranges must match
+ the source IP for the rule to match.
+
+ The source IP is the IP address of the peer that connected to Envoy.
+ This IP is obtained from the TCP connection's peer address and is not
+ affected by X-Forwarded-For or other IP detection headers.
+ If intermediaries (load balancers, NAT) terminate or proxy TCP,
+ the original client IP will only be available if the intermediary
+ preserves the source address (for example by enabling the PROXY protocol
+ or avoiding SNAT).
+ items:
+ description: |-
+ CIDR defines a CIDR Address range.
+ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+ pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: at least one of clientCIDRs, jwt, or headers
+ must be specified
+ rule: (has(self.clientCIDRs) || has(self.jwt) || has(self.headers))
+ required:
+ - action
+ - principal
+ type: object
+ type: array
+ type: object
+ basicAuth:
+ description: BasicAuth defines the configuration for the HTTP Basic
+ Authentication.
+ properties:
+ forwardUsernameHeader:
+ description: |-
+ This field specifies the header name to forward a successfully authenticated user to
+ the backend. The header will be added to the request with the username as the value.
+
+ If it is not specified, the username will not be forwarded.
+ type: string
+ users:
+ description: |-
+ The Kubernetes secret which contains the username-password pairs in
+ htpasswd format, used to verify user credentials in the "Authorization"
+ header.
+
+ This is an Opaque secret. The username-password pairs should be stored in
+ the key ".htpasswd". As the key name indicates, the value needs to be the
+ htpasswd format, for example: "user1:{SHA}hashed_user1_password".
+ Right now, only SHA hash algorithm is supported.
+ Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
+ for more details.
+
+ Note: The secret must be in the same namespace as the SecurityPolicy.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - users
+ type: object
+ cors:
+ description: CORS defines the configuration for Cross-Origin Resource
+ Sharing (CORS).
+ properties:
+ allowCredentials:
+ description: |-
+ AllowCredentials indicates whether a request can include user credentials
+ like cookies, authentication headers, or TLS client certificates.
+ It specifies the value in the Access-Control-Allow-Credentials CORS response header.
+ type: boolean
+ allowHeaders:
+ description: |-
+ AllowHeaders defines the headers that are allowed to be sent with requests.
+ It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
+ The value "*" allows any header to be sent.
+ items:
+ type: string
+ type: array
+ allowMethods:
+ description: |-
+ AllowMethods defines the methods that are allowed to make requests.
+ It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
+ The value "*" allows any method to be used.
+ items:
+ type: string
+ type: array
+ allowOrigins:
+ description: |-
+ AllowOrigins defines the origins that are allowed to make requests.
+ It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
+ The value "*" allows any origin to make requests.
+ items:
+ description: |-
+ Origin is defined by the scheme (protocol), hostname (domain), and port of
+ the URL used to access it. The hostname can be "precise" which is just the
+ domain name or "wildcard" which is a domain name prefixed with a single
+ wildcard label such as "*.example.com".
+ In addition to that a single wildcard (with or without scheme) can be
+ configured to match any origin.
+
+ For example, the following are valid origins:
+ - https://foo.example.com
+ - https://*.example.com
+ - http://foo.example.com:8080
+ - http://*.example.com:8080
+ - https://*
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$
+ type: string
+ type: array
+ exposeHeaders:
+ description: |-
+ ExposeHeaders defines which response headers should be made accessible to
+ scripts running in the browser.
+ It specifies the headers in the Access-Control-Expose-Headers CORS response header..
+ The value "*" allows any header to be exposed.
+ items:
+ type: string
+ type: array
+ maxAge:
+ description: |-
+ MaxAge defines how long the results of a preflight request can be cached.
+ It specifies the value in the Access-Control-Max-Age CORS response header..
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ extAuth:
+ description: ExtAuth defines the configuration for External Authorization.
+ properties:
+ bodyToExtAuth:
+ description: BodyToExtAuth defines the Body to Ext Auth configuration.
+ properties:
+ maxRequestBytes:
+ description: |-
+ MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
+ Envoy will return HTTP 413 and will not initiate the authorization process when buffer
+ reaches the number set in this field.
+ Note that this setting will have precedence over failOpen mode.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - maxRequestBytes
+ type: object
+ contextExtensions:
+ description: |-
+ ContextExtensions are analogous to http_request.headers, however these
+ contents will not be sent to the upstream server. This provides an
+ extension mechanism for sending additional information to the auth server
+ without modifying the proto definition. It maps to the internal opaque
+ context in the filter chain.
+ items:
+ description: |-
+ ContextExtension is analogous to http_request.headers, however these
+ contents will not be sent to the upstream server. This provides an
+ extension mechanism for sending additional information to the auth server
+ without modifying the proto definition. It maps to the internal opaque
+ context in the filter chain.
+ properties:
+ name:
+ description: Name of the context extension.
+ type: string
+ type:
+ default: Value
+ description: |-
+ Type is the type of method to use to read the ContextExtension value.
+ Valid values are Value and ValueRef, default is Value.
+ enum:
+ - Value
+ - ValueRef
+ type: string
+ value:
+ description: Value of the context extension.
+ type: string
+ valueRef:
+ description: ValueRef for the context extension's value.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ key:
+ description: The key to select.
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - key
+ - kind
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Only a reference to an object of kind ConfigMap
+ or Secret belonging to default v1 API group is supported.
+ rule: self.kind in ['ConfigMap', 'Secret'] && self.group
+ in ['', 'v1']
+ required:
+ - name
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: Exactly one of value or valueRef must be set with
+ correct type.
+ rule: (self.type == 'Value' && has(self.value) && !has(self.valueRef))
+ || (self.type == 'ValueRef' && !has(self.value) && has(self.valueRef))
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ failOpen:
+ default: false
+ description: |-
+ FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
+ If FailOpen is set to true, the system allows the traffic to pass through.
+ Otherwise, if it is set to false or not set (defaulting to false),
+ the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
+ This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
+
+ If set to true, the External Authorization will also be bypassed if its configuration is invalid.
+ type: boolean
+ grpc:
+ description: |-
+ GRPC defines the gRPC External Authorization service.
+ Either GRPCService or HTTPService must be specified,
+ and only one of them can be provided.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a
+ backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) :
+ !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' :
+ true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base
+ duration for which a host will be ejected on
+ consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors sets the
+ number of consecutive gateway errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be
+ ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash
+ policy when the consistent hash type is set
+ to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set
+ for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures the query
+ parameter hash policy when the consistent hash
+ type is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query param to
+ hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the
+ header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is headers, the
+ headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
+ - message: If consistent hash type is cookie, the
+ cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ - message: If consistent hash type is queryParams,
+ the queryParams field must be set.
+ rule: 'self.type == ''QueryParams'' ? has(self.queryParams)
+ : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality
+ zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the
+ minimum number of total upstream endpoints
+ across all zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If
+ not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ type: object
+ x-kubernetes-validations:
+ - message: backendRef or backendRefs needs to be set
+ rule: has(self.backendRef) || self.backendRefs.size() > 0
+ - message: BackendRefs only supports Service, ServiceImport, and
+ Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'' || f.kind == ''ServiceImport'' || f.kind ==
+ ''Backend'') : true'
+ - message: BackendRefs only supports Core, multicluster.x-k8s.io,
+ and gateway.envoyproxy.io groups.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
+ == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
+ ''gateway.envoyproxy.io'')) : true'
+ headersToExtAuth:
+ description: |-
+ HeadersToExtAuth defines the client request headers that will be included
+ in the request to the external authorization service.
+ Note: If not specified, the default behavior for gRPC and HTTP external
+ authorization services is different due to backward compatibility reasons.
+ All headers will be included in the check request to a gRPC authorization server.
+ Only the following headers will be included in the check request to an HTTP
+ authorization server: Host, Method, Path, Content-Length, and Authorization.
+ And these headers will always be included to the check request to an HTTP
+ authorization server by default, no matter whether they are specified
+ in HeadersToExtAuth or not.
+ items:
+ type: string
+ type: array
+ http:
+ description: |-
+ HTTP defines the HTTP External Authorization service.
+ Either GRPCService or HTTPService must be specified,
+ and only one of them can be provided.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a
+ backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) :
+ !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' :
+ true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base
+ duration for which a host will be ejected on
+ consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors sets the
+ number of consecutive gateway errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be
+ ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash
+ policy when the consistent hash type is set
+ to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set
+ for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures the query
+ parameter hash policy when the consistent hash
+ type is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query param to
+ hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the
+ header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is headers, the
+ headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
+ - message: If consistent hash type is cookie, the
+ cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ - message: If consistent hash type is queryParams,
+ the queryParams field must be set.
+ rule: 'self.type == ''QueryParams'' ? has(self.queryParams)
+ : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality
+ zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the
+ minimum number of total upstream endpoints
+ across all zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If
+ not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ headersToBackend:
+ description: |-
+ HeadersToBackend are the authorization response headers that will be added
+ to the original client request before sending it to the backend server.
+ Note that coexisting headers will be overridden.
+ If not specified, no authorization response headers will be added to the
+ original client request.
+ items:
+ type: string
+ type: array
+ path:
+ description: |-
+ Path is the path of the HTTP External Authorization service.
+ If path is specified, the authorization request will be sent to that path,
+ or else the authorization request will use the path of the original request.
+
+ Please note that the original request path will be appended to the path specified here.
+ For example, if the original request path is "/hello", and the path specified here is "/auth",
+ then the path of the authorization request will be "/auth/hello". If the path is not specified,
+ the path of the authorization request will be "/hello".
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: backendRef or backendRefs needs to be set
+ rule: has(self.backendRef) || self.backendRefs.size() > 0
+ - message: BackendRefs only supports Service, ServiceImport, and
+ Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'' || f.kind == ''ServiceImport'' || f.kind ==
+ ''Backend'') : true'
+ - message: BackendRefs only supports Core, multicluster.x-k8s.io,
+ and gateway.envoyproxy.io groups.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
+ == "" || f.group == ''multicluster.x-k8s.io'' || f.group ==
+ ''gateway.envoyproxy.io'')) : true'
+ recomputeRoute:
+ description: |-
+ RecomputeRoute clears the route cache and recalculates the routing decision.
+ This field must be enabled if the headers added or modified by the ExtAuth are used for
+ route matching decisions. If the recomputation selects a new route, features targeting
+ the new matched route will be applied.
+ type: boolean
+ timeout:
+ description: |-
+ Timeout defines the timeout for requests to the external authorization service.
+ If not specified, defaults to 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: one of grpc or http must be specified
+ rule: (has(self.grpc) || has(self.http))
+ - message: only one of grpc or http can be specified
+ rule: (has(self.grpc) && !has(self.http)) || (!has(self.grpc) &&
+ has(self.http))
+ jwt:
+ description: JWT defines the configuration for JSON Web Token (JWT)
+ authentication.
+ properties:
+ optional:
+ description: |-
+ Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
+ Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
+ type: boolean
+ providers:
+ description: |-
+ Providers defines the JSON Web Token (JWT) authentication provider type.
+ When multiple JWT providers are specified, the JWT is considered valid if
+ any of the providers successfully validate the JWT. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
+ items:
+ description: JWTProvider defines how a JSON Web Token (JWT)
+ can be verified.
+ properties:
+ audiences:
+ description: |-
+ Audiences is a list of JWT audiences allowed access. For additional details, see
+ https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
+ are not checked.
+ items:
+ type: string
+ maxItems: 8
+ type: array
+ claimToHeaders:
+ description: |-
+ ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
+ For examples, following config:
+ The claim must be of type; string, int, double, bool. Array type claims are not supported
+ items:
+ description: ClaimToHeader defines a configuration to
+ convert JWT claims into HTTP headers
+ properties:
+ claim:
+ description: |-
+ Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
+ (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
+ to separate the JSON name path.
+ type: string
+ header:
+ description: Header defines the name of the HTTP request
+ header that the JWT Claim will be saved into.
+ type: string
+ required:
+ - claim
+ - header
+ type: object
+ type: array
+ extractFrom:
+ description: |-
+ ExtractFrom defines different ways to extract the JWT token from HTTP request.
+ If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
+ or access_token from query parameters.
+ properties:
+ cookies:
+ description: Cookies represents a list of cookie names
+ to extract the JWT token from.
+ items:
+ type: string
+ type: array
+ headers:
+ description: Headers represents a list of HTTP request
+ headers to extract the JWT token from.
+ items:
+ description: JWTHeaderExtractor defines an HTTP header
+ location to extract JWT token
+ properties:
+ name:
+ description: Name is the HTTP header name to retrieve
+ the token
+ type: string
+ valuePrefix:
+ description: |-
+ ValuePrefix is the prefix that should be stripped before extracting the token.
+ The format would be used by Envoy like "{ValuePrefix}".
+ For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ params:
+ description: Params represents a list of query parameters
+ to extract the JWT token from.
+ items:
+ type: string
+ type: array
+ type: object
+ issuer:
+ description: |-
+ Issuer is the principal that issued the JWT and takes the form of a URL or email address.
+ For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
+ URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
+ the JWT issuer is not checked.
+ maxLength: 253
+ type: string
+ localJWKS:
+ description: LocalJWKS defines how to get the JSON Web Key
+ Sets (JWKS) from a local source.
+ properties:
+ inline:
+ description: Inline contains the value as an inline
+ string.
+ type: string
+ type:
+ default: Inline
+ description: |-
+ Type is the type of method to use to read the body value.
+ Valid values are Inline and ValueRef, default is Inline.
+ enum:
+ - Inline
+ - ValueRef
+ type: string
+ valueRef:
+ description: |-
+ ValueRef is a reference to a local ConfigMap that contains the JSON Web Key Sets (JWKS).
+
+ The value of key `jwks` in the ConfigMap will be used.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: Exactly one of inline or valueRef must be set
+ with correct type.
+ rule: (self.type == 'Inline' && has(self.inline) && !has(self.valueRef))
+ || (self.type == 'ValueRef' && !has(self.inline) &&
+ has(self.valueRef))
+ name:
+ description: |-
+ Name defines a unique name for the JWT provider. A name can have a variety of forms,
+ including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
+ maxLength: 253
+ minLength: 1
+ type: string
+ recomputeRoute:
+ description: |-
+ RecomputeRoute clears the route cache and recalculates the routing decision.
+ This field must be enabled if the headers generated from the claim are used for
+ route matching decisions. If the recomputation selects a new route, features targeting
+ the new matched route will be applied.
+ type: boolean
+ remoteJWKS:
+ description: |-
+ RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
+ HTTP/HTTPS endpoint.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections
+ that Envoy will establish to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel
+ requests that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel
+ retries that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream
+ cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the
+ maximum number of connections that Envoy
+ will establish per-endpoint to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend connection
+ settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform
+ active health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the
+ number of healthy health checks required
+ before a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines
+ a list of HTTP expected responses
+ to match.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the
+ http status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path
+ that will be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request
+ payload.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to
+ wait for a health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health
+ checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines
+ the number of unhealthy health checks
+ required before a backend host is marked
+ unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http
+ field needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type is TCP, tcp
+ field needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only be set if
+ the Health Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC''
+ : true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the
+ base duration for which a host will be
+ ejected on consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the
+ number of consecutive 5xx errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors sets
+ the number of consecutive gateway errors
+ triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the
+ maximum percentage of hosts in a cluster
+ that can be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors between external
+ and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie
+ hash policy when the consistent hash type
+ is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to
+ set for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the header
+ hash policy for each header, when the
+ consistent hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to
+ hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures the
+ query parameter hash policy when the consistent
+ hash type is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query param
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent
+ hashing, must be prime number limited
+ to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header,
+ the header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is headers,
+ the headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
+ - message: If consistent hash type is cookie,
+ the cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ - message: If consistent hash type is queryParams,
+ the queryParams field must be set.
+ rule: 'self.type == ''QueryParams'' ? has(self.queryParams)
+ : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources
+ to extract endpoint override information
+ from.
+ items:
+ description: EndpointOverrideExtractFrom
+ defines a source to extract endpoint
+ override information from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration
+ related to the distribution of requests between
+ locality zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures
+ zone-aware routing to prefer sending traffic
+ to the local locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is
+ the minimum number of total upstream
+ endpoints across all zones required
+ to enable zone-aware routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage of
+ requests that will be considered for
+ zone aware routing if zone aware routing
+ is configured. If not specified, Envoy
+ defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported
+ for RoundRobin and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported
+ for LeastRequest, Random, and RoundRobin load
+ balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries
+ to be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to
+ be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base
+ interval between retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per
+ retry attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry
+ trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the
+ conditions that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time
+ until which entire response is received
+ from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only
+ works with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ cacheDuration:
+ default: 300s
+ description: |-
+ Duration is a string value representing a duration in time. The format is as specified
+ in GEP-2257, a strict subset of the syntax parsed by Golang time.ParseDuration.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ uri:
+ description: |-
+ URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.
+ If a custom trust bundle is needed, it can be specified in a BackendTLSConfig resource and target the BackendRefs.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - uri
+ type: object
+ x-kubernetes-validations:
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: Retry timeout is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)?
+ !has(self.backendSettings.retry.perRetry.timeout):true):true):true
+ - message: HTTPStatusCodes is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)?
+ !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: claimToHeaders must be specified if recomputeRoute
+ is enabled.
+ rule: '(has(self.recomputeRoute) && self.recomputeRoute) ?
+ size(self.claimToHeaders) > 0 : true'
+ - message: either remoteJWKS or localJWKS must be specified.
+ rule: has(self.remoteJWKS) || has(self.localJWKS)
+ - message: remoteJWKS and localJWKS cannot both be specified.
+ rule: '!(has(self.remoteJWKS) && has(self.localJWKS))'
+ maxItems: 4
+ minItems: 1
+ type: array
+ required:
+ - providers
+ type: object
+ oidc:
+ description: OIDC defines the configuration for the OpenID Connect
+ (OIDC) authentication.
+ properties:
+ clientID:
+ description: |-
+ The client ID to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+ Only one of clientID or clientIDRef must be set.
+ minLength: 1
+ type: string
+ clientIDRef:
+ description: |-
+ The Kubernetes secret which contains the client ID to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ Exactly one of clientID or clientIDRef must be set.
+ This is an Opaque secret. The client ID should be stored in the key "client-id".
+
+ Only one of clientID or clientIDRef must be set.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ clientSecret:
+ description: |-
+ The Kubernetes secret which contains the OIDC client secret to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+ This is an Opaque secret. The client secret should be stored in the key
+ "client-secret".
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ cookieConfig:
+ description: |-
+ CookieConfigs allows setting the SameSite attribute for OIDC cookies.
+ By default, its unset.
+ properties:
+ sameSite:
+ enum:
+ - Lax
+ - Strict
+ - None
+ type: string
+ type: object
+ cookieDomain:
+ description: |-
+ The optional domain to set the access and ID token cookies on.
+ If not set, the cookies will default to the host of the request, not including the subdomains.
+ If set, the cookies will be set on the specified domain and all subdomains.
+ This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
+ type: string
+ cookieNames:
+ description: |-
+ The optional cookie name overrides to be used for Bearer and IdToken cookies in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, uses a randomly generated suffix
+ properties:
+ accessToken:
+ description: |-
+ The name of the cookie used to store the AccessToken in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, defaults to "AccessToken-(randomly generated uid)"
+ type: string
+ idToken:
+ description: |-
+ The name of the cookie used to store the IdToken in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, defaults to "IdToken-(randomly generated uid)"
+ type: string
+ type: object
+ csrfTokenTTL:
+ description: |-
+ CSRFTokenTTL defines how long the CSRF token generated during the OAuth2 authorization flow remains valid.
+
+ This duration determines the lifetime of the CSRF cookie, which is validated against the CSRF token
+ in the "state" parameter when the provider redirects back to the callback endpoint.
+
+ If omitted, Envoy Gateway defaults the token expiration to 10 minutes.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ defaultRefreshTokenTTL:
+ description: |-
+ DefaultRefreshTokenTTL is the default lifetime of the refresh token.
+ This field is only used when the exp (expiration time) claim is omitted in
+ the refresh token or the refresh token is not JWT.
+
+ If not specified, defaults to 604800s (one week).
+ Note: this field is only applicable when the "refreshToken" field is set to true.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ defaultTokenTTL:
+ description: |-
+ DefaultTokenTTL is the default lifetime of the id token and access token.
+ Please note that Envoy will always use the expiry time from the response
+ of the authorization server if it is provided. This field is only used when
+ the expiry time is not provided by the authorization.
+
+ If not specified, defaults to 0. In this case, the "expires_in" field in
+ the authorization response must be set by the authorization server, or the
+ OAuth flow will fail.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ denyRedirect:
+ description: |-
+ Any request that matches any of the provided matchers (with either tokens that are expired or missing tokens) will not be redirected to the OIDC Provider.
+ This behavior can be useful for AJAX or machine requests.
+ properties:
+ headers:
+ description: Defines the headers to match against the request
+ to deny redirect to the OIDC Provider.
+ items:
+ description: OIDCDenyRedirectHeader defines how a header
+ is matched
+ properties:
+ name:
+ description: Specifies the name of the header in the
+ request.
+ minLength: 1
+ type: string
+ type:
+ default: Exact
+ description: Type specifies how to match against a string.
+ enum:
+ - Exact
+ - Prefix
+ - Suffix
+ - RegularExpression
+ type: string
+ value:
+ description: Value specifies the string value that the
+ match must have.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - headers
+ type: object
+ disableTokenEncryption:
+ description: |-
+ Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.
+ This option should only be used in secure environments where token encryption is not required.
+ Default is false (tokens are encrypted).
+ type: boolean
+ forwardAccessToken:
+ description: |-
+ ForwardAccessToken indicates whether the Envoy should forward the access token
+ via the Authorization header Bearer scheme to the upstream.
+ If not specified, defaults to false.
+ type: boolean
+ logoutPath:
+ description: |-
+ The path to log a user out, clearing their credential cookies.
+
+ If not specified, uses a default logout path "/logout"
+ type: string
+ passThroughAuthHeader:
+ description: |-
+ Skips OIDC authentication when the request contains a header that will be extracted by the JWT filter. Unless
+ explicitly stated otherwise in the extractFrom field, this will be the "Authorization: Bearer ..." header.
