diff --git a/diffs/helm__envoy-gateway__templates___helpers.tpl.patch b/diffs/helm__envoy-gateway__templates___helpers.tpl.patch
index 9bd6b76..251fe6a 100644
--- a/diffs/helm__envoy-gateway__templates___helpers.tpl.patch
+++ b/diffs/helm__envoy-gateway__templates___helpers.tpl.patch
@@ -1,5 +1,5 @@
diff --git a/vendor/gateway-helm/templates/_helpers.tpl b/helm/envoy-gateway/templates/_helpers.tpl
-index 24e5cbd..105a0cc 100644
+index d9aefc2..2645585 100644
--- a/vendor/gateway-helm/templates/_helpers.tpl
+++ b/helm/envoy-gateway/templates/_helpers.tpl
@@ -40,6 +40,7 @@ helm.sh/chart: {{ include "eg.chart" . }}
@@ -10,3 +10,14 @@ index 24e5cbd..105a0cc 100644
{{- end }}
{{/*
+@@ -65,8 +66,8 @@ Create the name of the service account to use
+ The name of the Envoy Gateway image.
+ */}}
+ {{- define "eg.image" -}}
+-{{- if .Values.deployment.envoyGateway.image.repository }}
+-{{- .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Values.global.images.envoyGateway.tag | default .Chart.AppVersion }}
++{{- if .Values.image.registry }}
++{{- .Values.image.registry }}/{{- .Values.image.repository }}/{{- .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
+ {{- else if .Values.global.images.envoyGateway.image }}
+ {{- .Values.global.images.envoyGateway.image }}
+ {{- else }}
diff --git a/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch
new file mode 100644
index 0000000..9700fad
--- /dev/null
+++ b/diffs/helm__envoy-gateway__templates__certgen-cnp.yaml.patch
@@ -0,0 +1,49 @@
+diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
+new file mode 100644
+index 0000000..2af4f5c
+--- /dev/null
++++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
+@@ -0,0 +1,43 @@
++---
++apiVersion: "cilium.io/v2"
++kind: CiliumNetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}-certgen
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ endpointSelector:
++ matchLabels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ egress:
++ - toEntities:
++ - kube-apiserver
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: default
++ k8s:k8s-app: kubernetes
++ toPorts:
++ - ports:
++ - port: "443"
++ protocol: TCP
++ - toEndpoints:
++ - matchLabels:
++ k8s:component: kube-apiserver
++ k8s:tier: control-plane
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: kube-system
++ k8s:k8s-app: kube-dns
++ toPorts:
++ - ports:
++ - port: "53"
++ protocol: UDP
++ - port: "53"
++ protocol: TCP
diff --git a/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch
new file mode 100644
index 0000000..e0b911f
--- /dev/null
+++ b/diffs/helm__envoy-gateway__templates__certgen-netpol.yaml.patch
@@ -0,0 +1,50 @@
+diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
+new file mode 100644
+index 0000000..0e9f09a
+--- /dev/null
++++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
+@@ -0,0 +1,44 @@
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}-certgen
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ podSelector:
++ matchLabels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ policyTypes:
++ - Ingress
++ - Egress
++ egress:
++ - to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ component: kube-apiserver
++ tier: control-plane
++ - to:
++ - ipBlock:
++ cidr: 172.31.0.1/32
++ ports:
++ - port: 443
++ protocol: TCP
++ - ports:
++ - port: 53
++ protocol: UDP
++ - port: 53
++ protocol: TCP
++ to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ k8s-app: kube-dns
diff --git a/diffs/helm__envoy-gateway__templates__certgen