+
+ The passThroughAuthHeader option is typically used for non-browser clients that may not be able to handle OIDC
+ redirects and wish to directly supply a token instead.
+
+ If not specified, defaults to false.
+ type: boolean
+ provider:
+ description: The OIDC Provider configuration.
+ properties:
+ authorizationEndpoint:
+ description: |-
+ The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ type: string
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ weight:
+ default: 1
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
+ format: int32
+ maximum: 1000000
+ minimum: 0
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ perEndpoint:
+ description: PerEndpoint defines Circuit Breakers
+ that will apply per-endpoint for an upstream cluster
+ properties:
+ maxConnections:
+ default: 1024
+ description: MaxConnections configures the maximum
+ number of connections that Envoy will establish
+ per-endpoint to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ preconnect:
+ description: |-
+ Preconnect configures proactive upstream connections to reduce latency by establishing
+ connections before they’re needed and avoiding connection establishment overhead.
+
+ If unset, Envoy will fetch connections as needed to serve in-flight requests.
+ properties:
+ perEndpointPercent:
+ description: |-
+ PerEndpointPercent configures how many additional connections to maintain per
+ upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a
+ percentage of the connections required by active streams
+ (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×).
+
+ Allowed value range is between 100-300. When both PerEndpointPercent and
+ PredictivePercent are set, Envoy ensures both are satisfied (max of the two).
+ format: int32
+ maximum: 300
+ minimum: 100
+ type: integer
+ predictivePercent:
+ description: |-
+ PredictivePercent configures how many additional connections to maintain
+ across the cluster by anticipating which upstream endpoint the load balancer
+ will select next, useful for low-QPS services. Relies on deterministic
+ loadbalancing and is only supported with Random or RoundRobin.
+ Expressed as a percentage of the connections required by active streams
+ (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×).
+
+ Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are
+ set Envoy ensures both are satisfied per host (max of the two).
+ format: int32
+ minimum: 100
+ type: integer
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ lookupFamily:
+ description: |-
+ LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN).
+ If set, this configuration overrides other defaults.
+ enum:
+ - IPv4
+ - IPv6
+ - IPv4Preferred
+ - IPv6Preferred
+ - IPv4AndIPv6
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ hostname:
+ description: |-
+ Hostname defines the HTTP host that will be requested during health checking.
+ Default: HTTPRoute or GRPCRoute hostname.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ initialJitter:
+ description: |-
+ InitialJitter defines the maximum time Envoy will wait before the first health check.
+ Envoy will randomly select a value between 0 and the initial jitter value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a
+ backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) :
+ !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' :
+ true'
+ panicThreshold:
+ description: |-
+ When number of unhealthy endpoints for a backend reaches this threshold
+ Envoy will disregard health status and balance across all endpoints.
+ It's designed to prevent a situation in which host failures cascade throughout the cluster
+ as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base
+ duration for which a host will be ejected on
+ consecutive failures.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ description: ConsecutiveGatewayErrors sets the
+ number of consecutive gateway errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ failurePercentageThreshold:
+ description: |-
+ FailurePercentageThreshold sets the failure percentage threshold for outlier detection.
+ If the failure percentage of a given host is greater than or equal to this value, it will be ejected.
+ Defaults to 85.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be
+ ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash
+ policy when the consistent hash type is set
+ to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set
+ for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: |-
+ Header configures the header hash policy when the consistent hash type is set to Header.
+
+ Deprecated: use Headers instead
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ headers:
+ description: Headers configures the header hash
+ policy for each header, when the consistent
+ hash type is set to Headers.
+ items:
+ description: |-
+ Header defines the header hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ queryParams:
+ description: QueryParams configures the query
+ parameter hash policy when the consistent hash
+ type is set to QueryParams.
+ items:
+ description: |-
+ QueryParam defines the query parameter name hashing configuration for consistent hash based
+ load balancing.
+ properties:
+ name:
+ description: Name of the query param to
+ hash.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Headers",
+ "Cookie".
+ "QueryParams".
+ enum:
+ - SourceIP
+ - Header
+ - Headers
+ - Cookie
+ - QueryParams
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the
+ header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is headers, the
+ headers field must be set.
+ rule: 'self.type == ''Headers'' ? has(self.headers)
+ : !has(self.headers)'
+ - message: If consistent hash type is cookie, the
+ cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ - message: If consistent hash type is queryParams,
+ the queryParams field must be set.
+ rule: 'self.type == ''QueryParams'' ? has(self.queryParams)
+ : !has(self.queryParams)'
+ endpointOverride:
+ description: |-
+ EndpointOverride defines the configuration for endpoint override.
+ When specified, the load balancer will attempt to route requests to endpoints
+ based on the override information extracted from request headers or metadata.
+ If the override endpoints are not available, the configured load balancer policy will be used as fallback.
+ properties:
+ extractFrom:
+ description: ExtractFrom defines the sources to
+ extract endpoint override information from.
+ items:
+ description: EndpointOverrideExtractFrom defines
+ a source to extract endpoint override information
+ from.
+ properties:
+ header:
+ description: |-
+ Header defines the header to get the override endpoint addresses.
+ The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format.
+ For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`.
+ The IPv6 address is enclosed in square brackets.
+ type: string
+ type: object
+ maxItems: 10
+ minItems: 1
+ type: array
+ required:
+ - extractFrom
+ type: object
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ zoneAware:
+ description: ZoneAware defines the configuration related
+ to the distribution of requests between locality
+ zones.
+ properties:
+ preferLocal:
+ description: PreferLocalZone configures zone-aware
+ routing to prefer sending traffic to the local
+ locality zone.
+ properties:
+ force:
+ description: |-
+ ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior
+ which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.
+ properties:
+ minEndpointsInZoneThreshold:
+ description: |-
+ MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone
+ override. This is useful for protecting zones with fewer endpoints.
+ format: int32
+ type: integer
+ type: object
+ minEndpointsThreshold:
+ description: MinEndpointsThreshold is the
+ minimum number of total upstream endpoints
+ across all zones required to enable zone-aware
+ routing.
+ format: int64
+ type: integer
+ percentageEnabled:
+ description: Configures percentage of requests
+ that will be considered for zone aware routing
+ if zone aware routing is configured. If
+ not specified, Envoy defaults to 100%.
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
+ type: object
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ - message: Currently ZoneAware is only supported for LeastRequest,
+ Random, and RoundRobin load balancers.
+ rule: 'self.type == ''ConsistentHash'' ? !has(self.zoneAware)
+ : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numAttemptsPerPriority:
+ description: |-
+ NumAttemptsPerPriority defines the number of requests (initial attempt + retries)
+ that should be sent to the same priority before switching to a different one.
+ If not specified or set to 0, all requests are sent to the highest priority that is healthy.
+ format: int32
+ type: integer
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ maximum: 599
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - reset-before-request
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxStreamDuration:
+ description: |-
+ MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time
+ from when the request is sent until the response stream is fully consumed and does not apply to
+ non-streaming requests.
+ When set to "0s", no max duration is applied and streams can run indefinitely.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: predictivePercent in preconnect policy only works
+ with RoundRobin or Random load balancers
+ rule: '!((has(self.connection) && has(self.connection.preconnect)
+ && has(self.connection.preconnect.predictivePercent))
+ && !(has(self.loadBalancer) && has(self.loadBalancer.type)
+ && self.loadBalancer.type in [''Random'', ''RoundRobin'']))'
+ endSessionEndpoint:
+ description: |-
+ The OIDC Provider's [end session endpoint](https://openid.net/specs/openid-connect-core-1_0.html#RPLogout).
+
+ If the end session endpoint is provided, EG will use it to log out the user from the OIDC Provider when the user accesses the logout path.
+ EG will also try to discover the end session endpoint from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse) when authorizationEndpoint or tokenEndpoint is not provided.
+ type: string
+ issuer:
+ description: |-
+ The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+ Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
+ be https, a host component, and optionally, port and path components and
+ no query or fragment components.
+ minLength: 1
+ type: string
+ tokenEndpoint:
+ description: |-
+ The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ type: string
+ required:
+ - issuer
+ type: object
+ x-kubernetes-validations:
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: Retry timeout is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)?
+ !has(self.backendSettings.retry.perRetry.timeout):true):true):true
+ - message: HTTPStatusCodes is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)?
+ !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true
+ redirectURL:
+ description: |-
+ The redirect URL to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
+ type: string
+ refreshToken:
+ default: true
+ description: |-
+ RefreshToken indicates whether the Envoy should automatically refresh the
+ id token and access token when they expire.
+ When set to true, the Envoy will use the refresh token to get a new id token
+ and access token when they expire.
+
+ If not specified, defaults to true.
+ type: boolean
+ resources:
+ description: |-
+ The OIDC resources to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ items:
+ type: string
+ type: array
+ scopes:
+ description: |-
+ The OIDC scopes to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ The "openid" scope is always added to the list of scopes if not already
+ specified.
+ items:
+ type: string
+ type: array
+ required:
+ - clientSecret
+ - provider
+ type: object
+ x-kubernetes-validations:
+ - message: only one of clientID or clientIDRef must be set
+ rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
+ && has(self.clientIDRef))
+ targetRef:
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchExpressions:
+ description: MatchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true'
+ - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute
+ rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
+ ''GRPCRoute'', ''TCPRoute''] : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true '
+ - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
+ ''HTTPRoute'', ''GRPCRoute'', ''TCPRoute'']) : true '
+ - message: if authorization.rules.principal.jwt is used, jwt must be defined
+ rule: '(has(self.authorization) && has(self.authorization.rules) &&
+ self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt)
+ : true'
+ status:
+ description: Status defines the current status of SecurityPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: |-
+ Conditions describes the status of the Policy with respect to the given Ancestor.
+
+
+
+ Notes for implementors:
+
+ Conditions are a listType `map`, which means that they function like a
+ map with a key of the `type` field _in the k8s apiserver_.
+
+ This means that implementations must obey some rules when updating this
+ section.
+
+ * Implementations MUST perform a read-modify-write cycle on this field
+ before modifying it. That is, when modifying this field, implementations
+ must be confident they have fetched the most recent version of this field,
+ and ensure that changes they make are on that recent version.
+ * Implementations MUST NOT remove or reorder Conditions that they are not
+ directly responsible for. For example, if an implementation sees a Condition
+ with type `special.io/SomeField`, it MUST NOT remove, change or update that
+ Condition.
+ * Implementations MUST always _merge_ changes into Conditions of the same Type,
+ rather than creating more than one Condition of the same Type.
+ * Implementations MUST always update the `observedGeneration` field of the
+ Condition to the `metadata.generation` of the Gateway at the time of update creation.
+ * If the `observedGeneration` of a Condition is _greater than_ the value the
+ implementation knows about, then it MUST NOT perform the update on that Condition,
+ but must wait for a future reconciliation and status update. (The assumption is that
+ the implementation's copy of the object is stale and an update will be re-triggered
+ if relevant.)
+
+
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - conditions
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/sources/envoy-gateway/v1.7.1/templates/NOTES.txt b/sources/envoy-gateway/v1.7.1/templates/NOTES.txt
new file mode 100644
index 00000000..595c49bc
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/NOTES.txt
@@ -0,0 +1,20 @@
+**************************************************************************
+*** PLEASE BE PATIENT: Envoy Gateway may take a few minutes to install ***
+**************************************************************************
+
+Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway.
+
+Thank you for installing Envoy Gateway! 🎉
+
+Your release is named: {{ .Release.Name }}. 🎉
+
+Your release is in namespace: {{ .Release.Namespace }}. 🎉
+
+To learn more about the release, try:
+
+ $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
+ $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
+
+To have a quickstart of Envoy Gateway, please refer to https://gateway.envoyproxy.io/latest/tasks/quickstart.
+
+To get more details, please visit https://gateway.envoyproxy.io and https://github.com/envoyproxy/gateway.
diff --git a/sources/envoy-gateway/v1.7.1/templates/_helpers.tpl b/sources/envoy-gateway/v1.7.1/templates/_helpers.tpl
new file mode 100644
index 00000000..cbfcf8dd
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/_helpers.tpl
@@ -0,0 +1,187 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "eg.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "eg.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "eg.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "eg.labels" -}}
+helm.sh/chart: {{ include "eg.chart" . }}
+{{ include "eg.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "eg.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "eg.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "eg.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "eg.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+The name of the Envoy Gateway image.
+*/}}
+{{- define "eg.image" -}}
+{{/* if deployment-specific repository is defined, it takes precedence */}}
+{{- if .Values.deployment.envoyGateway.image.repository -}}
+{{/* if global.imageRegistry is defined, it takes precedence always */}}
+{{- if .Values.global.imageRegistry -}}
+{{- $repositoryParts := splitn "/" 2 .Values.deployment.envoyGateway.image.repository -}}
+{{- $registryName := .Values.global.imageRegistry -}}
+{{- $repositoryName := $repositoryParts._1 -}}
+{{- $imageTag := default .Chart.AppVersion .Values.deployment.envoyGateway.image.tag -}}
+{{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}}
+{{/* if global.imageRegistry is undefined, take repository as is */}}
+{{- else -}}
+{{- $imageTag := default .Chart.AppVersion .Values.deployment.envoyGateway.image.tag -}}
+{{- printf "%s:%s" .Values.deployment.envoyGateway.image.repository $imageTag -}}
+{{- end -}}
+{{/* else, global image is used if defined */}}
+{{- else if .Values.global.images.envoyGateway.image -}}
+{{- $imageParts := splitn "/" 2 .Values.global.images.envoyGateway.image -}}
+{{/* if global.imageRegistry is defined, it takes precedence always */}}
+{{- $registryName := default $imageParts._0 .Values.global.imageRegistry -}}
+{{- $repositoryTag := $imageParts._1 -}}
+{{- $repositoryParts := splitn ":" 2 $repositoryTag -}}
+{{- $repositoryName := $repositoryParts._0 -}}
+{{- $imageTag := $repositoryParts._1 -}}
+{{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}}
+{{- else -}}
+docker.io/envoyproxy/gateway:{{ .Chart.Version }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Pull policy for the Envoy Gateway image.
+*/}}
+{{- define "eg.image.pullPolicy" -}}
+{{- default .Values.deployment.envoyGateway.imagePullPolicy .Values.global.images.envoyGateway.pullPolicy -}}
+{{- end }}
+
+{{/*
+Pull secrets for the Envoy Gateway image.
+*/}}
+{{- define "eg.image.pullSecrets" -}}
+{{- if .Values.global.imagePullSecrets -}}
+imagePullSecrets:
+{{ toYaml .Values.global.imagePullSecrets }}
+{{- else if .Values.deployment.envoyGateway.imagePullSecrets -}}
+imagePullSecrets:
+{{ toYaml .Values.deployment.envoyGateway.imagePullSecrets }}
+{{- else if .Values.global.images.envoyGateway.pullSecrets -}}
+imagePullSecrets:
+{{ toYaml .Values.global.images.envoyGateway.pullSecrets }}
+{{- else -}}
+imagePullSecrets: {{ toYaml list }}
+{{- end }}
+{{- end }}
+
+{{/*
+The name of the Envoy Ratelimit image.
+*/}}
+{{- define "eg.ratelimit.image" -}}
+{{- $imageParts := splitn "/" 2 .Values.global.images.ratelimit.image -}}
+{{/* if global.imageRegistry is defined, it takes precedence always */}}
+{{- $registryName := default $imageParts._0 .Values.global.imageRegistry -}}
+{{- $repositoryTag := $imageParts._1 -}}
+{{- $repositoryParts := splitn ":" 2 $repositoryTag -}}
+{{- $repositoryName := $repositoryParts._0 -}}
+{{- $imageTag := default "master" $repositoryParts._1 -}}
+{{- printf "%s/%s:%s" $registryName $repositoryName $imageTag -}}
+{{- end -}}
+
+{{/*
+Pull secrets for the Envoy Ratelimit image.
+*/}}
+{{- define "eg.ratelimit.image.pullSecrets" -}}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{ toYaml .Values.global.imagePullSecrets }}
+{{- else if .Values.global.images.ratelimit.pullSecrets -}}
+imagePullSecrets:
+{{ toYaml .Values.global.images.ratelimit.pullSecrets }}
+{{- else }}
+imagePullSecrets: {{ toYaml list }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+The default Envoy Gateway configuration.
+*/}}
+{{- define "eg.default-envoy-gateway-config" -}}
+provider:
+ type: Kubernetes
+ kubernetes:
+ rateLimitDeployment:
+ container:
+ image: {{ include "eg.ratelimit.image" . }}
+ {{- if (or .Values.global.imagePullSecrets .Values.global.images.ratelimit.pullSecrets) }}
+ pod:
+ {{- include "eg.ratelimit.image.pullSecrets" . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.global.images.ratelimit.pullPolicy }}
+ patch:
+ type: StrategicMerge
+ value:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: envoy-ratelimit
+ imagePullPolicy: {{ . }}
+ {{- end }}
+ shutdownManager:
+ image: {{ include "eg.image" . }}
+{{- with .Values.config.envoyGateway.extensionApis }}
+extensionApis:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- if not .Values.topologyInjector.enabled }}
+proxyTopologyInjector:
+ disabled: true
+{{- end }}
+{{- end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/_rbac.tpl b/sources/envoy-gateway/v1.7.1/templates/_rbac.tpl
new file mode 100644
index 00000000..c8a07d18
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/_rbac.tpl
@@ -0,0 +1,273 @@
+{{/*
+All namespaced resources for Envoy Gateway RBAC.
+*/}}
+{{- define "eg.rbac.namespaced" -}}
+- {{ include "eg.rbac.namespaced.basic" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.apps" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.discovery" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.gateway.envoyproxy" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.gateway.envoyproxy.status" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.gateway.networking" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.gateway.networking.status" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.gateway.networking.experimental" . | nindent 2 | trim }}
+- {{ include "eg.rbac.namespaced.gateway.networking.experimental.status" . | nindent 2 | trim }}
+{{- if .Values.topologyInjector.enabled }}
+- {{ include "eg.rbac.namespaced.topologyinjector" . | nindent 2 | trim }}
+{{- end }}
+{{- end }}
+
+{{/*
+All cluster scoped resources for Envoy Gateway RBAC.
+*/}}
+{{- define "eg.rbac.cluster" -}}
+- {{ include "eg.rbac.cluster.basic" . | nindent 2 | trim }}
+- {{ include "eg.rbac.cluster.gateway.networking" . | nindent 2 | trim }}
+- {{ include "eg.rbac.cluster.gateway.networking.status" . | nindent 2 | trim }}
+- {{ include "eg.rbac.cluster.multiclusterservices" . | nindent 2 | trim }}
+{{- end }}
+
+{{/*
+Namespaced
+*/}}
+
+{{- define "eg.rbac.namespaced.basic" -}}
+apiGroups:
+- ""
+resources:
+- configmaps
+- secrets
+- services
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.namespaced.topologyinjector" -}}
+apiGroups:
+- ""
+resources:
+- pods
+- pods/binding
+verbs:
+- get
+- list
+- patch
+- update
+- watch
+{{- end }}
+
+{{- define "eg.rbac.namespaced.apps" -}}
+apiGroups:
+- apps
+resources:
+- deployments
+- daemonsets
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.namespaced.discovery" -}}
+apiGroups:
+- discovery.k8s.io
+resources:
+- endpointslices
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.namespaced.gateway.envoyproxy" -}}
+apiGroups:
+- gateway.envoyproxy.io
+resources:
+- envoyproxies
+- envoypatchpolicies
+- clienttrafficpolicies
+- backendtrafficpolicies
+- securitypolicies
+- envoyextensionpolicies
+- backends
+- httproutefilters
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.namespaced.gateway.envoyproxy.status" -}}
+apiGroups:
+- gateway.envoyproxy.io
+resources:
+- envoypatchpolicies/status
+- clienttrafficpolicies/status
+- backendtrafficpolicies/status
+- securitypolicies/status
+- envoyextensionpolicies/status
+- backends/status
+verbs:
+- update
+{{- end }}
+
+{{- define "eg.rbac.namespaced.gateway.networking" -}}
+apiGroups:
+- gateway.networking.k8s.io
+resources:
+- gateways
+- grpcroutes
+- httproutes
+- referencegrants
+- tcproutes
+- tlsroutes
+- udproutes
+- backendtlspolicies
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.namespaced.gateway.networking.status" -}}
+apiGroups:
+- gateway.networking.k8s.io
+resources:
+- gateways/status
+- grpcroutes/status
+- httproutes/status
+- tcproutes/status
+- tlsroutes/status
+- udproutes/status
+- backendtlspolicies/status
+verbs:
+- update
+{{- end }}
+
+{{- define "eg.rbac.namespaced.gateway.networking.experimental" -}}
+apiGroups:
+- gateway.networking.x-k8s.io
+resources:
+- xlistenersets
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.namespaced.gateway.networking.experimental.status" -}}
+apiGroups:
+- gateway.networking.x-k8s.io
+resources:
+- xlistenersets/status
+verbs:
+- update
+{{- end }}
+
+{{/*
+Cluster scope
+*/}}
+
+{{- define "eg.rbac.cluster.basic" -}}
+apiGroups:
+- ""
+resources:
+- nodes
+- namespaces
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.cluster.gateway.networking" -}}
+apiGroups:
+- gateway.networking.k8s.io
+resources:
+- gatewayclasses
+verbs:
+- get
+- list
+- patch
+- update
+- watch
+{{- end }}
+
+
+{{- define "eg.rbac.cluster.multiclusterservices" -}}
+apiGroups:
+- multicluster.x-k8s.io
+resources:
+- serviceimports
+verbs:
+- get
+- list
+- watch
+{{- end }}
+
+{{- define "eg.rbac.cluster.gateway.networking.status" -}}
+apiGroups:
+- gateway.networking.k8s.io
+resources:
+- gatewayclasses/status
+verbs:
+- update
+{{- end }}
+
+{{- define "eg.rbac.infra.basic" -}}
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ - services
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - delete
+ - deletecollection
+ - patch
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - create
+ - get
+ - delete
+ - deletecollection
+ - patch
+- apiGroups:
+ - autoscaling
+ - policy
+ resources:
+ - horizontalpodautoscalers
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - get
+ - list
+ - delete
+ - deletecollection
+ - patch
+- apiGroups:
+ - certificates.k8s.io
+ resources:
+ - clustertrustbundles
+ verbs:
+ - list
+ - get
+ - watch
+{{- end }}
+
+{{- define "eg.rbac.infra.tokenreview" -}}
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+{{- end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/certgen-rbac.yaml b/sources/envoy-gateway/v1.7.1/templates/certgen-rbac.yaml
new file mode 100644
index 00000000..5baf2fff
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/certgen-rbac.yaml
@@ -0,0 +1,127 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "eg.fullname" . }}-certgen
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "eg.fullname" . }}-certgen
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - create
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "eg.fullname" . }}-certgen
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: '{{ include "eg.fullname" . }}-certgen'
+subjects:
+- kind: ServiceAccount
+ name: '{{ include "eg.fullname" . }}-certgen'
+ namespace: '{{ .Release.Namespace }}'
+---
+{{- if .Values.topologyInjector.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: '{{ include "eg.fullname" . }}-certgen:{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
+rules:
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ resourceNames:
+ - 'envoy-gateway-topology-injector.{{ .Release.Namespace }}'
+ verbs:
+ - update
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: '{{ include "eg.fullname" . }}-certgen:{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ {{- if .Values.certgen.rbac.labels }}
+ {{- toYaml .Values.certgen.rbac.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD.
+ {{- if .Values.certgen.rbac.annotations }}
+ {{- toYaml .Values.certgen.rbac.annotations | nindent 4 -}}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "eg.fullname" . }}-certgen:{{ .Release.Namespace }}'
+subjects:
+ - kind: ServiceAccount
+ name: '{{ include "eg.fullname" . }}-certgen'
+ namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/certgen.yaml b/sources/envoy-gateway/v1.7.1/templates/certgen.yaml
new file mode 100644
index 00000000..7f5f7dc7
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/certgen.yaml
@@ -0,0 +1,79 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "eg.fullname" . }}-certgen
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ {{- if .Values.certgen.job.annotations }}
+ {{- toYaml .Values.certgen.job.annotations | nindent 4 -}}
+ {{- end }}
+spec:
+ backoffLimit: 1
+ completions: 1
+ parallelism: 1
+ template:
+ metadata:
+ labels:
+ app: certgen
+ {{- if .Values.certgen.job.pod.labels }}
+ {{- toYaml .Values.certgen.job.pod.labels | nindent 8 -}}
+ {{- end }}
+ {{- if .Values.certgen.job.pod.annotations }}
+ annotations:
+ {{- toYaml .Values.certgen.job.pod.annotations | nindent 8 -}}
+ {{- end }}
+ spec:
+ containers:
+ {{- $args := .Values.certgen.job.args }}
+ {{- if not .Values.topologyInjector.enabled }}
+ {{- $args = append $args "--disable-topology-injector" }}
+ {{- end }}
+ {{- if $args }}
+ - args:
+ {{- toYaml $args | nindent 8 }}
+ command:
+ - envoy-gateway
+ - certgen
+ {{- else }}
+ - command:
+ - envoy-gateway
+ - certgen
+ {{- end }}
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ .Values.kubernetesClusterDomain }}
+ image: {{ include "eg.image" . }}
+ imagePullPolicy: {{ include "eg.image.pullPolicy" . }}
+ name: envoy-gateway-certgen
+ {{- with .Values.certgen.job.resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.certgen.job.securityContext | nindent 10 }}
+ {{- include "eg.image.pullSecrets" . | nindent 6 }}
+ {{- with .Values.certgen.job.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.certgen.job.nodeSelector }}
+ nodeSelector:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.certgen.job.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ restartPolicy: Never
+ serviceAccountName: {{ include "eg.fullname" . }}-certgen
+ {{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }}
+ ttlSecondsAfterFinished: {{ .Values.certgen.job.ttlSecondsAfterFinished }}
+ {{- end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-config.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-config.yaml
new file mode 100644
index 00000000..8fc1d2df
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-config.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: envoy-gateway-config
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+data:
+ envoy-gateway.yaml: |
+ apiVersion: gateway.envoyproxy.io/v1alpha1
+ kind: EnvoyGateway
+ {{- $baseEnvoyGatewayConfig := include "eg.default-envoy-gateway-config" . | fromYaml }}
+ {{- $userEnvoyGatewayConfig := .Values.config.envoyGateway }}
+ {{- $mergedEnvoyGatewayConfig := merge $userEnvoyGatewayConfig $baseEnvoyGatewayConfig }}
+ {{- toYaml $mergedEnvoyGatewayConfig | nindent 4 }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-deployment.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-deployment.yaml
new file mode 100644
index 00000000..1af77a64
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-deployment.yaml
@@ -0,0 +1,110 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: envoy-gateway
+ namespace: '{{ .Release.Namespace }}'
+ {{- with .Values.deployment.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ control-plane: envoy-gateway
+ {{- include "eg.labels" . | nindent 4 }}
+spec:
+{{- if not .Values.hpa.enabled }}
+ replicas: {{ .Values.deployment.replicas }}
+{{- end }}
+ selector:
+ matchLabels:
+ control-plane: envoy-gateway
+ {{- include "eg.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.deployment.pod.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ control-plane: envoy-gateway
+ {{- include "eg.selectorLabels" . | nindent 8 }}
+ {{- with .Values.deployment.pod.labels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.deployment.pod.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.deployment.pod.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.deployment.pod.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.deployment.pod.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ containers:
+ - args:
+ - server
+ - --config-path=/config/envoy-gateway.yaml
+ env:
+ - name: ENVOY_GATEWAY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ .Values.kubernetesClusterDomain }}
+ image: {{ include "eg.image" . }}
+ imagePullPolicy: {{ include "eg.image.pullPolicy" . }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: envoy-gateway
+ ports:
+ {{- range .Values.deployment.ports }}
+ - containerPort: {{ .port }}
+ name: {{ .name }}
+ {{- end}}
+ {{- if .Values.topologyInjector.enabled }}
+ - name: webhook
+ containerPort: 9443
+ {{- end }}
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
+ securityContext:
+ {{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }}
+ volumeMounts:
+ - mountPath: /config
+ name: envoy-gateway-config
+ readOnly: true
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ {{- include "eg.image.pullSecrets" . | nindent 6 }}
+ {{- with .Values.deployment.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
+ serviceAccountName: envoy-gateway
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: envoy-gateway-config
+ name: envoy-gateway-config
+ - name: certs
+ secret:
+ secretName: envoy-gateway
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-hpa.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-hpa.yaml
new file mode 100644
index 00000000..5fd341ca
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-hpa.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.hpa.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: envoy-gateway
+ namespace: '{{ $.Release.Namespace }}'
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: envoy-gateway
+ {{- if .Values.hpa.minReplicas }}
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ {{- end }}
+ maxReplicas: {{ required ".Values.hps.maxReplicas is required when hpa is enabled" .Values.hpa.maxReplicas }}
+ {{- if .Values.hpa.behavior }}
+ behavior:
+{{ toYaml .Values.hpa.behavior | indent 4 }}
+ {{- end }}
+{{- if .Values.hpa.metrics }}
+ metrics:
+{{ toYaml .Values.hpa.metrics | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-poddisruptionbudget.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-poddisruptionbudget.yaml
new file mode 100644
index 00000000..8e0bca0f
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if or (and .Values.podDisruptionBudget.minAvailable (ge (int .Values.podDisruptionBudget.minAvailable) 1) ) (and .Values.podDisruptionBudget.maxUnavailable (ge (int .Values.podDisruptionBudget.maxUnavailable) 1) )}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: envoy-gateway
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ {{- if and .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ control-plane: envoy-gateway
+ {{- include "eg.selectorLabels" . | nindent 6 }}
+{{- end }}
\ No newline at end of file
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-rbac.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-rbac.yaml
new file mode 100644
index 00000000..e07c25f9
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-rbac.yaml
@@ -0,0 +1,82 @@
+{{ $watchedNamespaces := list }}
+{{ if .Values.config.envoyGateway.provider.kubernetes }}
+{{ $kube := .Values.config.envoyGateway.provider.kubernetes }}
+{{ if $kube.watch }}
+{{ if $kube.watch.namespaces }}
+{{ if gt (len $kube.watch.namespaces) 0 }}
+{{ $watchedNamespaces = $kube.watch.namespaces }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{ if gt (len $watchedNamespaces) 0 }}
+{{ range $_, $ns := $watchedNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ name: {{ include "eg.fullname" $ }}-envoy-gateway-role
+ namespace: {{ $ns | quote }}
+rules:
+{{ include "eg.rbac.namespaced" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "eg.fullname" $ }}-envoy-gateway-rolebinding
+ namespace: {{ $ns | quote }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "eg.fullname" $ }}-envoy-gateway-role
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ $.Release.Namespace }}'
+{{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: {{ include "eg.fullname" . }}-envoy-gateway-role
+rules:
+{{ include "eg.rbac.cluster" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "eg.fullname" . }}-envoy-gateway-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "eg.fullname" . }}-envoy-gateway-role
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ .Release.Namespace }}'
+{{ else }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: {{ include "eg.fullname" . }}-envoy-gateway-role
+rules:
+{{ include "eg.rbac.cluster" . }}
+{{ include "eg.rbac.namespaced" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "eg.fullname" . }}-envoy-gateway-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "eg.fullname" . }}-envoy-gateway-role
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ .Release.Namespace }}'
+{{ end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-service.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-service.yaml
new file mode 100644
index 00000000..bc2a1a31
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-service.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: envoy-gateway
+ namespace: '{{ .Release.Namespace }}'
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ control-plane: envoy-gateway
+ {{- include "eg.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ selector:
+ control-plane: envoy-gateway
+ {{- include "eg.selectorLabels" . | nindent 4 }}
+ ports:
+ {{- .Values.deployment.ports | toYaml | nindent 2 -}}
+ {{- if .Values.topologyInjector.enabled }}
+ - name: webhook
+ port: 9443
+ targetPort: 9443
+ {{- end }}
+ {{- with .Values.service.trafficDistribution }}
+ trafficDistribution: {{ . }}
+ {{- end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-serviceaccount.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-serviceaccount.yaml
new file mode 100644
index 00000000..23af6fee
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-gateway-serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: envoy-gateway
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/envoy-proxy-topology-injector-webhook.yaml b/sources/envoy-gateway/v1.7.1/templates/envoy-proxy-topology-injector-webhook.yaml
new file mode 100644
index 00000000..159c4e59
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/envoy-proxy-topology-injector-webhook.yaml
@@ -0,0 +1,63 @@
+{{- if .Values.topologyInjector.enabled }}
+
+{{ $watchedNamespaces := list }}
+{{ $gatewayNamespaceMode := false}}
+{{- if .Values.config.envoyGateway.provider.kubernetes }}
+{{- $kube := .Values.config.envoyGateway.provider.kubernetes }}
+{{- $gatewayNamespaceMode = and ($kube.deploy) (eq $kube.deploy.type "GatewayNamespace") }}
+{{- if $kube.watch }}
+{{- if $kube.watch.namespaces }}
+{{- if gt (len $kube.watch.namespaces) 0 }}
+{{- $watchedNamespaces = $kube.watch.namespaces }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: 'envoy-gateway-topology-injector.{{ .Release.Namespace }}'
+ annotations:
+ "helm.sh/hook": pre-install, pre-upgrade
+ "helm.sh/hook-weight": "-1"
+ {{- if .Values.topologyInjector.annotations }}
+ {{- toYaml .Values.topologyInjector.annotations | nindent 4 -}}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: topology-injector
+ {{- include "eg.labels" . | nindent 4 }}
+webhooks:
+ - name: topology.webhook.gateway.envoyproxy.io
+ admissionReviewVersions: ["v1"]
+ sideEffects: None
+ clientConfig:
+ service:
+ name: envoy-gateway
+ namespace: '{{ .Release.Namespace }}'
+ path: "/inject-pod-topology"
+ port: 9443
+ failurePolicy: Ignore
+ rules:
+ - operations: ["CREATE"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods/binding"]
+ {{- if not $gatewayNamespaceMode }}
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ - {{ .Release.Namespace }}
+ {{- else if gt (len $watchedNamespaces) 0 }}
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: In
+ values:
+ {{- range $watchedNamespaces }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/sources/envoy-gateway/v1.7.1/templates/infra-manager-rbac.yaml b/sources/envoy-gateway/v1.7.1/templates/infra-manager-rbac.yaml
new file mode 100644
index 00000000..d435093c
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/infra-manager-rbac.yaml
@@ -0,0 +1,60 @@
+{{ if .Values.config.envoyGateway.provider.kubernetes }}
+{{ $kube := .Values.config.envoyGateway.provider.kubernetes }}
+{{/* Create ClusterRole for GatewayNamespace mode when:
+ 1. No watch config is set, OR
+ 2. Watch is configured with type NamespaceSelector
+*/}}
+{{ if and ($kube.deploy) (eq $kube.deploy.type "GatewayNamespace") (or (not $kube.watch) (and $kube.watch (eq $kube.watch.type "NamespaceSelector"))) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "eg.fullname" $ }}-cluster-infra-manager
+ labels:
+ {{- include "eg.labels" $ | nindent 4 }}
+rules:
+{{ include "eg.rbac.infra.basic" . }}
+{{ include "eg.rbac.infra.tokenreview" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "eg.fullname" $ }}-cluster-infra-manager
+ labels:
+ {{- include "eg.labels" $ | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "eg.fullname" $ }}-cluster-infra-manager'
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ $.Release.Namespace }}'
+---
+{{ end }}
+{{ end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "eg.fullname" . }}-infra-manager
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+rules:
+{{ include "eg.rbac.infra.basic" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "eg.fullname" . }}-infra-manager
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: '{{ include "eg.fullname" . }}-infra-manager'
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ .Release.Namespace }}'
diff --git a/sources/envoy-gateway/v1.7.1/templates/leader-election-rbac.yaml b/sources/envoy-gateway/v1.7.1/templates/leader-election-rbac.yaml
new file mode 100644
index 00000000..5b59f34c
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/leader-election-rbac.yaml
@@ -0,0 +1,55 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "eg.fullname" . }}-leader-election-role
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "eg.fullname" . }}-leader-election-rolebinding
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: '{{ include "eg.fullname" . }}-leader-election-role'
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ .Release.Namespace }}'
diff --git a/sources/envoy-gateway/v1.7.1/templates/namespace.yaml b/sources/envoy-gateway/v1.7.1/templates/namespace.yaml
new file mode 100644
index 00000000..6a7477b9
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/namespace.yaml
@@ -0,0 +1,6 @@
+{{ if .Values.createNamespace }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: '{{ .Release.Namespace }}'
+{{ end }}
diff --git a/sources/envoy-gateway/v1.7.1/templates/namespaced-infra-manager-rbac.yaml b/sources/envoy-gateway/v1.7.1/templates/namespaced-infra-manager-rbac.yaml
new file mode 100644
index 00000000..84057a92
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/templates/namespaced-infra-manager-rbac.yaml
@@ -0,0 +1,66 @@
+{{ $watchedNamespaces := list }}
+{{ if .Values.config.envoyGateway.provider.kubernetes }}
+{{ $kube := .Values.config.envoyGateway.provider.kubernetes }}
+{{ if and ($kube.watch) ($kube.deploy) (eq $kube.deploy.type "GatewayNamespace") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "eg.fullname" $ }}-infra-manager-tokenreview
+ labels:
+ {{- include "eg.labels" $ | nindent 4 }}
+rules:
+{{ include "eg.rbac.infra.tokenreview" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "eg.fullname" $ }}-infra-manager-tokenreview
+ labels:
+ {{- include "eg.labels" $ | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: '{{ include "eg.fullname" $ }}-infra-manager-tokenreview'
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ $.Release.Namespace }}'
+{{ if $kube.watch.namespaces }}
+{{ if gt (len $kube.watch.namespaces) 0 }}
+{{ $watchedNamespaces = $kube.watch.namespaces }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{ if gt (len $watchedNamespaces) 0 }}
+{{ range $_, $ns := $watchedNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "eg.fullname" $ }}-namespaced-infra-manager
+ namespace: {{ $ns | quote }}
+ labels:
+ {{- include "eg.labels" $ | nindent 4 }}
+rules:
+{{ include "eg.rbac.infra.basic" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "eg.fullname" $ }}-namespaced-infra-manager
+ namespace: {{ $ns | quote }}
+ labels:
+ {{- include "eg.labels" $ | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: '{{ include "eg.fullname" $ }}-namespaced-infra-manager'
+subjects:
+- kind: ServiceAccount
+ name: 'envoy-gateway'
+ namespace: '{{ $.Release.Namespace }}'
+---
+{{- end }}
+{{- end }}
diff --git a/sources/envoy-gateway/v1.7.1/values.yaml b/sources/envoy-gateway/v1.7.1/values.yaml
new file mode 100644
index 00000000..12254cd6
--- /dev/null
+++ b/sources/envoy-gateway/v1.7.1/values.yaml
@@ -0,0 +1,147 @@
+# Global settings
+global:
+ # If set, these take highest precedence and change both envoyGateway and ratelimit's container registry and pull secrets.
+ # -- Global override for image registry
+ imageRegistry: ""
+ # -- Global override for image pull secrets
+ imagePullSecrets: []
+
+ # If set, these override image-specific values: useful when installing the chart in a private registry environment.
+ # Override image-specific values directly if a global override is not desired.
+ images:
+ envoyGateway:
+ # This is the full image name including the hub, repo, and tag.
+ image: docker.io/envoyproxy/gateway:v1.7.1
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ pullPolicy: IfNotPresent
+ # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+ pullSecrets: []
+ ratelimit:
+ # This is the full image name including the hub, repo, and tag.
+ image: "docker.io/envoyproxy/ratelimit:c8765e89"
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ pullPolicy: IfNotPresent
+ # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+ pullSecrets: []
+
+podDisruptionBudget:
+ minAvailable: 0
+ # maxUnavailable: 1
+
+deployment:
+ annotations: {}
+ envoyGateway:
+ image:
+ # if both this and global.imageRegistry are specified, this has to include both registry and repository explicitly, eg docker.io/envoyproxy/gateway
+ repository: ""
+ tag: ""
+ imagePullPolicy: ""
+ imagePullSecrets: []
+ resources:
+ limits:
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+ - name: grpc
+ port: 18000
+ targetPort: 18000
+ - name: ratelimit
+ port: 18001
+ targetPort: 18001
+ - name: wasm
+ port: 18002
+ targetPort: 18002
+ - name: metrics
+ port: 19001
+ targetPort: 19001
+ priorityClassName: null
+ replicas: 1
+ pod:
+ affinity: {}
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '19001'
+ labels: {}
+ topologySpreadConstraints: []
+ tolerations: []
+ nodeSelector: {}
+
+service:
+ # If set to PreferClose, the Envoy fleet will prioritize connecting to the Envoy Gateway pods that are topologically closest to them.
+ trafficDistribution: ""
+ annotations: {}
+ # -- Service type. Can be set to LoadBalancer with specific IP, e.g.:
+ # type: LoadBalancer
+ # loadBalancerIP: 10.236.90.20
+ type: "ClusterIP"
+
+hpa:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 1
+ metrics: []
+ behavior: {}
+
+config:
+# -- EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options.
+ envoyGateway:
+ gateway:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ provider:
+ type: Kubernetes
+ logging:
+ level:
+ default: info
+ extensionApis: {}
+
+createNamespace: false
+
+kubernetesClusterDomain: cluster.local
+
+# -- Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected.
+certgen:
+ job:
+ annotations: {}
+ args: []
+ pod:
+ annotations: {}
+ labels: {}
+ resources: {}
+ affinity: {}
+ tolerations: []
+ nodeSelector: {}
+ ttlSecondsAfterFinished: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+ rbac:
+ annotations: {}
+ labels: {}
+
+topologyInjector:
+ enabled: true
+ annotations: {}
diff --git a/sources/gitea-config/templates/gitea-httproute.yaml b/sources/gitea-config/templates/gitea-httproute.yaml
index 09da5699..a8ce2b2a 100644
--- a/sources/gitea-config/templates/gitea-httproute.yaml
+++ b/sources/gitea-config/templates/gitea-httproute.yaml
@@ -9,7 +9,7 @@ spec:
- group: gateway.networking.k8s.io
kind: Gateway
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
rules:
- backendRefs:
- group: ''
diff --git a/sources/keycloak-config/templates/keycloak-httproute.yaml b/sources/keycloak-config/templates/keycloak-httproute.yaml
index 93c65f43..0092eb12 100644
--- a/sources/keycloak-config/templates/keycloak-httproute.yaml
+++ b/sources/keycloak-config/templates/keycloak-httproute.yaml
@@ -9,7 +9,7 @@ spec:
- group: gateway.networking.k8s.io
kind: Gateway
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
rules:
- backendRefs:
- group: ""
diff --git a/sources/keycloak-old/templates/es-airm-realm-credentials.yaml b/sources/keycloak-old/templates/es-airm-realm-credentials.yaml
index eddf2c8d..2d36cf9c 100644
--- a/sources/keycloak-old/templates/es-airm-realm-credentials.yaml
+++ b/sources/keycloak-old/templates/es-airm-realm-credentials.yaml
@@ -4,9 +4,6 @@ kind: ExternalSecret
metadata:
name: airm-realm-credentials
namespace: keycloak
- annotations:
- argocd.argoproj.io/hook: PreSync
- argocd.argoproj.io/hook-weight: "-15"
spec:
data:
- remoteRef:
diff --git a/sources/keycloak-old/templates/es-keycloak-credentials.yaml b/sources/keycloak-old/templates/es-keycloak-credentials.yaml
index cecb6da9..0c17362c 100644
--- a/sources/keycloak-old/templates/es-keycloak-credentials.yaml
+++ b/sources/keycloak-old/templates/es-keycloak-credentials.yaml
@@ -4,9 +4,6 @@ kind: ExternalSecret
metadata:
name: keycloak-credentials
namespace: keycloak
- annotations:
- argocd.argoproj.io/hook: PreSync
- argocd.argoproj.io/hook-weight: "-15"
spec:
data:
- remoteRef:
diff --git a/sources/keycloak-old/templates/keycloak-route.yaml b/sources/keycloak-old/templates/keycloak-route.yaml
index 116f8bba..f75669af 100644
--- a/sources/keycloak-old/templates/keycloak-route.yaml
+++ b/sources/keycloak-old/templates/keycloak-route.yaml
@@ -9,7 +9,7 @@ spec:
- group: gateway.networking.k8s.io
kind: Gateway
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
rules:
- backendRefs:
- group: ""
diff --git a/sources/kgateway-config/Chart.yaml b/sources/kgateway-config/Chart.yaml
deleted file mode 100644
index 72542e0e..00000000
--- a/sources/kgateway-config/Chart.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v2
-name: kgateway-config
-description: A Helm chart with CR config for kgateway
-version: 0.1.0
diff --git a/sources/kgateway-config/templates/HTTPListenerPolicy_access-logs.yaml b/sources/kgateway-config/templates/HTTPListenerPolicy_access-logs.yaml
deleted file mode 100644
index 99268b72..00000000
--- a/sources/kgateway-config/templates/HTTPListenerPolicy_access-logs.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: HTTPListenerPolicy
-metadata:
- name: access-logs
- namespace: kgateway-system
-spec:
- targetRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: https
- accessLog:
- - fileSink:
- path: /dev/stdout
- jsonFormat:
- start_time: "%START_TIME%"
- method: "%REQ(X-ENVOY-ORIGINAL-METHOD?:METHOD)%"
- path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
- protocol: "%PROTOCOL%"
- response_code: "%RESPONSE_CODE%"
- response_flags: "%RESPONSE_FLAGS%"
- bytes_received: "%BYTES_RECEIVED%"
- bytes_sent: "%BYTES_SENT%"
- total_duration: "%DURATION%"
- resp_backend_service_time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
- req_x_forwarded_for: "%REQ(X-FORWARDED-FOR)%"
- user_agent: "%REQ(USER-AGENT)%"
- request_id: "%REQ(X-REQUEST-ID)%"
- authority: "%REQ(:AUTHORITY)%"
- backendHost: "%UPSTREAM_HOST%"
- backendCluster: "%UPSTREAM_CLUSTER%"
\ No newline at end of file
diff --git a/sources/kgateway-config/templates/HTTPListenerPolicy_websocket.yaml b/sources/kgateway-config/templates/HTTPListenerPolicy_websocket.yaml
deleted file mode 100644
index 27fcb987..00000000
--- a/sources/kgateway-config/templates/HTTPListenerPolicy_websocket.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: gateway.kgateway.dev/v1alpha1
-kind: HTTPListenerPolicy
-metadata:
- name: upgrades
- namespace: kgateway-system
-spec:
- targetRefs:
- - group: gateway.networking.k8s.io
- kind: Gateway
- name: https
- upgradeConfig:
- enabledUpgrades:
- - websocket
-
\ No newline at end of file
diff --git a/sources/kgateway-config/values.yaml b/sources/kgateway-config/values.yaml
deleted file mode 100644
index f97ac442..00000000
--- a/sources/kgateway-config/values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-domain: # to be filled by cluster-forge app
diff --git a/sources/kgateway-crds/source.yaml b/sources/kgateway-crds/source.yaml
deleted file mode 100644
index bcef57e3..00000000
--- a/sources/kgateway-crds/source.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-sourceUrl: oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds
-sourceVersion: v2.1.0-main
diff --git a/sources/kgateway-crds/v2.0.4/Chart.yaml b/sources/kgateway-crds/v2.0.4/Chart.yaml
deleted file mode 100644
index 790cb44b..00000000
--- a/sources/kgateway-crds/v2.0.4/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-appVersion: 1.16.0
-description: A Helm chart for the kgateway project CRDs
-name: kgateway-crds
-type: application
-version: v2.0.4
diff --git a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_backends.yaml b/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_backends.yaml
deleted file mode 100644
index 2c5ff55d..00000000
--- a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_backends.yaml
+++ /dev/null
@@ -1,607 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: backends.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: Backend
- listKind: BackendList
- plural: backends
- singular: backend
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Which backend type?
- jsonPath: .spec.type
- name: Type
- type: string
- - description: The age of the backend.
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- ai:
- maxProperties: 1
- minProperties: 1
- properties:
- llm:
- properties:
- hostOverride:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- provider:
- maxProperties: 1
- minProperties: 1
- properties:
- anthropic:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- model:
- type: string
- required:
- - authToken
- type: object
- azureopenai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- deploymentName:
- minLength: 1
- type: string
- endpoint:
- minLength: 1
- type: string
- required:
- - apiVersion
- - authToken
- - deploymentName
- - endpoint
- type: object
- gemini:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- model:
- type: string
- required:
- - apiVersion
- - authToken
- - model
- type: object
- openai:
- properties:
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- model:
- type: string
- required:
- - authToken
- type: object
- vertexai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- location:
- minLength: 1
- type: string
- model:
- minLength: 1
- type: string
- modelPath:
- type: string
- projectId:
- minLength: 1
- type: string
- publisher:
- enum:
- - GOOGLE
- type: string
- required:
- - apiVersion
- - authToken
- - location
- - model
- - projectId
- - publisher
- type: object
- type: object
- required:
- - provider
- type: object
- multipool:
- properties:
- priorities:
- items:
- properties:
- pool:
- items:
- properties:
- hostOverride:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- provider:
- maxProperties: 1
- minProperties: 1
- properties:
- anthropic:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- model:
- type: string
- required:
- - authToken
- type: object
- azureopenai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- deploymentName:
- minLength: 1
- type: string
- endpoint:
- minLength: 1
- type: string
- required:
- - apiVersion
- - authToken
- - deploymentName
- - endpoint
- type: object
- gemini:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- model:
- type: string
- required:
- - apiVersion
- - authToken
- - model
- type: object
- openai:
- properties:
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- model:
- type: string
- required:
- - authToken
- type: object
- vertexai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- location:
- minLength: 1
- type: string
- model:
- minLength: 1
- type: string
- modelPath:
- type: string
- projectId:
- minLength: 1
- type: string
- publisher:
- enum:
- - GOOGLE
- type: string
- required:
- - apiVersion
- - authToken
- - location
- - model
- - projectId
- - publisher
- type: object
- type: object
- required:
- - provider
- type: object
- maxItems: 20
- minItems: 1
- type: array
- type: object
- maxItems: 20
- minItems: 1
- type: array
- required:
- - priorities
- type: object
- type: object
- x-kubernetes-validations:
- - message: There must one and only one LLM or MultiPool can be set
- rule: (has(self.llm) && !has(self.multipool)) || (!has(self.llm)
- && has(self.multipool))
- aws:
- properties:
- accountId:
- maxLength: 12
- minLength: 1
- pattern: ^[0-9]{12}$
- type: string
- auth:
- properties:
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- type:
- enum:
- - Secret
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: secretRef must be nil if the type is not 'Secret'
- rule: '!(has(self.secretRef) && self.type != ''Secret'')'
- - message: secretRef must be specified when type is 'Secret'
- rule: '!(!has(self.secretRef) && self.type == ''Secret'')'
- lambda:
- properties:
- endpointURL:
- maxLength: 2048
- pattern: ^https?://[-a-zA-Z0-9@:%.+~#?&/=]+$
- type: string
- functionName:
- pattern: ^[A-Za-z0-9-_]{1,140}$
- type: string
- invocationMode:
- default: Sync
- enum:
- - Sync
- - Async
- type: string
- qualifier:
- pattern: ^(\$LATEST|[0-9]+|[A-Za-z0-9-_]{1,128})$
- type: string
- required:
- - functionName
- type: object
- region:
- default: us-east-1
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9-]+$
- type: string
- required:
- - accountId
- type: object
- static:
- properties:
- hosts:
- items:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- minItems: 1
- type: array
- type: object
- type:
- enum:
- - AI
- - AWS
- - Static
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: ai backend must be nil if the type is not 'ai'
- rule: '!(has(self.ai) && self.type != ''AI'')'
- - message: ai backend must be specified when type is 'ai'
- rule: '!(!has(self.ai) && self.type == ''AI'')'
- - message: aws backend must be nil if the type is not 'aws'
- rule: '!(has(self.aws) && self.type != ''AWS'')'
- - message: aws backend must be specified when type is 'aws'
- rule: '!(!has(self.aws) && self.type == ''AWS'')'
- - message: static backend must be nil if the type is not 'static'
- rule: '!(has(self.static) && self.type != ''Static'')'
- - message: static backend must be specified when type is 'static'
- rule: '!(!has(self.static) && self.type == ''Static'')'
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_directresponses.yaml b/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_directresponses.yaml
deleted file mode 100644
index 17e2d925..00000000
--- a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_directresponses.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: directresponses.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: DirectResponse
- listKind: DirectResponseList
- plural: directresponses
- singular: directresponse
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- body:
- maxLength: 4096
- type: string
- status:
- format: int32
- maximum: 599
- minimum: 200
- type: integer
- required:
- - status
- type: object
- status:
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_gatewayextensions.yaml b/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_gatewayextensions.yaml
deleted file mode 100644
index 7b7104da..00000000
--- a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_gatewayextensions.yaml
+++ /dev/null
@@ -1,212 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: gatewayextensions.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: GatewayExtension
- listKind: GatewayExtensionList
- plural: gatewayextensions
- singular: gatewayextension
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Which extension type?
- jsonPath: .spec.type
- name: Type
- type: string
- - description: The age of the gatewayextension.
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- extAuth:
- properties:
- grpcService:
- properties:
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- required:
- - backendRef
- type: object
- required:
- - grpcService
- type: object
- extProc:
- properties:
- grpcService:
- properties:
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- required:
- - backendRef
- type: object
- required:
- - grpcService
- type: object
- type:
- enum:
- - ExtAuth
- - ExtProc
- - Extended
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: ExtAuth must be set when type is ExtAuth
- rule: self.type != 'ExtAuth' || has(self.extAuth)
- - message: ExtProc must be set when type is ExtProc
- rule: self.type != 'ExtProc' || has(self.extProc)
- - message: ExtAuth must not be set when type is not ExtAuth
- rule: self.type == 'ExtAuth' || !has(self.extAuth)
- - message: ExtProc must not be set when type is not ExtProc
- rule: self.type == 'ExtProc' || !has(self.extProc)
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_gatewayparameters.yaml b/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_gatewayparameters.yaml
deleted file mode 100644
index d137f77f..00000000
--- a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_gatewayparameters.yaml
+++ /dev/null
@@ -1,2143 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: gatewayparameters.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: GatewayParameters
- listKind: GatewayParametersList
- plural: gatewayparameters
- singular: gatewayparameters
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- kube:
- properties:
- aiExtension:
- properties:
- enabled:
- type: boolean
- env:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- valueFrom:
- properties:
- configMapKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- properties:
- apiVersion:
- type: string
- fieldPath:
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- properties:
- containerName:
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- ports:
- items:
- properties:
- containerPort:
- format: int32
- type: integer
- hostIP:
- type: string
- hostPort:
- format: int32
- type: integer
- name:
- type: string
- protocol:
- default: TCP
- type: string
- required:
- - containerPort
- type: object
- type: array
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- stats:
- properties:
- customLabels:
- items:
- properties:
- keyDelimiter:
- type: string
- metadataKey:
- minLength: 1
- type: string
- metadataNamespace:
- enum:
- - envoy.filters.http.jwt_authn
- - io.solo.transformation
- type: string
- name:
- minLength: 1
- type: string
- required:
- - metadataKey
- - name
- type: object
- type: array
- type: object
- type: object
- deployment:
- properties:
- replicas:
- format: int32
- type: integer
- type: object
- envoyContainer:
- properties:
- bootstrap:
- properties:
- componentLogLevels:
- additionalProperties:
- type: string
- type: object
- logLevel:
- type: string
- type: object
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- type: object
- floatingUserId:
- type: boolean
- istio:
- properties:
- customSidecars:
- items:
- properties:
- args:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- env:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- valueFrom:
- properties:
- configMapKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- properties:
- apiVersion:
- type: string
- fieldPath:
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- properties:
- containerName:
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- envFrom:
- items:
- properties:
- configMapRef:
- properties:
- name:
- default: ""
- type: string
- optional:
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- prefix:
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- optional:
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: array
- x-kubernetes-list-type: atomic
- image:
- type: string
- imagePullPolicy:
- type: string
- lifecycle:
- properties:
- postStart:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- sleep:
- properties:
- seconds:
- format: int64
- type: integer
- required:
- - seconds
- type: object
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- type: object
- preStop:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- sleep:
- properties:
- seconds:
- format: int64
- type: integer
- required:
- - seconds
- type: object
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- type: object
- stopSignal:
- type: string
- type: object
- livenessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- name:
- type: string
- ports:
- items:
- properties:
- containerPort:
- format: int32
- type: integer
- hostIP:
- type: string
- hostPort:
- format: int32
- type: integer
- name:
- type: string
- protocol:
- default: TCP
- type: string
- required:
- - containerPort
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - containerPort
- - protocol
- x-kubernetes-list-type: map
- readinessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- resizePolicy:
- items:
- properties:
- resourceName:
- type: string
- restartPolicy:
- type: string
- required:
- - resourceName
- - restartPolicy
- type: object
- type: array
- x-kubernetes-list-type: atomic
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- restartPolicy:
- type: string
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- startupProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- stdin:
- type: boolean
- stdinOnce:
- type: boolean
- terminationMessagePath:
- type: string
- terminationMessagePolicy:
- type: string
- tty:
- type: boolean
- volumeDevices:
- items:
- properties:
- devicePath:
- type: string
- name:
- type: string
- required:
- - devicePath
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - devicePath
- x-kubernetes-list-type: map
- volumeMounts:
- items:
- properties:
- mountPath:
- type: string
- mountPropagation:
- type: string
- name:
- type: string
- readOnly:
- type: boolean
- recursiveReadOnly:
- type: string
- subPath:
- type: string
- subPathExpr:
- type: string
- required:
- - mountPath
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - mountPath
- x-kubernetes-list-type: map
- workingDir:
- type: string
- required:
- - name
- type: object
- type: array
- istioProxyContainer:
- properties:
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- istioDiscoveryAddress:
- type: string
- istioMetaClusterId:
- type: string
- istioMetaMeshId:
- type: string
- logLevel:
- type: string
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- type: object
- type: object
- podTemplate:
- properties:
- affinity:
- properties:
- nodeAffinity:
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- preference:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchFields:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- x-kubernetes-map-type: atomic
- weight:
- format: int32
- type: integer
- required:
- - preference
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- properties:
- nodeSelectorTerms:
- items:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchFields:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- x-kubernetes-map-type: atomic
- type: array
- x-kubernetes-list-type: atomic
- required:
- - nodeSelectorTerms
- type: object
- x-kubernetes-map-type: atomic
- type: object
- podAffinity:
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- podAffinityTerm:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- weight:
- format: int32
- type: integer
- required:
- - podAffinityTerm
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- podAntiAffinity:
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- podAffinityTerm:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- weight:
- format: int32
- type: integer
- required:
- - podAffinityTerm
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- type: object
- extraAnnotations:
- additionalProperties:
- type: string
- type: object
- extraLabels:
- additionalProperties:
- type: string
- type: object
- gracefulShutdown:
- properties:
- enabled:
- type: boolean
- sleepTimeSeconds:
- type: integer
- type: object
- imagePullSecrets:
- items:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- type: array
- livenessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- nodeSelector:
- additionalProperties:
- type: string
- type: object
- readinessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- securityContext:
- properties:
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- fsGroup:
- format: int64
- type: integer
- fsGroupChangePolicy:
- type: string
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxChangePolicy:
- type: string
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- supplementalGroups:
- items:
- format: int64
- type: integer
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroupsPolicy:
- type: string
- sysctls:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- terminationGracePeriodSeconds:
- type: integer
- tolerations:
- items:
- properties:
- effect:
- type: string
- key:
- type: string
- operator:
- type: string
- tolerationSeconds:
- format: int64
- type: integer
- value:
- type: string
- type: object
- type: array
- type: object
- sdsContainer:
- properties:
- bootstrap:
- properties:
- logLevel:
- type: string
- type: object
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- type: object
- service:
- properties:
- clusterIP:
- type: string
- extraAnnotations:
- additionalProperties:
- type: string
- type: object
- extraLabels:
- additionalProperties:
- type: string
- type: object
- ports:
- items:
- properties:
- nodePort:
- type: integer
- port:
- type: integer
- required:
- - port
- type: object
- type: array
- type:
- enum:
- - ClusterIP
- - NodePort
- - LoadBalancer
- - ExternalName
- type: string
- type: object
- serviceAccount:
- properties:
- extraAnnotations:
- additionalProperties:
- type: string
- type: object
- extraLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- stats:
- properties:
- enableStatsRoute:
- type: boolean
- enabled:
- type: boolean
- routePrefixRewrite:
- type: string
- statsRoutePrefixRewrite:
- type: string
- type: object
- type: object
- selfManaged:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- x-kubernetes-validations:
- - message: exactly one of 'kube' or 'selfManaged' must be set
- rule: 'has(self.kube) ? !has(self.selfManaged) : has(self.selfManaged)'
- status:
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_httplistenerpolicies.yaml b/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_httplistenerpolicies.yaml
deleted file mode 100644
index aacba465..00000000
--- a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_httplistenerpolicies.yaml
+++ /dev/null
@@ -1,534 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- gateway.networking.k8s.io/policy: Direct
- name: httplistenerpolicies.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: HTTPListenerPolicy
- listKind: HTTPListenerPolicyList
- plural: httplistenerpolicies
- singular: httplistenerpolicy
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- accessLog:
- items:
- properties:
- fileSink:
- properties:
- jsonFormat:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- path:
- type: string
- stringFormat:
- type: string
- required:
- - path
- type: object
- x-kubernetes-validations:
- - message: only one of 'StringFormat' or 'JsonFormat' may be
- set
- rule: (has(self.stringFormat) && !has(self.jsonFormat)) ||
- (!has(self.stringFormat) && has(self.jsonFormat))
- filter:
- allOf:
- - maxProperties: 1
- minProperties: 1
- - maxProperties: 1
- minProperties: 1
- properties:
- andFilter:
- items:
- maxProperties: 1
- minProperties: 1
- properties:
- celFilter:
- properties:
- match:
- type: string
- required:
- - match
- type: object
- durationFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- grpcStatusFilter:
- properties:
- exclude:
- type: boolean
- statuses:
- items:
- enum:
- - OK
- - CANCELED
- - UNKNOWN
- - INVALID_ARGUMENT
- - DEADLINE_EXCEEDED
- - NOT_FOUND
- - ALREADY_EXISTS
- - PERMISSION_DENIED
- - RESOURCE_EXHAUSTED
- - FAILED_PRECONDITION
- - ABORTED
- - OUT_OF_RANGE
- - UNIMPLEMENTED
- - INTERNAL
- - UNAVAILABLE
- - DATA_LOSS
- - UNAUTHENTICATED
- type: string
- minItems: 1
- type: array
- type: object
- headerFilter:
- properties:
- header:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- required:
- - header
- type: object
- notHealthCheckFilter:
- type: boolean
- responseFlagFilter:
- properties:
- flags:
- items:
- type: string
- minItems: 1
- type: array
- required:
- - flags
- type: object
- statusCodeFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- traceableFilter:
- type: boolean
- type: object
- minItems: 2
- type: array
- celFilter:
- properties:
- match:
- type: string
- required:
- - match
- type: object
- durationFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- grpcStatusFilter:
- properties:
- exclude:
- type: boolean
- statuses:
- items:
- enum:
- - OK
- - CANCELED
- - UNKNOWN
- - INVALID_ARGUMENT
- - DEADLINE_EXCEEDED
- - NOT_FOUND
- - ALREADY_EXISTS
- - PERMISSION_DENIED
- - RESOURCE_EXHAUSTED
- - FAILED_PRECONDITION
- - ABORTED
- - OUT_OF_RANGE
- - UNIMPLEMENTED
- - INTERNAL
- - UNAVAILABLE
- - DATA_LOSS
- - UNAUTHENTICATED
- type: string
- minItems: 1
- type: array
- type: object
- headerFilter:
- properties:
- header:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- required:
- - header
- type: object
- notHealthCheckFilter:
- type: boolean
- orFilter:
- items:
- maxProperties: 1
- minProperties: 1
- properties:
- celFilter:
- properties:
- match:
- type: string
- required:
- - match
- type: object
- durationFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- grpcStatusFilter:
- properties:
- exclude:
- type: boolean
- statuses:
- items:
- enum:
- - OK
- - CANCELED
- - UNKNOWN
- - INVALID_ARGUMENT
- - DEADLINE_EXCEEDED
- - NOT_FOUND
- - ALREADY_EXISTS
- - PERMISSION_DENIED
- - RESOURCE_EXHAUSTED
- - FAILED_PRECONDITION
- - ABORTED
- - OUT_OF_RANGE
- - UNIMPLEMENTED
- - INTERNAL
- - UNAVAILABLE
- - DATA_LOSS
- - UNAUTHENTICATED
- type: string
- minItems: 1
- type: array
- type: object
- headerFilter:
- properties:
- header:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- required:
- - header
- type: object
- notHealthCheckFilter:
- type: boolean
- responseFlagFilter:
- properties:
- flags:
- items:
- type: string
- minItems: 1
- type: array
- required:
- - flags
- type: object
- statusCodeFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- traceableFilter:
- type: boolean
- type: object
- minItems: 2
- type: array
- responseFlagFilter:
- properties:
- flags:
- items:
- type: string
- minItems: 1
- type: array
- required:
- - flags
- type: object
- statusCodeFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- traceableFilter:
- type: boolean
- type: object
- grpcService:
- properties:
- additionalRequestHeadersToLog:
- items:
- type: string
- type: array
- additionalResponseHeadersToLog:
- items:
- type: string
- type: array
- additionalResponseTrailersToLog:
- items:
- type: string
- type: array
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- logName:
- type: string
- required:
- - backendRef
- - logName
- type: object
- type: object
- type: array
- targetRefs:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 16
- minItems: 1
- type: array
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_trafficpolicies.yaml b/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_trafficpolicies.yaml
deleted file mode 100644
index f41c5ddb..00000000
--- a/sources/kgateway-crds/v2.0.4/templates/gateway.kgateway.dev_trafficpolicies.yaml
+++ /dev/null
@@ -1,572 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- gateway.networking.k8s.io/policy: Direct
- name: trafficpolicies.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: TrafficPolicy
- listKind: TrafficPolicyList
- plural: trafficpolicies
- singular: trafficpolicy
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- ai:
- properties:
- defaults:
- items:
- properties:
- field:
- minLength: 1
- type: string
- override:
- default: false
- type: boolean
- value:
- minLength: 1
- type: string
- required:
- - field
- - value
- type: object
- type: array
- promptEnrichment:
- properties:
- append:
- items:
- properties:
- content:
- type: string
- role:
- type: string
- required:
- - content
- - role
- type: object
- type: array
- prepend:
- items:
- properties:
- content:
- type: string
- role:
- type: string
- required:
- - content
- - role
- type: object
- type: array
- type: object
- promptGuard:
- properties:
- request:
- properties:
- customResponse:
- properties:
- message:
- default: The request was rejected due to inappropriate
- content
- type: string
- statusCode:
- default: 403
- format: int32
- maximum: 599
- minimum: 200
- type: integer
- type: object
- moderation:
- properties:
- openAIModeration:
- properties:
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- model:
- type: string
- required:
- - authToken
- type: object
- type: object
- regex:
- properties:
- action:
- default: MASK
- type: string
- builtins:
- items:
- enum:
- - SSN
- - CREDIT_CARD
- - PHONE_NUMBER
- - EMAIL
- type: string
- type: array
- matches:
- items:
- properties:
- name:
- type: string
- pattern:
- type: string
- type: object
- type: array
- type: object
- webhook:
- properties:
- forwardHeaders:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- host:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- required:
- - host
- type: object
- type: object
- response:
- properties:
- regex:
- properties:
- action:
- default: MASK
- type: string
- builtins:
- items:
- enum:
- - SSN
- - CREDIT_CARD
- - PHONE_NUMBER
- - EMAIL
- type: string
- type: array
- matches:
- items:
- properties:
- name:
- type: string
- pattern:
- type: string
- type: object
- type: array
- type: object
- webhook:
- properties:
- forwardHeaders:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- host:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- required:
- - host
- type: object
- type: object
- type: object
- routeType:
- default: CHAT
- enum:
- - CHAT
- - CHAT_STREAMING
- type: string
- type: object
- extAuth:
- properties:
- contextExtensions:
- additionalProperties:
- type: string
- type: object
- enablement:
- enum:
- - DisableAll
- type: string
- extensionRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- withRequestBody:
- properties:
- allowPartialMessage:
- type: boolean
- maxRequestBytes:
- format: int32
- minimum: 1
- type: integer
- packAsBytes:
- type: boolean
- required:
- - maxRequestBytes
- type: object
- type: object
- x-kubernetes-validations:
- - message: only one of 'extensionRef' or 'enablement' may be set
- rule: (has(self.extensionRef) && !has(self.enablement)) || (!has(self.extensionRef)
- && has(self.enablement))
- extProc:
- properties:
- extensionRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- processingMode:
- properties:
- requestBodyMode:
- default: NONE
- enum:
- - NONE
- - STREAMED
- - BUFFERED
- - BUFFERED_PARTIAL
- - FULL_DUPLEX_STREAMED
- type: string
- requestHeaderMode:
- default: SEND
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- requestTrailerMode:
- default: SKIP
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- responseBodyMode:
- default: NONE
- enum:
- - NONE
- - STREAMED
- - BUFFERED
- - BUFFERED_PARTIAL
- - FULL_DUPLEX_STREAMED
- type: string
- responseHeaderMode:
- default: SEND
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- responseTrailerMode:
- default: SKIP
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- type: object
- required:
- - extensionRef
- type: object
- rateLimit:
- properties:
- local:
- properties:
- tokenBucket:
- properties:
- fillInterval:
- format: duration
- type: string
- maxTokens:
- format: int32
- minimum: 1
- type: integer
- tokensPerFill:
- default: 1
- format: int32
- type: integer
- required:
- - fillInterval
- - maxTokens
- type: object
- type: object
- required:
- - local
- type: object
- targetRefs:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 16
- minItems: 1
- type: array
- transformation:
- properties:
- request:
- properties:
- add:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- body:
- properties:
- parseAs:
- default: AsString
- enum:
- - AsString
- - AsJson
- type: string
- value:
- type: string
- required:
- - parseAs
- type: object
- remove:
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- response:
- properties:
- add:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- body:
- properties:
- parseAs:
- default: AsString
- enum:
- - AsString
- - AsJson
- type: string
- value:
- type: string
- required:
- - parseAs
- type: object
- remove:
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type: object
- type: object
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.0.4/values.yaml b/sources/kgateway-crds/v2.0.4/values.yaml
deleted file mode 100644
index 67d2386d..00000000
--- a/sources/kgateway-crds/v2.0.4/values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# Default values for kgateway-crds.
diff --git a/sources/kgateway-crds/v2.1.0-main/.helmignore b/sources/kgateway-crds/v2.1.0-main/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/sources/kgateway-crds/v2.1.0-main/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/sources/kgateway-crds/v2.1.0-main/Chart.yaml b/sources/kgateway-crds/v2.1.0-main/Chart.yaml
deleted file mode 100644
index e279c2af..00000000
--- a/sources/kgateway-crds/v2.1.0-main/Chart.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v2
-appVersion: 1.16.0
-description: A Helm chart for the kgateway project CRDs
-icon: https://raw.githubusercontent.com/kgateway-dev/kgateway.dev/main/static/favicon.svg
-name: kgateway-crds
-type: application
-version: v2.1.0-main
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/NOTES.txt b/sources/kgateway-crds/v2.1.0-main/templates/NOTES.txt
deleted file mode 100644
index c63682f6..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/NOTES.txt
+++ /dev/null
@@ -1,24 +0,0 @@
-Thank you for installing the {{ .Chart.Name }} chart.
-
-This chart installs the Custom Resource Definitions (CRDs) required by kgateway.
-
-To verify that the CRDs have been installed:
-
- kubectl get crds | grep 'kgateway'
-
-To uninstall the CRDs:
-
- helm uninstall {{ .Release.Name }} --namespace {{ .Release.Namespace }}
-
-Note: The above command does not remove the Custom Resource Definitions (CRDs) installed by this chart.
-You may need to manually delete the CRDs if they are no longer needed. To do so, run:
-
- kubectl delete crd
-
-Replace with the name of the CRD(s) you wish to delete. For example:
-
- kubectl delete crd gatewayparameters.gateway.kgateway.dev
-
-To learn how to access and use kgateway, please visit the official documentation:
-
- https://kgateway.dev/docs/about/custom-resources/#kgateway
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_backendconfigpolicies.yaml b/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_backendconfigpolicies.yaml
deleted file mode 100644
index 5415e444..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_backendconfigpolicies.yaml
+++ /dev/null
@@ -1,623 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.1-0.20250625175829-8d11ce77f347
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- gateway.networking.k8s.io/policy: Direct
- name: backendconfigpolicies.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: BackendConfigPolicy
- listKind: BackendConfigPolicyList
- plural: backendconfigpolicies
- singular: backendconfigpolicy
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- commonHttpProtocolOptions:
- properties:
- idleTimeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- maxHeadersCount:
- type: integer
- maxRequestsPerConnection:
- type: integer
- maxStreamDuration:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- type: object
- connectTimeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- healthCheck:
- properties:
- grpc:
- properties:
- authority:
- type: string
- serviceName:
- type: string
- type: object
- healthyThreshold:
- format: int32
- type: integer
- http:
- properties:
- host:
- type: string
- method:
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - OPTIONS
- - TRACE
- - PATCH
- type: string
- path:
- type: string
- required:
- - path
- type: object
- interval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- timeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- unhealthyThreshold:
- format: int32
- type: integer
- required:
- - healthyThreshold
- - interval
- - timeout
- - unhealthyThreshold
- type: object
- x-kubernetes-validations:
- - message: exactly one of http or grpc must be set
- rule: has(self.http) != has(self.grpc)
- http1ProtocolOptions:
- properties:
- enableTrailers:
- type: boolean
- overrideStreamErrorOnInvalidHttpMessage:
- type: boolean
- preserveHttp1HeaderCase:
- type: boolean
- type: object
- http2ProtocolOptions:
- properties:
- initialConnectionWindowSize:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- x-kubernetes-validations:
- - message: InitialConnectionWindowSize must be between 65535 and
- 2147483647 bytes (inclusive)
- rule: (type(self) == int && int(self) >= 65535 && int(self)
- <= 2147483647) || (type(self) == string && quantity(self).isGreaterThan(quantity('65534'))
- && quantity(self).isLessThan(quantity('2147483648')))
- initialStreamWindowSize:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- x-kubernetes-validations:
- - message: InitialStreamWindowSize must be between 65535 and 2147483647
- bytes (inclusive)
- rule: (type(self) == int && int(self) >= 65535 && int(self)
- <= 2147483647) || (type(self) == string && quantity(self).isGreaterThan(quantity('65534'))
- && quantity(self).isLessThan(quantity('2147483648')))
- maxConcurrentStreams:
- type: integer
- overrideStreamErrorOnInvalidHttpMessage:
- type: boolean
- type: object
- loadBalancer:
- properties:
- closeConnectionsOnHostSetChange:
- type: boolean
- healthyPanicThreshold:
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- leastRequest:
- properties:
- choiceCount:
- default: 2
- format: int32
- type: integer
- slowStart:
- properties:
- aggression:
- type: string
- x-kubernetes-validations:
- - message: Aggression, if specified, must be a string
- representing a number greater than 0.0
- rule: (self.matches('^-?(?:[0-9]+(?:\\.[0-9]*)?|\\.[0-9]+)$')
- && double(self) > 0.0)
- minWeightPercent:
- format: int32
- type: integer
- window:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- type: object
- type: object
- localityType:
- enum:
- - WeightedLb
- type: string
- maglev:
- properties:
- hashPolicies:
- items:
- properties:
- cookie:
- properties:
- httpOnly:
- type: boolean
- name:
- minLength: 1
- type: string
- path:
- type: string
- sameSite:
- enum:
- - Strict
- - Lax
- - None
- type: string
- secure:
- type: boolean
- ttl:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - name
- type: object
- header:
- properties:
- name:
- minLength: 1
- type: string
- required:
- - name
- type: object
- sourceIP:
- type: object
- terminal:
- type: boolean
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [header cookie sourceIP]
- must be set
- rule: '[has(self.header),has(self.cookie),has(self.sourceIP)].filter(x,x==true).size()
- == 1'
- maxItems: 16
- minItems: 1
- type: array
- useHostnameForHashing:
- type: boolean
- type: object
- random:
- type: object
- ringHash:
- properties:
- hashPolicies:
- items:
- properties:
- cookie:
- properties:
- httpOnly:
- type: boolean
- name:
- minLength: 1
- type: string
- path:
- type: string
- sameSite:
- enum:
- - Strict
- - Lax
- - None
- type: string
- secure:
- type: boolean
- ttl:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - name
- type: object
- header:
- properties:
- name:
- minLength: 1
- type: string
- required:
- - name
- type: object
- sourceIP:
- type: object
- terminal:
- type: boolean
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [header cookie sourceIP]
- must be set
- rule: '[has(self.header),has(self.cookie),has(self.sourceIP)].filter(x,x==true).size()
- == 1'
- maxItems: 16
- minItems: 1
- type: array
- maximumRingSize:
- format: int64
- type: integer
- minimumRingSize:
- format: int64
- type: integer
- useHostnameForHashing:
- type: boolean
- type: object
- roundRobin:
- properties:
- slowStart:
- properties:
- aggression:
- type: string
- x-kubernetes-validations:
- - message: Aggression, if specified, must be a string
- representing a number greater than 0.0
- rule: (self.matches('^-?(?:[0-9]+(?:\\.[0-9]*)?|\\.[0-9]+)$')
- && double(self) > 0.0)
- minWeightPercent:
- format: int32
- type: integer
- window:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- type: object
- type: object
- updateMergeWindow:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [leastRequest roundRobin ringHash
- maglev random] must be set
- rule: '[has(self.leastRequest),has(self.roundRobin),has(self.ringHash),has(self.maglev),has(self.random)].filter(x,x==true).size()
- == 1'
- outlierDetection:
- properties:
- baseEjectionTime:
- default: 30s
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- consecutive5xx:
- default: 5
- format: int32
- type: integer
- interval:
- default: 10s
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- maxEjectionPercent:
- default: 10
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- type: object
- perConnectionBufferLimitBytes:
- type: integer
- targetRefs:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 16
- minItems: 1
- type: array
- x-kubernetes-validations:
- - message: TargetRefs must reference either a Kubernetes Service or
- a Backend API
- rule: self.all(r, (r.group == '' && r.kind == 'Service') || (r.group
- == 'gateway.kgateway.dev' && r.kind == 'Backend'))
- targetSelectors:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- matchLabels:
- additionalProperties:
- type: string
- type: object
- required:
- - group
- - kind
- - matchLabels
- type: object
- type: array
- x-kubernetes-validations:
- - message: TargetSelectors must reference either a Kubernetes Service
- or a Backend API
- rule: self.all(r, (r.group == '' && r.kind == 'Service') || (r.group
- == 'gateway.kgateway.dev' && r.kind == 'Backend'))
- tcpKeepalive:
- properties:
- keepAliveInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- - message: keepAliveInterval must be at least 1 second
- rule: duration(self) >= duration('1s')
- keepAliveProbes:
- type: integer
- keepAliveTime:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- - message: keepAliveTime must be at least 1 second
- rule: duration(self) >= duration('1s')
- type: object
- tls:
- properties:
- allowRenegotiation:
- type: boolean
- alpnProtocols:
- items:
- type: string
- type: array
- insecureSkipVerify:
- type: boolean
- parameters:
- properties:
- cipherSuites:
- items:
- type: string
- type: array
- ecdhCurves:
- items:
- type: string
- type: array
- tlsMaxVersion:
- enum:
- - AUTO
- - "1.0"
- - "1.1"
- - "1.2"
- - "1.3"
- type: string
- tlsMinVersion:
- enum:
- - AUTO
- - "1.0"
- - "1.1"
- - "1.2"
- - "1.3"
- type: string
- type: object
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- simpleTLS:
- type: boolean
- sni:
- minLength: 1
- type: string
- tlsFiles:
- properties:
- rootCA:
- minLength: 1
- type: string
- tlsCertificate:
- minLength: 1
- type: string
- tlsKey:
- minLength: 1
- type: string
- type: object
- x-kubernetes-validations:
- - message: At least one of tlsCertificate, tlsKey, or rootCA must
- be set in TLSFiles
- rule: has(self.tlsCertificate) || has(self.tlsKey) || has(self.rootCA)
- verifySubjectAltName:
- items:
- type: string
- type: array
- wellKnownCACertificates:
- enum:
- - System
- type: string
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [secretRef tlsFiles insecureSkipVerify
- wellKnownCACertificates] must be set
- rule: '[has(self.secretRef),has(self.tlsFiles),has(self.insecureSkipVerify),has(self.wellKnownCACertificates)].filter(x,x==true).size()
- == 1'
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [http1ProtocolOptions http2ProtocolOptions]
- may be set
- rule: '[has(self.http1ProtocolOptions),has(self.http2ProtocolOptions)].filter(x,x==true).size()
- <= 1'
- status:
- properties:
- ancestors:
- items:
- properties:
- ancestorRef:
- properties:
- group:
- default: gateway.networking.k8s.io
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- controllerName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- required:
- - ancestorRef
- - controllerName
- type: object
- maxItems: 16
- type: array
- required:
- - ancestors
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_backends.yaml b/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_backends.yaml
deleted file mode 100644
index 260a330a..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_backends.yaml
+++ /dev/null
@@ -1,924 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.1-0.20250625175829-8d11ce77f347
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: backends.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: Backend
- listKind: BackendList
- plural: backends
- singular: backend
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Which backend type?
- jsonPath: .spec.type
- name: Type
- type: string
- - description: Backend configuration acceptance status
- jsonPath: .status.conditions[?(@.type=='Accepted')].status
- name: Accepted
- type: string
- - description: The age of the backend.
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- ai:
- maxProperties: 1
- minProperties: 1
- properties:
- llm:
- properties:
- authHeaderOverride:
- properties:
- headerName:
- type: string
- prefix:
- type: string
- type: object
- hostOverride:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- pathOverride:
- minProperties: 1
- properties:
- fullPath:
- type: string
- required:
- - fullPath
- type: object
- provider:
- maxProperties: 1
- minProperties: 1
- properties:
- anthropic:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [inline secretRef]
- may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- model:
- type: string
- required:
- - authToken
- type: object
- azureopenai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [inline secretRef]
- may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- deploymentName:
- minLength: 1
- type: string
- endpoint:
- minLength: 1
- type: string
- required:
- - apiVersion
- - authToken
- - deploymentName
- - endpoint
- type: object
- bedrock:
- properties:
- auth:
- properties:
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- type:
- enum:
- - Secret
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: secretRef must be nil if the type is not
- 'Secret'
- rule: '!(has(self.secretRef) && self.type != ''Secret'')'
- - message: secretRef must be specified when type is
- 'Secret'
- rule: '!(!has(self.secretRef) && self.type == ''Secret'')'
- guardrail:
- properties:
- identifier:
- minLength: 1
- type: string
- version:
- minLength: 1
- type: string
- required:
- - identifier
- - version
- type: object
- model:
- minLength: 1
- type: string
- region:
- default: us-east-1
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9-]+$
- type: string
- required:
- - model
- type: object
- gemini:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [inline secretRef]
- may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- model:
- type: string
- required:
- - apiVersion
- - authToken
- - model
- type: object
- openai:
- properties:
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [inline secretRef]
- may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- model:
- type: string
- required:
- - authToken
- type: object
- vertexai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [inline secretRef]
- may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- location:
- minLength: 1
- type: string
- model:
- minLength: 1
- type: string
- modelPath:
- type: string
- projectId:
- minLength: 1
- type: string
- publisher:
- enum:
- - GOOGLE
- type: string
- required:
- - apiVersion
- - authToken
- - location
- - model
- - projectId
- - publisher
- type: object
- type: object
- required:
- - provider
- type: object
- multipool:
- properties:
- priorities:
- items:
- properties:
- pool:
- items:
- properties:
- authHeaderOverride:
- properties:
- headerName:
- type: string
- prefix:
- type: string
- type: object
- hostOverride:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- pathOverride:
- minProperties: 1
- properties:
- fullPath:
- type: string
- required:
- - fullPath
- type: object
- provider:
- maxProperties: 1
- minProperties: 1
- properties:
- anthropic:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in
- [inline secretRef] may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- model:
- type: string
- required:
- - authToken
- type: object
- azureopenai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in
- [inline secretRef] may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- deploymentName:
- minLength: 1
- type: string
- endpoint:
- minLength: 1
- type: string
- required:
- - apiVersion
- - authToken
- - deploymentName
- - endpoint
- type: object
- bedrock:
- properties:
- auth:
- properties:
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- type:
- enum:
- - Secret
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: secretRef must be nil if the
- type is not 'Secret'
- rule: '!(has(self.secretRef) && self.type
- != ''Secret'')'
- - message: secretRef must be specified
- when type is 'Secret'
- rule: '!(!has(self.secretRef) && self.type
- == ''Secret'')'
- guardrail:
- properties:
- identifier:
- minLength: 1
- type: string
- version:
- minLength: 1
- type: string
- required:
- - identifier
- - version
- type: object
- model:
- minLength: 1
- type: string
- region:
- default: us-east-1
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9-]+$
- type: string
- required:
- - model
- type: object
- gemini:
- properties:
- apiVersion:
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in
- [inline secretRef] may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- model:
- type: string
- required:
- - apiVersion
- - authToken
- - model
- type: object
- openai:
- properties:
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in
- [inline secretRef] may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- model:
- type: string
- required:
- - authToken
- type: object
- vertexai:
- properties:
- apiVersion:
- minLength: 1
- type: string
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in
- [inline secretRef] may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- location:
- minLength: 1
- type: string
- model:
- minLength: 1
- type: string
- modelPath:
- type: string
- projectId:
- minLength: 1
- type: string
- publisher:
- enum:
- - GOOGLE
- type: string
- required:
- - apiVersion
- - authToken
- - location
- - model
- - projectId
- - publisher
- type: object
- type: object
- required:
- - provider
- type: object
- maxItems: 20
- minItems: 1
- type: array
- type: object
- maxItems: 20
- minItems: 1
- type: array
- required:
- - priorities
- type: object
- type: object
- x-kubernetes-validations:
- - message: There must one and only one LLM or MultiPool can be set
- rule: (has(self.llm) && !has(self.multipool)) || (!has(self.llm)
- && has(self.multipool))
- aws:
- properties:
- accountId:
- maxLength: 12
- minLength: 1
- pattern: ^[0-9]{12}$
- type: string
- auth:
- properties:
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- type:
- enum:
- - Secret
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: secretRef must be nil if the type is not 'Secret'
- rule: '!(has(self.secretRef) && self.type != ''Secret'')'
- - message: secretRef must be specified when type is 'Secret'
- rule: '!(!has(self.secretRef) && self.type == ''Secret'')'
- lambda:
- properties:
- endpointURL:
- maxLength: 2048
- pattern: ^https?://[-a-zA-Z0-9@:%.+~#?&/=]+$
- type: string
- functionName:
- pattern: ^[A-Za-z0-9-_]{1,140}$
- type: string
- invocationMode:
- default: Sync
- enum:
- - Sync
- - Async
- type: string
- payloadTransformMode:
- default: Envoy
- enum:
- - None
- - Envoy
- type: string
- qualifier:
- default: $LATEST
- pattern: ^(\$LATEST|[0-9]+|[A-Za-z0-9-_]{1,128})$
- type: string
- required:
- - functionName
- type: object
- region:
- default: us-east-1
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9-]+$
- type: string
- required:
- - accountId
- - lambda
- type: object
- dynamicForwardProxy:
- properties:
- enableTls:
- type: boolean
- type: object
- mcp:
- properties:
- targets:
- items:
- properties:
- name:
- type: string
- selector:
- properties:
- namespace:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- service:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- x-kubernetes-validations:
- - message: at least one of namespace or service must be
- set
- rule: has(self.__namespace__) || has(self.service)
- static:
- properties:
- host:
- minLength: 1
- type: string
- path:
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- protocol:
- enum:
- - StreamableHTTP
- - SSE
- type: string
- required:
- - host
- - port
- type: object
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [selector static] must
- be set
- rule: '[has(self.selector),has(self.static)].filter(x,x==true).size()
- == 1'
- maxItems: 32
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- required:
- - targets
- type: object
- static:
- properties:
- appProtocol:
- enum:
- - http2
- - grpc
- - grpc-web
- - kubernetes.io/h2c
- - kubernetes.io/ws
- type: string
- hosts:
- items:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- minItems: 1
- type: array
- required:
- - hosts
- type: object
- type:
- enum:
- - AI
- - AWS
- - Static
- - DynamicForwardProxy
- - MCP
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: ai backend must be specified when type is 'AI'
- rule: 'self.type == ''AI'' ? has(self.ai) : true'
- - message: aws backend must be specified when type is 'AWS'
- rule: 'self.type == ''AWS'' ? has(self.aws) : true'
- - message: static backend must be specified when type is 'Static'
- rule: 'self.type == ''Static'' ? has(self.static) : true'
- - message: dynamicForwardProxy backend must be specified when type is
- 'DynamicForwardProxy'
- rule: 'self.type == ''DynamicForwardProxy'' ? has(self.dynamicForwardProxy)
- : true'
- - message: mcp backend must be specified when type is 'MCP'
- rule: 'self.type == ''MCP'' ? has(self.mcp) : true'
- - message: exactly one of the fields in [ai aws static dynamicForwardProxy
- mcp] must be set
- rule: '[has(self.ai),has(self.aws),has(self.static),has(self.dynamicForwardProxy),has(self.mcp)].filter(x,x==true).size()
- == 1'
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_directresponses.yaml b/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_directresponses.yaml
deleted file mode 100644
index cd995352..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_directresponses.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.1-0.20250625175829-8d11ce77f347
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: directresponses.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: DirectResponse
- listKind: DirectResponseList
- plural: directresponses
- singular: directresponse
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- body:
- maxLength: 4096
- minLength: 1
- type: string
- status:
- format: int32
- maximum: 599
- minimum: 200
- type: integer
- required:
- - status
- type: object
- status:
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_gatewayextensions.yaml b/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_gatewayextensions.yaml
deleted file mode 100644
index d88ed84f..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_gatewayextensions.yaml
+++ /dev/null
@@ -1,280 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.1-0.20250625175829-8d11ce77f347
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: gatewayextensions.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: GatewayExtension
- listKind: GatewayExtensionList
- plural: gatewayextensions
- singular: gatewayextension
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - description: Which extension type?
- jsonPath: .spec.type
- name: Type
- type: string
- - description: The age of the gatewayextension.
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- extAuth:
- properties:
- grpcService:
- properties:
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- required:
- - backendRef
- type: object
- required:
- - grpcService
- type: object
- extProc:
- properties:
- grpcService:
- properties:
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- required:
- - backendRef
- type: object
- required:
- - grpcService
- type: object
- rateLimit:
- properties:
- domain:
- type: string
- failOpen:
- default: true
- type: boolean
- grpcService:
- properties:
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- required:
- - backendRef
- type: object
- timeout:
- default: 100ms
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - domain
- - grpcService
- type: object
- type:
- enum:
- - ExtAuth
- - ExtProc
- - RateLimit
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: ExtAuth must be set when type is ExtAuth
- rule: self.type != 'ExtAuth' || has(self.extAuth)
- - message: ExtProc must be set when type is ExtProc
- rule: self.type != 'ExtProc' || has(self.extProc)
- - message: RateLimit must be set when type is RateLimit
- rule: self.type != 'RateLimit' || has(self.rateLimit)
- - message: ExtAuth must not be set when type is not ExtAuth
- rule: self.type == 'ExtAuth' || !has(self.extAuth)
- - message: ExtProc must not be set when type is not ExtProc
- rule: self.type == 'ExtProc' || !has(self.extProc)
- - message: RateLimit must not be set when type is not RateLimit
- rule: self.type == 'RateLimit' || !has(self.rateLimit)
- status:
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_gatewayparameters.yaml b/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_gatewayparameters.yaml
deleted file mode 100644
index bae3d6f9..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_gatewayparameters.yaml
+++ /dev/null
@@ -1,2502 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.1-0.20250625175829-8d11ce77f347
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- name: gatewayparameters.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: GatewayParameters
- listKind: GatewayParametersList
- plural: gatewayparameters
- singular: gatewayparameters
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- kube:
- properties:
- agentGateway:
- properties:
- customConfigMapName:
- type: string
- enabled:
- type: boolean
- env:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- valueFrom:
- properties:
- configMapKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- properties:
- apiVersion:
- type: string
- fieldPath:
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- properties:
- containerName:
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- logLevel:
- type: string
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- type: object
- aiExtension:
- properties:
- enabled:
- type: boolean
- env:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- valueFrom:
- properties:
- configMapKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- properties:
- apiVersion:
- type: string
- fieldPath:
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- properties:
- containerName:
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- ports:
- items:
- properties:
- containerPort:
- format: int32
- type: integer
- hostIP:
- type: string
- hostPort:
- format: int32
- type: integer
- name:
- type: string
- protocol:
- default: TCP
- type: string
- required:
- - containerPort
- type: object
- type: array
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- stats:
- properties:
- customLabels:
- items:
- properties:
- keyDelimiter:
- type: string
- metadataKey:
- minLength: 1
- type: string
- metadataNamespace:
- enum:
- - envoy.filters.http.jwt_authn
- - io.solo.transformation
- type: string
- name:
- minLength: 1
- type: string
- required:
- - metadataKey
- - name
- type: object
- type: array
- type: object
- tracing:
- properties:
- endpoint:
- maxLength: 253
- minLength: 1
- pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
- type: string
- protocol:
- enum:
- - grpc
- - http/protobuf
- - http/json
- type: string
- sampler:
- properties:
- arg:
- pattern: ^0(\.\d+)?|1(\.0+)?$
- type: string
- type:
- enum:
- - alwaysOn
- - alwaysOff
- - traceidratio
- - parentbasedAlwaysOn
- - parentbasedAlwaysOff
- - parentbasedTraceidratio
- type: string
- type: object
- timeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - endpoint
- type: object
- type: object
- deployment:
- properties:
- omitReplicas:
- type: boolean
- replicas:
- format: int32
- type: integer
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [replicas omitReplicas]
- may be set
- rule: '[has(self.replicas),has(self.omitReplicas)].filter(x,x==true).size()
- <= 1'
- envoyContainer:
- properties:
- bootstrap:
- properties:
- componentLogLevels:
- additionalProperties:
- type: string
- type: object
- logLevel:
- type: string
- type: object
- env:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- valueFrom:
- properties:
- configMapKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- properties:
- apiVersion:
- type: string
- fieldPath:
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- properties:
- containerName:
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- type: object
- floatingUserId:
- type: boolean
- istio:
- properties:
- customSidecars:
- items:
- properties:
- args:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- env:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- valueFrom:
- properties:
- configMapKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- properties:
- apiVersion:
- type: string
- fieldPath:
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- properties:
- containerName:
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- properties:
- key:
- type: string
- name:
- default: ""
- type: string
- optional:
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- envFrom:
- items:
- properties:
- configMapRef:
- properties:
- name:
- default: ""
- type: string
- optional:
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- prefix:
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- optional:
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: array
- x-kubernetes-list-type: atomic
- image:
- type: string
- imagePullPolicy:
- type: string
- lifecycle:
- properties:
- postStart:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- sleep:
- properties:
- seconds:
- format: int64
- type: integer
- required:
- - seconds
- type: object
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- type: object
- preStop:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- sleep:
- properties:
- seconds:
- format: int64
- type: integer
- required:
- - seconds
- type: object
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- type: object
- stopSignal:
- type: string
- type: object
- livenessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- name:
- type: string
- ports:
- items:
- properties:
- containerPort:
- format: int32
- type: integer
- hostIP:
- type: string
- hostPort:
- format: int32
- type: integer
- name:
- type: string
- protocol:
- default: TCP
- type: string
- required:
- - containerPort
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - containerPort
- - protocol
- x-kubernetes-list-type: map
- readinessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- resizePolicy:
- items:
- properties:
- resourceName:
- type: string
- restartPolicy:
- type: string
- required:
- - resourceName
- - restartPolicy
- type: object
- type: array
- x-kubernetes-list-type: atomic
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- restartPolicy:
- type: string
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- startupProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- stdin:
- type: boolean
- stdinOnce:
- type: boolean
- terminationMessagePath:
- type: string
- terminationMessagePolicy:
- type: string
- tty:
- type: boolean
- volumeDevices:
- items:
- properties:
- devicePath:
- type: string
- name:
- type: string
- required:
- - devicePath
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - devicePath
- x-kubernetes-list-type: map
- volumeMounts:
- items:
- properties:
- mountPath:
- type: string
- mountPropagation:
- type: string
- name:
- type: string
- readOnly:
- type: boolean
- recursiveReadOnly:
- type: string
- subPath:
- type: string
- subPathExpr:
- type: string
- required:
- - mountPath
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - mountPath
- x-kubernetes-list-type: map
- workingDir:
- type: string
- required:
- - name
- type: object
- type: array
- istioProxyContainer:
- properties:
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- istioDiscoveryAddress:
- type: string
- istioMetaClusterId:
- type: string
- istioMetaMeshId:
- type: string
- logLevel:
- type: string
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- type: object
- type: object
- podTemplate:
- properties:
- affinity:
- properties:
- nodeAffinity:
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- preference:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchFields:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- x-kubernetes-map-type: atomic
- weight:
- format: int32
- type: integer
- required:
- - preference
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- properties:
- nodeSelectorTerms:
- items:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchFields:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- x-kubernetes-map-type: atomic
- type: array
- x-kubernetes-list-type: atomic
- required:
- - nodeSelectorTerms
- type: object
- x-kubernetes-map-type: atomic
- type: object
- podAffinity:
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- podAffinityTerm:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- weight:
- format: int32
- type: integer
- required:
- - podAffinityTerm
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- podAntiAffinity:
- properties:
- preferredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- podAffinityTerm:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- weight:
- format: int32
- type: integer
- required:
- - podAffinityTerm
- - weight
- type: object
- type: array
- x-kubernetes-list-type: atomic
- requiredDuringSchedulingIgnoredDuringExecution:
- items:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- mismatchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- namespaceSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- topologyKey:
- type: string
- required:
- - topologyKey
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type: object
- type: object
- extraAnnotations:
- additionalProperties:
- type: string
- type: object
- extraLabels:
- additionalProperties:
- type: string
- type: object
- gracefulShutdown:
- properties:
- enabled:
- type: boolean
- sleepTimeSeconds:
- type: integer
- type: object
- imagePullSecrets:
- items:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- type: array
- livenessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- nodeSelector:
- additionalProperties:
- type: string
- type: object
- readinessProbe:
- properties:
- exec:
- properties:
- command:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- failureThreshold:
- format: int32
- type: integer
- grpc:
- properties:
- port:
- format: int32
- type: integer
- service:
- default: ""
- type: string
- required:
- - port
- type: object
- httpGet:
- properties:
- host:
- type: string
- httpHeaders:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- path:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- scheme:
- type: string
- required:
- - port
- type: object
- initialDelaySeconds:
- format: int32
- type: integer
- periodSeconds:
- format: int32
- type: integer
- successThreshold:
- format: int32
- type: integer
- tcpSocket:
- properties:
- host:
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- x-kubernetes-int-or-string: true
- required:
- - port
- type: object
- terminationGracePeriodSeconds:
- format: int64
- type: integer
- timeoutSeconds:
- format: int32
- type: integer
- type: object
- securityContext:
- properties:
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- fsGroup:
- format: int64
- type: integer
- fsGroupChangePolicy:
- type: string
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxChangePolicy:
- type: string
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- supplementalGroups:
- items:
- format: int64
- type: integer
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroupsPolicy:
- type: string
- sysctls:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- - value
- type: object
- type: array
- x-kubernetes-list-type: atomic
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- terminationGracePeriodSeconds:
- type: integer
- tolerations:
- items:
- properties:
- effect:
- type: string
- key:
- type: string
- operator:
- type: string
- tolerationSeconds:
- format: int64
- type: integer
- value:
- type: string
- type: object
- type: array
- topologySpreadConstraints:
- items:
- properties:
- labelSelector:
- properties:
- matchExpressions:
- items:
- properties:
- key:
- type: string
- operator:
- type: string
- values:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- x-kubernetes-map-type: atomic
- matchLabelKeys:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- maxSkew:
- format: int32
- type: integer
- minDomains:
- format: int32
- type: integer
- nodeAffinityPolicy:
- type: string
- nodeTaintsPolicy:
- type: string
- topologyKey:
- type: string
- whenUnsatisfiable:
- type: string
- required:
- - maxSkew
- - topologyKey
- - whenUnsatisfiable
- type: object
- type: array
- type: object
- sdsContainer:
- properties:
- bootstrap:
- properties:
- logLevel:
- type: string
- type: object
- image:
- properties:
- digest:
- type: string
- pullPolicy:
- type: string
- registry:
- type: string
- repository:
- type: string
- tag:
- type: string
- type: object
- resources:
- properties:
- claims:
- items:
- properties:
- name:
- type: string
- request:
- type: string
- required:
- - name
- type: object
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- limits:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- requests:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- type: object
- type: object
- securityContext:
- properties:
- allowPrivilegeEscalation:
- type: boolean
- appArmorProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- capabilities:
- properties:
- add:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- drop:
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- type: object
- privileged:
- type: boolean
- procMount:
- type: string
- readOnlyRootFilesystem:
- type: boolean
- runAsGroup:
- format: int64
- type: integer
- runAsNonRoot:
- type: boolean
- runAsUser:
- format: int64
- type: integer
- seLinuxOptions:
- properties:
- level:
- type: string
- role:
- type: string
- type:
- type: string
- user:
- type: string
- type: object
- seccompProfile:
- properties:
- localhostProfile:
- type: string
- type:
- type: string
- required:
- - type
- type: object
- windowsOptions:
- properties:
- gmsaCredentialSpec:
- type: string
- gmsaCredentialSpecName:
- type: string
- hostProcess:
- type: boolean
- runAsUserName:
- type: string
- type: object
- type: object
- type: object
- service:
- properties:
- clusterIP:
- type: string
- externalTrafficPolicy:
- type: string
- extraAnnotations:
- additionalProperties:
- type: string
- type: object
- extraLabels:
- additionalProperties:
- type: string
- type: object
- ports:
- items:
- properties:
- nodePort:
- type: integer
- port:
- type: integer
- required:
- - port
- type: object
- type: array
- type:
- enum:
- - ClusterIP
- - NodePort
- - LoadBalancer
- - ExternalName
- type: string
- type: object
- serviceAccount:
- properties:
- extraAnnotations:
- additionalProperties:
- type: string
- type: object
- extraLabels:
- additionalProperties:
- type: string
- type: object
- type: object
- stats:
- properties:
- enableStatsRoute:
- type: boolean
- enabled:
- type: boolean
- routePrefixRewrite:
- type: string
- statsRoutePrefixRewrite:
- type: string
- type: object
- type: object
- selfManaged:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [kube selfManaged] must be set
- rule: '[has(self.kube),has(self.selfManaged)].filter(x,x==true).size()
- == 1'
- status:
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_httplistenerpolicies.yaml b/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_httplistenerpolicies.yaml
deleted file mode 100644
index 454c4e5b..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_httplistenerpolicies.yaml
+++ /dev/null
@@ -1,1076 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.1-0.20250625175829-8d11ce77f347
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- gateway.networking.k8s.io/policy: Direct
- name: httplistenerpolicies.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: HTTPListenerPolicy
- listKind: HTTPListenerPolicyList
- plural: httplistenerpolicies
- singular: httplistenerpolicy
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- acceptHttp10:
- type: boolean
- accessLog:
- items:
- properties:
- fileSink:
- properties:
- jsonFormat:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- path:
- type: string
- stringFormat:
- type: string
- required:
- - path
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [stringFormat jsonFormat]
- must be set
- rule: '[has(self.stringFormat),has(self.jsonFormat)].filter(x,x==true).size()
- == 1'
- filter:
- allOf:
- - maxProperties: 1
- minProperties: 1
- - maxProperties: 1
- minProperties: 1
- properties:
- andFilter:
- items:
- maxProperties: 1
- minProperties: 1
- properties:
- celFilter:
- properties:
- match:
- type: string
- required:
- - match
- type: object
- durationFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- grpcStatusFilter:
- properties:
- exclude:
- type: boolean
- statuses:
- items:
- enum:
- - OK
- - CANCELED
- - UNKNOWN
- - INVALID_ARGUMENT
- - DEADLINE_EXCEEDED
- - NOT_FOUND
- - ALREADY_EXISTS
- - PERMISSION_DENIED
- - RESOURCE_EXHAUSTED
- - FAILED_PRECONDITION
- - ABORTED
- - OUT_OF_RANGE
- - UNIMPLEMENTED
- - INTERNAL
- - UNAVAILABLE
- - DATA_LOSS
- - UNAUTHENTICATED
- type: string
- minItems: 1
- type: array
- type: object
- headerFilter:
- properties:
- header:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- required:
- - header
- type: object
- notHealthCheckFilter:
- type: boolean
- responseFlagFilter:
- properties:
- flags:
- items:
- type: string
- minItems: 1
- type: array
- required:
- - flags
- type: object
- statusCodeFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- traceableFilter:
- type: boolean
- type: object
- minItems: 2
- type: array
- celFilter:
- properties:
- match:
- type: string
- required:
- - match
- type: object
- durationFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- grpcStatusFilter:
- properties:
- exclude:
- type: boolean
- statuses:
- items:
- enum:
- - OK
- - CANCELED
- - UNKNOWN
- - INVALID_ARGUMENT
- - DEADLINE_EXCEEDED
- - NOT_FOUND
- - ALREADY_EXISTS
- - PERMISSION_DENIED
- - RESOURCE_EXHAUSTED
- - FAILED_PRECONDITION
- - ABORTED
- - OUT_OF_RANGE
- - UNIMPLEMENTED
- - INTERNAL
- - UNAVAILABLE
- - DATA_LOSS
- - UNAUTHENTICATED
- type: string
- minItems: 1
- type: array
- type: object
- headerFilter:
- properties:
- header:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- required:
- - header
- type: object
- notHealthCheckFilter:
- type: boolean
- orFilter:
- items:
- maxProperties: 1
- minProperties: 1
- properties:
- celFilter:
- properties:
- match:
- type: string
- required:
- - match
- type: object
- durationFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- grpcStatusFilter:
- properties:
- exclude:
- type: boolean
- statuses:
- items:
- enum:
- - OK
- - CANCELED
- - UNKNOWN
- - INVALID_ARGUMENT
- - DEADLINE_EXCEEDED
- - NOT_FOUND
- - ALREADY_EXISTS
- - PERMISSION_DENIED
- - RESOURCE_EXHAUSTED
- - FAILED_PRECONDITION
- - ABORTED
- - OUT_OF_RANGE
- - UNIMPLEMENTED
- - INTERNAL
- - UNAVAILABLE
- - DATA_LOSS
- - UNAUTHENTICATED
- type: string
- minItems: 1
- type: array
- type: object
- headerFilter:
- properties:
- header:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- required:
- - header
- type: object
- notHealthCheckFilter:
- type: boolean
- responseFlagFilter:
- properties:
- flags:
- items:
- type: string
- minItems: 1
- type: array
- required:
- - flags
- type: object
- statusCodeFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- traceableFilter:
- type: boolean
- type: object
- minItems: 2
- type: array
- responseFlagFilter:
- properties:
- flags:
- items:
- type: string
- minItems: 1
- type: array
- required:
- - flags
- type: object
- statusCodeFilter:
- properties:
- op:
- enum:
- - EQ
- - GE
- - LE
- type: string
- value:
- format: int32
- maximum: 4294967295
- minimum: 0
- type: integer
- required:
- - op
- type: object
- traceableFilter:
- type: boolean
- type: object
- grpcService:
- properties:
- additionalRequestHeadersToLog:
- items:
- type: string
- type: array
- additionalResponseHeadersToLog:
- items:
- type: string
- type: array
- additionalResponseTrailersToLog:
- items:
- type: string
- type: array
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- initialMetadata:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- type: object
- type: array
- logName:
- type: string
- maxReceiveMessageLength:
- format: int32
- type: integer
- retryPolicy:
- properties:
- numRetries:
- format: int32
- type: integer
- retryBackOff:
- properties:
- baseInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- maxInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - baseInterval
- type: object
- type: object
- skipEnvoyHeaders:
- type: boolean
- timeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - backendRef
- - logName
- type: object
- openTelemetry:
- properties:
- attributes:
- properties:
- values:
- items:
- properties:
- key:
- type: string
- value:
- maxProperties: 1
- minProperties: 1
- properties:
- arrayValue:
- items:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: array
- kvListValue:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- stringValue:
- type: string
- type: object
- required:
- - key
- - value
- type: object
- type: array
- type: object
- body:
- type: string
- disableBuiltinLabels:
- type: boolean
- grpcService:
- properties:
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- initialMetadata:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- type: object
- type: array
- logName:
- type: string
- maxReceiveMessageLength:
- format: int32
- type: integer
- retryPolicy:
- properties:
- numRetries:
- format: int32
- type: integer
- retryBackOff:
- properties:
- baseInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- maxInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - baseInterval
- type: object
- type: object
- skipEnvoyHeaders:
- type: boolean
- timeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - backendRef
- - logName
- type: object
- resourceAttributes:
- properties:
- values:
- items:
- properties:
- key:
- type: string
- value:
- maxProperties: 1
- minProperties: 1
- properties:
- arrayValue:
- items:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: array
- kvListValue:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- stringValue:
- type: string
- type: object
- required:
- - key
- - value
- type: object
- type: array
- type: object
- required:
- - grpcService
- type: object
- type: object
- maxItems: 16
- type: array
- defaultHostForHttp10:
- minLength: 1
- type: string
- healthCheck:
- properties:
- path:
- maxLength: 2048
- pattern: ^/[-a-zA-Z0-9@:%.+~#?&/=_]+$
- type: string
- required:
- - path
- type: object
- idleTimeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- preserveHttp1HeaderCase:
- type: boolean
- serverHeaderTransformation:
- enum:
- - Overwrite
- - AppendIfAbsent
- - PassThrough
- type: string
- streamIdleTimeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- targetRefs:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 16
- minItems: 1
- type: array
- x-kubernetes-validations:
- - message: targetRefs may only reference Gateway resources
- rule: self.all(r, r.kind == 'Gateway' && (!has(r.group) || r.group
- == 'gateway.networking.k8s.io'))
- targetSelectors:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- matchLabels:
- additionalProperties:
- type: string
- type: object
- required:
- - group
- - kind
- - matchLabels
- type: object
- type: array
- x-kubernetes-validations:
- - message: targetSelectors may only reference Gateway resources
- rule: self.all(r, r.kind == 'Gateway' && (!has(r.group) || r.group
- == 'gateway.networking.k8s.io'))
- tracing:
- properties:
- attributes:
- items:
- maxProperties: 2
- minProperties: 1
- properties:
- environment:
- properties:
- defaultValue:
- type: string
- name:
- type: string
- required:
- - name
- type: object
- literal:
- properties:
- value:
- type: string
- required:
- - value
- type: object
- metadata:
- properties:
- defaultValue:
- type: string
- kind:
- enum:
- - Request
- - Route
- - Cluster
- - Host
- type: string
- metadataKey:
- properties:
- key:
- type: string
- path:
- items:
- properties:
- key:
- type: string
- required:
- - key
- type: object
- type: array
- required:
- - key
- - path
- type: object
- required:
- - kind
- - metadataKey
- type: object
- name:
- type: string
- requestHeader:
- properties:
- defaultValue:
- type: string
- name:
- type: string
- required:
- - name
- type: object
- required:
- - name
- type: object
- type: array
- clientSampling:
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- maxPathTagLength:
- format: int32
- type: integer
- overallSampling:
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- provider:
- maxProperties: 1
- minProperties: 1
- properties:
- openTelemetry:
- properties:
- grpcService:
- properties:
- authority:
- type: string
- backendRef:
- properties:
- group:
- default: ""
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Service
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- weight:
- default: 1
- format: int32
- maximum: 1000000
- minimum: 0
- type: integer
- required:
- - name
- type: object
- x-kubernetes-validations:
- - message: Must have port for Service reference
- rule: '(size(self.group) == 0 && self.kind == ''Service'')
- ? has(self.port) : true'
- initialMetadata:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- type: object
- type: array
- maxReceiveMessageLength:
- format: int32
- type: integer
- retryPolicy:
- properties:
- numRetries:
- format: int32
- type: integer
- retryBackOff:
- properties:
- baseInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- maxInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - baseInterval
- type: object
- type: object
- skipEnvoyHeaders:
- type: boolean
- timeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- required:
- - backendRef
- type: object
- resourceDetectors:
- items:
- maxProperties: 1
- minProperties: 1
- properties:
- environmentResourceDetector:
- type: object
- type: object
- type: array
- sampler:
- maxProperties: 1
- minProperties: 1
- properties:
- alwaysOnConfig:
- type: object
- type: object
- serviceName:
- type: string
- required:
- - grpcService
- type: object
- type: object
- randomSampling:
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- spawnUpstreamSpan:
- type: boolean
- verbose:
- type: boolean
- required:
- - provider
- type: object
- upgradeConfig:
- properties:
- enabledUpgrades:
- items:
- type: string
- minItems: 1
- type: array
- type: object
- useRemoteAddress:
- type: boolean
- xffNumTrustedHops:
- format: int32
- minimum: 0
- type: integer
- type: object
- status:
- properties:
- ancestors:
- items:
- properties:
- ancestorRef:
- properties:
- group:
- default: gateway.networking.k8s.io
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- controllerName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- required:
- - ancestorRef
- - controllerName
- type: object
- maxItems: 16
- type: array
- required:
- - ancestors
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_trafficpolicies.yaml b/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_trafficpolicies.yaml
deleted file mode 100644
index 35e6f4d6..00000000
--- a/sources/kgateway-crds/v2.1.0-main/templates/gateway.kgateway.dev_trafficpolicies.yaml
+++ /dev/null
@@ -1,1103 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.1-0.20250625175829-8d11ce77f347
- labels:
- app: kgateway
- app.kubernetes.io/name: kgateway
- gateway.networking.k8s.io/policy: Direct
- name: trafficpolicies.gateway.kgateway.dev
-spec:
- group: gateway.kgateway.dev
- names:
- categories:
- - kgateway
- kind: TrafficPolicy
- listKind: TrafficPolicyList
- plural: trafficpolicies
- singular: trafficpolicy
- scope: Namespaced
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- properties:
- apiVersion:
- type: string
- kind:
- type: string
- metadata:
- type: object
- spec:
- properties:
- ai:
- properties:
- defaults:
- items:
- properties:
- field:
- minLength: 1
- type: string
- override:
- default: false
- type: boolean
- value:
- minLength: 1
- type: string
- required:
- - field
- - value
- type: object
- type: array
- promptEnrichment:
- properties:
- append:
- items:
- properties:
- content:
- type: string
- role:
- type: string
- required:
- - content
- - role
- type: object
- type: array
- prepend:
- items:
- properties:
- content:
- type: string
- role:
- type: string
- required:
- - content
- - role
- type: object
- type: array
- type: object
- promptGuard:
- properties:
- request:
- properties:
- customResponse:
- properties:
- message:
- default: The request was rejected due to inappropriate
- content
- type: string
- statusCode:
- default: 403
- format: int32
- maximum: 599
- minimum: 200
- type: integer
- type: object
- moderation:
- properties:
- openAIModeration:
- properties:
- authToken:
- properties:
- inline:
- type: string
- kind:
- enum:
- - Inline
- - SecretRef
- - Passthrough
- type: string
- secretRef:
- properties:
- name:
- default: ""
- type: string
- type: object
- x-kubernetes-map-type: atomic
- required:
- - kind
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [inline
- secretRef] may be set
- rule: '[has(self.inline),has(self.secretRef)].filter(x,x==true).size()
- <= 1'
- model:
- type: string
- required:
- - authToken
- type: object
- type: object
- regex:
- properties:
- action:
- default: MASK
- type: string
- builtins:
- items:
- enum:
- - SSN
- - CREDIT_CARD
- - PHONE_NUMBER
- - EMAIL
- type: string
- type: array
- matches:
- items:
- properties:
- name:
- type: string
- pattern:
- type: string
- type: object
- type: array
- type: object
- webhook:
- properties:
- forwardHeaders:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- host:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- required:
- - host
- type: object
- type: object
- response:
- properties:
- regex:
- properties:
- action:
- default: MASK
- type: string
- builtins:
- items:
- enum:
- - SSN
- - CREDIT_CARD
- - PHONE_NUMBER
- - EMAIL
- type: string
- type: array
- matches:
- items:
- properties:
- name:
- type: string
- pattern:
- type: string
- type: object
- type: array
- type: object
- webhook:
- properties:
- forwardHeaders:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- type:
- default: Exact
- enum:
- - Exact
- - RegularExpression
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- type: array
- host:
- properties:
- host:
- minLength: 1
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- required:
- - host
- - port
- type: object
- required:
- - host
- type: object
- type: object
- type: object
- routeType:
- default: CHAT
- enum:
- - CHAT
- - CHAT_STREAMING
- type: string
- type: object
- autoHostRewrite:
- type: boolean
- buffer:
- properties:
- disable:
- type: object
- maxRequestSize:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- x-kubernetes-validations:
- - message: maxRequestSize must be greater than 0 and less than
- 4Gi
- rule: (type(self) == int && int(self) > 0 && int(self) < 4294967296)
- || (type(self) == string && quantity(self).isGreaterThan(quantity('0'))
- && quantity(self).isLessThan(quantity('4Gi')))
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [maxRequestSize disable] must
- be set
- rule: '[has(self.maxRequestSize),has(self.disable)].filter(x,x==true).size()
- == 1'
- cors:
- properties:
- allowCredentials:
- enum:
- - true
- type: boolean
- allowHeaders:
- items:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- allowMethods:
- items:
- enum:
- - GET
- - HEAD
- - POST
- - PUT
- - DELETE
- - CONNECT
- - OPTIONS
- - TRACE
- - PATCH
- - '*'
- type: string
- maxItems: 9
- type: array
- x-kubernetes-list-type: set
- x-kubernetes-validations:
- - message: AllowMethods cannot contain '*' alongside other methods
- rule: '!(''*'' in self && self.size() > 1)'
- allowOrigins:
- items:
- maxLength: 253
- minLength: 1
- pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- disable:
- type: object
- exposeHeaders:
- items:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- maxItems: 64
- type: array
- x-kubernetes-list-type: set
- maxAge:
- default: 5
- format: int32
- minimum: 1
- type: integer
- type: object
- x-kubernetes-preserve-unknown-fields: true
- csrf:
- properties:
- additionalOrigins:
- items:
- properties:
- contains:
- type: string
- exact:
- type: string
- ignoreCase:
- default: false
- type: boolean
- prefix:
- type: string
- safeRegex:
- type: string
- suffix:
- type: string
- required:
- - ignoreCase
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [exact prefix suffix
- contains safeRegex] must be set
- rule: '[has(self.exact),has(self.prefix),has(self.suffix),has(self.contains),has(self.safeRegex)].filter(x,x==true).size()
- == 1'
- maxItems: 16
- type: array
- percentageEnabled:
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- percentageShadowed:
- format: int32
- maximum: 100
- minimum: 0
- type: integer
- type: object
- x-kubernetes-validations:
- - message: at most one of the fields in [percentageEnabled percentageShadowed]
- may be set
- rule: '[has(self.percentageEnabled),has(self.percentageShadowed)].filter(x,x==true).size()
- <= 1'
- extAuth:
- properties:
- contextExtensions:
- additionalProperties:
- type: string
- type: object
- disable:
- type: object
- extensionRef:
- properties:
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- withRequestBody:
- properties:
- allowPartialMessage:
- type: boolean
- maxRequestBytes:
- format: int32
- minimum: 1
- type: integer
- packAsBytes:
- type: boolean
- required:
- - maxRequestBytes
- type: object
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [extensionRef disable] must
- be set
- rule: '[has(self.extensionRef),has(self.disable)].filter(x,x==true).size()
- == 1'
- extProc:
- properties:
- disable:
- type: object
- extensionRef:
- properties:
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- processingMode:
- properties:
- requestBodyMode:
- default: NONE
- enum:
- - NONE
- - STREAMED
- - BUFFERED
- - BUFFERED_PARTIAL
- - FULL_DUPLEX_STREAMED
- type: string
- requestHeaderMode:
- default: SEND
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- requestTrailerMode:
- default: SKIP
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- responseBodyMode:
- default: NONE
- enum:
- - NONE
- - STREAMED
- - BUFFERED
- - BUFFERED_PARTIAL
- - FULL_DUPLEX_STREAMED
- type: string
- responseHeaderMode:
- default: SEND
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- responseTrailerMode:
- default: SKIP
- enum:
- - DEFAULT
- - SEND
- - SKIP
- type: string
- type: object
- type: object
- x-kubernetes-validations:
- - message: exactly one of the fields in [extensionRef disable] must
- be set
- rule: '[has(self.extensionRef),has(self.disable)].filter(x,x==true).size()
- == 1'
- headerModifiers:
- properties:
- request:
- properties:
- add:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- response:
- properties:
- add:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- remove:
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- items:
- properties:
- name:
- maxLength: 256
- minLength: 1
- pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
- type: string
- value:
- maxLength: 4096
- minLength: 1
- type: string
- required:
- - name
- - value
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type: object
- x-kubernetes-validations:
- - message: At least one of request or response must be provided.
- rule: has(self.request) || has(self.response)
- rateLimit:
- properties:
- global:
- properties:
- descriptors:
- items:
- properties:
- entries:
- items:
- properties:
- generic:
- properties:
- key:
- minLength: 1
- type: string
- value:
- minLength: 1
- type: string
- required:
- - key
- - value
- type: object
- header:
- minLength: 1
- type: string
- type:
- enum:
- - Generic
- - Header
- - RemoteAddress
- - Path
- type: string
- required:
- - type
- type: object
- x-kubernetes-validations:
- - message: exactly one entry type must be specified
- rule: (has(self.type) && (self.type == 'Generic'
- && has(self.generic) && !has(self.header)) ||
- (self.type == 'Header' && has(self.header) &&
- !has(self.generic)) || (self.type == 'RemoteAddress'
- && !has(self.generic) && !has(self.header)) ||
- (self.type == 'Path' && !has(self.generic) &&
- !has(self.header)))
- minItems: 1
- type: array
- required:
- - entries
- type: object
- minItems: 1
- type: array
- extensionRef:
- properties:
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - descriptors
- - extensionRef
- type: object
- local:
- properties:
- tokenBucket:
- properties:
- fillInterval:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- maxTokens:
- format: int32
- minimum: 1
- type: integer
- tokensPerFill:
- default: 1
- format: int32
- minimum: 1
- type: integer
- required:
- - fillInterval
- - maxTokens
- type: object
- type: object
- type: object
- rbac:
- properties:
- action:
- default: Allow
- enum:
- - Allow
- - Deny
- type: string
- policy:
- properties:
- matchExpressions:
- items:
- type: string
- minItems: 1
- type: array
- type: object
- required:
- - policy
- type: object
- retry:
- properties:
- attempts:
- default: 1
- format: int32
- minimum: 0
- type: integer
- backoffBaseInterval:
- default: 25ms
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- - message: retry.backoffBaseInterval must be at least 1ms.
- rule: duration(self) >= duration('1ms')
- perTryTimeout:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- - message: retry.perTryTimeout must be at least 1ms.
- rule: duration(self) >= duration('1ms')
- retryOn:
- items:
- enum:
- - 5xx
- - gateway-error
- - reset
- - reset-before-request
- - connect-failure
- - envoy-ratelimited
- - retriable-4xx
- - refused-stream
- - retriable-status-codes
- - http3-post-connect-failure
- - cancelled
- - deadline-exceeded
- - internal
- - resource-exhausted
- - unavailable
- type: string
- minItems: 1
- type: array
- statusCodes:
- items:
- maximum: 599
- minimum: 400
- type: integer
- minItems: 1
- type: array
- type: object
- x-kubernetes-validations:
- - message: retryOn or statusCodes must be set.
- rule: has(self.retryOn) || has(self.statusCodes)
- targetRefs:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- sectionName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - group
- - kind
- - name
- type: object
- maxItems: 16
- minItems: 1
- type: array
- x-kubernetes-validations:
- - message: targetRefs may only reference Gateway, HTTPRoute, XListenerSet,
- or Backend resources
- rule: self.all(r, (r.kind == 'Backend' || r.kind == 'Gateway' ||
- r.kind == 'HTTPRoute' || (r.kind == 'XListenerSet' && r.group
- == 'gateway.networking.x-k8s.io')) && (!has(r.group) || r.group
- == 'gateway.networking.k8s.io' || r.group == 'gateway.networking.x-k8s.io'
- || r.group == 'gateway.kgateway.dev' ))
- targetSelectors:
- items:
- properties:
- group:
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- matchLabels:
- additionalProperties:
- type: string
- type: object
- sectionName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - group
- - kind
- - matchLabels
- type: object
- type: array
- x-kubernetes-validations:
- - message: targetSelectors may only reference Gateway, HTTPRoute,
- or XListenerSet resources
- rule: self.all(r, (r.kind == 'Gateway' || r.kind == 'HTTPRoute'
- || (r.kind == 'XListenerSet' && r.group == 'gateway.networking.x-k8s.io'))
- && (!has(r.group) || r.group == 'gateway.networking.k8s.io' ||
- r.group == 'gateway.networking.x-k8s.io'))
- timeouts:
- properties:
- request:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- streamIdle:
- type: string
- x-kubernetes-validations:
- - message: invalid duration value
- rule: matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')
- type: object
- transformation:
- properties:
- request:
- properties:
- add:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- body:
- properties:
- parseAs:
- default: AsString
- enum:
- - AsString
- - AsJson
- type: string
- value:
- type: string
- required:
- - parseAs
- type: object
- remove:
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- response:
- properties:
- add:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- body:
- properties:
- parseAs:
- default: AsString
- enum:
- - AsString
- - AsJson
- type: string
- value:
- type: string
- required:
- - parseAs
- type: object
- remove:
- items:
- type: string
- maxItems: 16
- type: array
- x-kubernetes-list-type: set
- set:
- items:
- properties:
- name:
- type: string
- value:
- type: string
- required:
- - name
- type: object
- maxItems: 16
- type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
- type: object
- type: object
- type: object
- x-kubernetes-validations:
- - message: autoHostRewrite can only be used when targeting HTTPRoute resources
- rule: '!has(self.autoHostRewrite) || ((has(self.targetRefs) && self.targetRefs.all(r,
- r.kind == ''HTTPRoute'')) || (has(self.targetSelectors) && self.targetSelectors.all(r,
- r.kind == ''HTTPRoute'')))'
- - message: retry.perTryTimeout must be lesser than timeouts.request
- rule: 'has(self.retry) && has(self.timeouts) ? (has(self.retry.perTryTimeout)
- && has(self.timeouts.request) ? duration(self.retry.perTryTimeout)
- < duration(self.timeouts.request) : true) : true'
- - message: targetRefs[].sectionName must be set when targeting Gateway
- resources with retry policy
- rule: 'has(self.retry) && has(self.targetRefs) ? self.targetRefs.all(r,
- (r.kind == ''Gateway'' ? has(r.sectionName) : true )) : true'
- - message: targetSelectors[].sectionName must be set when targeting Gateway
- resources with retry policy
- rule: 'has(self.retry) && has(self.targetSelectors) ? self.targetSelectors.all(r,
- (r.kind == ''Gateway'' ? has(r.sectionName) : true )) : true'
- status:
- properties:
- ancestors:
- items:
- properties:
- ancestorRef:
- properties:
- group:
- default: gateway.networking.k8s.io
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- default: Gateway
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- maxLength: 253
- minLength: 1
- type: string
- namespace:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- port:
- format: int32
- maximum: 65535
- minimum: 1
- type: integer
- sectionName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - name
- type: object
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- maxLength: 32768
- type: string
- observedGeneration:
- format: int64
- minimum: 0
- type: integer
- reason:
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- maxItems: 8
- minItems: 1
- type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
- controllerName:
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
- type: string
- required:
- - ancestorRef
- - controllerName
- type: object
- maxItems: 16
- type: array
- required:
- - ancestors
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
diff --git a/sources/kgateway-crds/v2.1.0-main/values.yaml b/sources/kgateway-crds/v2.1.0-main/values.yaml
deleted file mode 100644
index 67d2386d..00000000
--- a/sources/kgateway-crds/v2.1.0-main/values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# Default values for kgateway-crds.
diff --git a/sources/kgateway/source.yaml b/sources/kgateway/source.yaml
deleted file mode 100644
index a2248dac..00000000
--- a/sources/kgateway/source.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-sourceUrl: oci://cr.kgateway.dev/kgateway-dev/charts/kgateway
-sourceVersion: v2.1.0-main
\ No newline at end of file
diff --git a/sources/kgateway/v2.0.4/.helmignore b/sources/kgateway/v2.0.4/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/sources/kgateway/v2.0.4/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/sources/kgateway/v2.0.4/Chart.yaml b/sources/kgateway/v2.0.4/Chart.yaml
deleted file mode 100644
index 5330c73d..00000000
--- a/sources/kgateway/v2.0.4/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-appVersion: 1.16.0
-description: A Helm chart for the kgateway project
-name: kgateway
-type: application
-version: v2.0.4
diff --git a/sources/kgateway/v2.0.4/templates/_helpers.tpl b/sources/kgateway/v2.0.4/templates/_helpers.tpl
deleted file mode 100644
index 08aa9768..00000000
--- a/sources/kgateway/v2.0.4/templates/_helpers.tpl
+++ /dev/null
@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "kgateway.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "kgateway.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "kgateway.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "kgateway.labels" -}}
-helm.sh/chart: {{ include "kgateway.chart" . }}
-{{ include "kgateway.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "kgateway.selectorLabels" -}}
-kgateway: kgateway
-app.kubernetes.io/name: {{ include "kgateway.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "kgateway.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "kgateway.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/sources/kgateway/v2.0.4/templates/deployment.yaml b/sources/kgateway/v2.0.4/templates/deployment.yaml
deleted file mode 100644
index d8ac8f73..00000000
--- a/sources/kgateway/v2.0.4/templates/deployment.yaml
+++ /dev/null
@@ -1,104 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "kgateway.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kgateway.labels" . | nindent 4 }}
-spec:
- replicas: {{ .Values.controller.replicaCount }}
- selector:
- matchLabels:
- {{- include "kgateway.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "kgateway.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "kgateway.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.controller.image.registry | default .Values.image.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Values.image.tag | default .Chart.Version }}"
- imagePullPolicy: {{ .Values.controller.image.pullPolicy | default .Values.image.pullPolicy }}
- ports:
- - containerPort: {{ .Values.controller.service.ports.grpc }}
- name: grpc-xds
- protocol: TCP
- - containerPort: {{ .Values.controller.service.ports.health }}
- name: health
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: {{ .Values.controller.service.ports.health }}
- initialDelaySeconds: 3
- periodSeconds: 10
- env:
- - name: GOMEMLIMIT
- valueFrom:
- resourceFieldRef:
- divisor: "1"
- resource: limits.memory
- - name: GOMAXPROCS
- valueFrom:
- resourceFieldRef:
- divisor: "1"
- resource: limits.cpu
- - name: LOG_LEVEL
- value: {{ .Values.controller.logLevel | quote }}
- - name: KGW_XDS_SERVICE_NAME
- value: {{ include "kgateway.fullname" . }}
- - name: KGW_XDS_SERVICE_PORT
- value: {{ .Values.controller.service.ports.grpc | quote }}
- {{- if .Values.inferenceExtension.enabled }}
- - name: KGW_ENABLE_INFER_EXT
- value: "true"
- {{- end }}
- {{- if .Values.inferenceExtension.autoProvision }}
- - name: KGW_INFER_EXT_AUTO_PROVISION
- value: "true"
- {{- end }}
- - name: KGW_DEFAULT_IMAGE_REGISTRY
- value: {{ .Values.image.registry }}
- - name: KGW_DEFAULT_IMAGE_TAG
- value: {{ .Values.image.tag | default .Chart.Version }}
- - name: KGW_DEFAULT_IMAGE_PULL_POLICY
- value: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
- {{- if .Values.controller.extraEnv }}
- {{- range $key, $value := .Values.controller.extraEnv }}
- - name: {{ $key }}
- value: {{ $value | quote }}
- {{- end }}
- {{- end }}
- # TODO: Remove this once the cleanup is done. Required as the gloo-system
- # namespace is the default namespace and conformance will fail as a result.
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/sources/kgateway/v2.0.4/templates/inf_ext_rbac.yaml b/sources/kgateway/v2.0.4/templates/inf_ext_rbac.yaml
deleted file mode 100644
index c11f4e1e..00000000
--- a/sources/kgateway/v2.0.4/templates/inf_ext_rbac.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if .Values.inferenceExtension.enabled }}
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kgateway-inference-extension
-rules:
-- apiGroups: ["inference.networking.x-k8s.io"]
- resources: ["inferencemodels"]
- verbs: ["get", "watch", "list"]
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["inference.networking.x-k8s.io"]
- resources: ["inferencepools"]
- verbs: ["get", "watch", "list", "update"]
-- apiGroups: ["inference.networking.x-k8s.io"]
- resources: ["inferencepools/status"]
- verbs: ["update"]
-- apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kgateway.name" . }}-inference-extension-role
-subjects:
-- kind: ServiceAccount
- name: {{ include "kgateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: {{ include "kgateway.name" . }}-inference-extension
- apiGroup: rbac.authorization.k8s.io
-{{- end }}
diff --git a/sources/kgateway/v2.0.4/templates/role.yaml b/sources/kgateway/v2.0.4/templates/role.yaml
deleted file mode 100644
index 657a3b8b..00000000
--- a/sources/kgateway/v2.0.4/templates/role.yaml
+++ /dev/null
@@ -1,148 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kgateway
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- - secrets
- - serviceaccounts
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups:
- - ""
- resources:
- - endpoints
- - namespaces
- - nodes
- - pods
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - gateway.kgateway.dev
- resources:
- - backends
- - directresponses
- - gatewayextensions
- - gatewayparameters
- - httplistenerpolicies
- - trafficpolicies
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - gateway.kgateway.dev
- resources:
- - backends/status
- - directresponses/status
- - gatewayextensions/status
- - gatewayparameters/status
- - httplistenerpolicies/status
- - trafficpolicies/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - gateway.networking.k8s.io
- resources:
- - backendtlspolicies
- - gateways
- - httproutes
- - referencegrants
- - tcproutes
- - tlsroutes
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - gateway.networking.k8s.io
- resources:
- - backendtlspolicies/status
- - gatewayclasses/status
- - gateways/status
- - httproutes/status
- - tcproutes/status
- - tlsroutes/status
- verbs:
- - patch
- - update
-- apiGroups:
- - gateway.networking.k8s.io
- resources:
- - gatewayclasses
- verbs:
- - create
- - get
- - list
- - watch
-- apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - serviceentries
- - workloadentries
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- verbs:
- - get
- - list
- - watch
diff --git a/sources/kgateway/v2.0.4/templates/service.yaml b/sources/kgateway/v2.0.4/templates/service.yaml
deleted file mode 100644
index 40f0caec..00000000
--- a/sources/kgateway/v2.0.4/templates/service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "kgateway.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kgateway.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.controller.service.type }}
- ports:
- - name: grpc-xds
- protocol: TCP
- port: {{ .Values.controller.service.ports.grpc }}
- targetPort: {{ .Values.controller.service.ports.grpc }}
- selector:
- {{- include "kgateway.selectorLabels" . | nindent 4 }}
diff --git a/sources/kgateway/v2.0.4/templates/serviceaccount.yaml b/sources/kgateway/v2.0.4/templates/serviceaccount.yaml
deleted file mode 100644
index 23d17a15..00000000
--- a/sources/kgateway/v2.0.4/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "kgateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kgateway.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kgateway.name" . }}-role
-subjects:
-- kind: ServiceAccount
- name: {{ include "kgateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: kgateway
- apiGroup: rbac.authorization.k8s.io
diff --git a/sources/kgateway/v2.0.4/values.yaml b/sources/kgateway/v2.0.4/values.yaml
deleted file mode 100644
index 02e462b3..00000000
--- a/sources/kgateway/v2.0.4/values.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
- # memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-controller:
- replicaCount: 1
- logLevel: info
- image:
- registry: ""
- repository: kgateway
- pullPolicy: ""
- tag: ""
- service:
- type: ClusterIP
- ports:
- grpc: 9977
- health: 9093
- extraEnv: {}
-
-image:
- registry: cr.kgateway.dev/kgateway-dev
- tag: ""
- pullPolicy: IfNotPresent
-
-inferenceExtension:
- enabled: false
- autoProvision: false
diff --git a/sources/kgateway/v2.1.0-main/.helmignore b/sources/kgateway/v2.1.0-main/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/sources/kgateway/v2.1.0-main/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/sources/kgateway/v2.1.0-main/Chart.yaml b/sources/kgateway/v2.1.0-main/Chart.yaml
deleted file mode 100644
index bb7d2871..00000000
--- a/sources/kgateway/v2.1.0-main/Chart.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v2
-appVersion: 1.16.0
-description: A Helm chart for the kgateway project
-icon: https://raw.githubusercontent.com/kgateway-dev/kgateway.dev/main/static/favicon.svg
-name: kgateway
-type: application
-version: v2.1.0-main
diff --git a/sources/kgateway/v2.1.0-main/templates/NOTES.txt b/sources/kgateway/v2.1.0-main/templates/NOTES.txt
deleted file mode 100644
index bd65c3e2..00000000
--- a/sources/kgateway/v2.1.0-main/templates/NOTES.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Thank you for installing the {{ .Chart.Name }} chart.
-
-Your release "{{ .Release.Name }}" has been deployed in the "{{ .Release.Namespace }}" namespace.
-
-To check the status of the deployment:
-
- helm status {{ .Release.Name }} --namespace {{ .Release.Namespace }}
-
-To view the resources created by this chart:
-
- kubectl get all -n {{ .Release.Namespace }}
-
-To learn how to access and use kgateway, please visit the official documentation:
-
- https://kgateway.dev/docs/
-
-To uninstall the kgateway deployment:
-
- helm uninstall {{ .Release.Name }} --namespace {{ .Release.Namespace }}
diff --git a/sources/kgateway/v2.1.0-main/templates/_helpers.tpl b/sources/kgateway/v2.1.0-main/templates/_helpers.tpl
deleted file mode 100644
index 08aa9768..00000000
--- a/sources/kgateway/v2.1.0-main/templates/_helpers.tpl
+++ /dev/null
@@ -1,63 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "kgateway.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "kgateway.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "kgateway.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "kgateway.labels" -}}
-helm.sh/chart: {{ include "kgateway.chart" . }}
-{{ include "kgateway.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "kgateway.selectorLabels" -}}
-kgateway: kgateway
-app.kubernetes.io/name: {{ include "kgateway.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "kgateway.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "kgateway.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/sources/kgateway/v2.1.0-main/templates/deployment.yaml b/sources/kgateway/v2.1.0-main/templates/deployment.yaml
deleted file mode 100644
index adf0ed49..00000000
--- a/sources/kgateway/v2.1.0-main/templates/deployment.yaml
+++ /dev/null
@@ -1,119 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "kgateway.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kgateway.labels" . | nindent 4 }}
- {{- with .Values.deploymentAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- replicas: {{ .Values.controller.replicaCount }}
- selector:
- matchLabels:
- {{- include "kgateway.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- annotations:
- prometheus.io/path: "/metrics"
- prometheus.io/port: {{ .Values.controller.service.ports.metrics | default 9092 | quote}}
- {{- toYaml .Values.podAnnotations | nindent 8 }}
- labels:
- {{- include "kgateway.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "kgateway.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.controller.image.registry | default .Values.image.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Values.image.tag | default .Chart.Version }}"
- imagePullPolicy: {{ .Values.controller.image.pullPolicy | default .Values.image.pullPolicy }}
- ports:
- - containerPort: {{ .Values.controller.service.ports.grpc }}
- name: grpc-xds
- protocol: TCP
- - containerPort: {{ .Values.controller.service.ports.health }}
- name: health
- protocol: TCP
- - containerPort: {{ .Values.controller.service.ports.metrics }}
- name: metrics
- protocol: TCP
- readinessProbe:
- httpGet:
- path: /readyz
- port: {{ .Values.controller.service.ports.health }}
- initialDelaySeconds: 3
- periodSeconds: 10
- env:
- - name: GOMEMLIMIT
- valueFrom:
- resourceFieldRef:
- divisor: "1"
- resource: limits.memory
- - name: GOMAXPROCS
- valueFrom:
- resourceFieldRef:
- divisor: "1"
- resource: limits.cpu
- - name: KGW_LOG_LEVEL
- value: {{ .Values.controller.logLevel | quote }}
- - name: KGW_XDS_SERVICE_NAME
- value: {{ include "kgateway.fullname" . }}
- - name: KGW_XDS_SERVICE_PORT
- value: {{ .Values.controller.service.ports.grpc | quote }}
- {{- if .Values.inferenceExtension.enabled }}
- - name: KGW_ENABLE_INFER_EXT
- value: "true"
- {{- end }}
- {{- if .Values.inferenceExtension.autoProvision }}
- - name: KGW_INFER_EXT_AUTO_PROVISION
- value: "true"
- {{- end }}
- - name: KGW_DEFAULT_IMAGE_REGISTRY
- value: {{ .Values.image.registry }}
- - name: KGW_DEFAULT_IMAGE_TAG
- value: {{ .Values.image.tag | default .Chart.Version }}
- - name: KGW_DEFAULT_IMAGE_PULL_POLICY
- value: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
- - name: KGW_DISCOVERY_NAMESPACE_SELECTORS
- value: {{ .Values.discoveryNamespaceSelectors | toJson | quote }}
- - name: KGW_POLICY_MERGE
- value: {{ .Values.policyMerge | toJson | quote }}
- {{- if .Values.controller.extraEnv }}
- {{- range $key, $value := .Values.controller.extraEnv }}
- - name: {{ $key }}
- value: {{ $value | quote }}
- {{- end }}
- {{- end }}
- {{- if .Values.agentGateway.enabled }}
- - name: KGW_ENABLE_AGENT_GATEWAY
- value: "true"
- {{- end }}
- # TODO: Remove this once the cleanup is done. Required as the gloo-system
- # namespace is the default namespace and conformance will fail as a result.
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/sources/kgateway/v2.1.0-main/templates/inf_ext_rbac.yaml b/sources/kgateway/v2.1.0-main/templates/inf_ext_rbac.yaml
deleted file mode 100644
index 291e4fa7..00000000
--- a/sources/kgateway/v2.1.0-main/templates/inf_ext_rbac.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if .Values.inferenceExtension.enabled }}
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: kgateway-inference-extension-{{ .Release.Namespace }}
-rules:
-- apiGroups: ["inference.networking.x-k8s.io"]
- resources: ["inferenceobjectives"]
- verbs: ["get", "watch", "list"]
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "watch", "list"]
-- apiGroups: ["inference.networking.k8s.io"]
- resources: ["inferencepools"]
- verbs: ["get", "watch", "list", "update"]
-- apiGroups: ["inference.networking.k8s.io"]
- resources: ["inferencepools/status"]
- verbs: ["update"]
-- apiGroups: ["discovery.k8s.io"]
- resources: ["endpointslices"]
- verbs: ["get", "watch", "list"]
-- apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
-- apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterrolebindings
- - clusterroles
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kgateway.name" . }}-inference-extension-role-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "kgateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: {{ include "kgateway.name" . }}-inference-extension-{{ .Release.Namespace }}
- apiGroup: rbac.authorization.k8s.io
-{{- end }}
diff --git a/sources/kgateway/v2.1.0-main/templates/role.yaml b/sources/kgateway/v2.1.0-main/templates/role.yaml
deleted file mode 100644
index 0b344283..00000000
--- a/sources/kgateway/v2.1.0-main/templates/role.yaml
+++ /dev/null
@@ -1,182 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kgateway-{{ .Release.Namespace }}
-rules:
-- apiGroups:
- - ""
- resources:
- - configmaps
- - secrets
- - serviceaccounts
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups:
- - ""
- resources:
- - endpoints
- - namespaces
- - nodes
- - pods
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - apps
- resources:
- - deployments
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
- - get
- - update
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - gateway.kgateway.dev
- resources:
- - backendconfigpolicies
- - backends
- - directresponses
- - gatewayextensions
- - gatewayparameters
- - httplistenerpolicies
- - trafficpolicies
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - gateway.kgateway.dev
- resources:
- - backendconfigpolicies/status
- - backends/status
- - directresponses/status
- - gatewayextensions/status
- - gatewayparameters/status
- - httplistenerpolicies/status
- - trafficpolicies/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - gateway.networking.k8s.io
- resources:
- - backendtlspolicies
- - gateways
- - grpcroutes
- - httproutes
- - referencegrants
- - tcproutes
- - tlsroutes
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - gateway.networking.k8s.io
- resources:
- - backendtlspolicies/status
- - gatewayclasses/status
- - gateways/status
- - grpcroutes/status
- - httproutes/status
- - tcproutes/status
- - tlsroutes/status
- verbs:
- - patch
- - update
-- apiGroups:
- - gateway.networking.k8s.io
- resources:
- - gatewayclasses
- verbs:
- - create
- - get
- - list
- - watch
-- apiGroups:
- - gateway.networking.x-k8s.io
- resources:
- - xlistenersets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - gateway.networking.x-k8s.io
- resources:
- - xlistenersets/status
- verbs:
- - patch
- - update
-- apiGroups:
- - networking.istio.io
- resources:
- - destinationrules
- - serviceentries
- - workloadentries
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - security.istio.io
- resources:
- - authorizationpolicies
- verbs:
- - get
- - list
- - watch
diff --git a/sources/kgateway/v2.1.0-main/templates/service.yaml b/sources/kgateway/v2.1.0-main/templates/service.yaml
deleted file mode 100644
index 40f0caec..00000000
--- a/sources/kgateway/v2.1.0-main/templates/service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "kgateway.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kgateway.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.controller.service.type }}
- ports:
- - name: grpc-xds
- protocol: TCP
- port: {{ .Values.controller.service.ports.grpc }}
- targetPort: {{ .Values.controller.service.ports.grpc }}
- selector:
- {{- include "kgateway.selectorLabels" . | nindent 4 }}
diff --git a/sources/kgateway/v2.1.0-main/templates/serviceaccount.yaml b/sources/kgateway/v2.1.0-main/templates/serviceaccount.yaml
deleted file mode 100644
index fd1cc903..00000000
--- a/sources/kgateway/v2.1.0-main/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "kgateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kgateway.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "kgateway.name" . }}-role-{{ .Release.Namespace }}
-subjects:
-- kind: ServiceAccount
- name: {{ include "kgateway.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: kgateway-{{ .Release.Namespace }}
- apiGroup: rbac.authorization.k8s.io
diff --git a/sources/kgateway/v2.1.0-main/values.yaml b/sources/kgateway/v2.1.0-main/values.yaml
deleted file mode 100644
index 8e488e47..00000000
--- a/sources/kgateway/v2.1.0-main/values.yaml
+++ /dev/null
@@ -1,100 +0,0 @@
-# -- Set a list of image pull secrets for Kubernetes to use when pulling container images from your own private registry instead of the default kgateway registry.
-imagePullSecrets: []
-
-# -- Add a name to the default Helm base release, which is 'kgateway'. If you set 'nameOverride: "foo", the name of the resources that the Helm release creates become 'kgateway-foo', such as the deployment, service, and service account for the kgateway control plane in the kgateway-system namespace.
-nameOverride: ""
-
-# -- Override the full name of resources created by the Helm chart, which is 'kgateway'. If you set 'fullnameOverride: "foo", the full name of the resources that the Helm release creates become 'foo', such as the deployment, service, and service account for the kgateway control plane in the kgateway-system namespace.
-fullnameOverride: ""
-
-# -- Configure the service account for the deployment.
-serviceAccount:
- # -- Specify whether a service account should be created.
- create: true
- # -- Add annotations to the service account.
- annotations: {}
- # -- Set the name of the service account to use. If not set and create is true, a name is generated using the fullname template.
- name: ""
-
-# -- Add annotations to the kgateway deployment.
-deploymentAnnotations: {}
-
-# -- Add annotations to the kgateway pods.
-podAnnotations:
- prometheus.io/scrape: "true"
-
-# -- Set the pod-level security context. For example, 'fsGroup: 2000' sets the filesystem group to 2000.
-podSecurityContext: {}
-
-# -- Set the container-level security context, such as 'runAsNonRoot: true'.
-securityContext: {}
-
-# -- Configure resource requests and limits for the container, such as 'limits.cpu: 100m' or 'requests.memory: 128Mi'.
-resources: {}
-
-# -- Set node selector labels for pod scheduling, such as 'kubernetes.io/arch: amd64'.
-nodeSelector: {}
-
-# -- Set tolerations for pod scheduling, such as 'key: "nvidia.com/gpu"'.
-tolerations: []
-
-# -- Set affinity rules for pod scheduling, such as 'nodeAffinity:'.
-affinity: {}
-
-# -- Configure the kgateway control plane deployment.
-controller:
- # -- Set the number of controller pod replicas.
- replicaCount: 1
- # -- Set the log level for the controller.
- logLevel: info
- # -- Configure the controller container image.
- image:
- # -- Set the image registry for the controller.
- registry: ""
- # -- Set the image repository for the controller.
- repository: kgateway
- # -- Set the image pull policy for the controller.
- pullPolicy: ""
- # -- Set the image tag for the controller.
- tag: ""
- # -- Configure the controller service.
- service:
- # -- Set the service type for the controller.
- type: ClusterIP
- # -- Set the service ports for gRPC and health endpoints.
- ports:
- grpc: 9977
- health: 9093
- metrics: 9092
- # -- Add extra environment variables to the controller container.
- extraEnv: {}
-
-# -- Configure the default container image for the components that Helm deploys. You can override these settings for each particular component in that component's section, such as 'controller.image' for the kgateway control plane. If you use your own private registry, make sure to include the imagePullSecrets.
-image:
- # -- Set the default image registry.
- registry: cr.kgateway.dev/kgateway-dev
- # -- Set the default image tag.
- tag: ""
- # -- Set the default image pull policy.
- pullPolicy: IfNotPresent
-
-# -- Configure the integration with the Gateway API Inference Extension project, which lets you use kgateway to route to AI inference workloads like LLMs that run locally in your Kubernetes cluster. Documentation for Inference Extension can be found here: https://kgateway.dev/docs/integrations/inference-extension/
-inferenceExtension:
- # -- Enable Inference Extension.
- enabled: false
- # -- Enable automatic provisioning for Inference Extension.
- autoProvision: false
-
-# -- List of namespace selectors (OR'ed): each entry can use 'matchLabels' or 'matchExpressions' (AND'ed within each entry if used together). Kgateway includes the selected namespaces in config discovery. For more information, see the docs https://kgateway.dev/docs/operations/install/#namespace-discovery.
-discoveryNamespaceSelectors: []
-
-# -- Enable the integration with Agent Gateway, which lets you use kgateway to help manage agent connectivity across MCP servers, A2A agents, and REST APIs.
-agentGateway:
- enabled: false
-
-# -- Policy merging settings. Currently, TrafficPolicy's extAuth, extProc, and transformation policies support deep merging.
-# E.g., to enable deep merging of extProc policy in TrafficPolicy:
-# policyMerge:
-# trafficPolicy:
-# extProc: DeepMerge
-policyMerge: {}
\ No newline at end of file
diff --git a/sources/minio-tenant-config/templates/minio-httproute.yaml b/sources/minio-tenant-config/templates/minio-httproute.yaml
index 38ce31db..1080afee 100644
--- a/sources/minio-tenant-config/templates/minio-httproute.yaml
+++ b/sources/minio-tenant-config/templates/minio-httproute.yaml
@@ -9,7 +9,7 @@ spec:
- group: gateway.networking.k8s.io
kind: Gateway
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
rules:
- backendRefs:
- group: ""
diff --git a/sources/openbao-config/0.1.0/templates/openbao-httproute.yaml b/sources/openbao-config/0.1.0/templates/openbao-httproute.yaml
index a4a4cfb2..fa5f6378 100644
--- a/sources/openbao-config/0.1.0/templates/openbao-httproute.yaml
+++ b/sources/openbao-config/0.1.0/templates/openbao-httproute.yaml
@@ -9,7 +9,7 @@ spec:
- group: gateway.networking.k8s.io
kind: Gateway
name: https
- namespace: kgateway-system
+ namespace: envoy-gateway-system
rules:
- backendRefs:
- group: ''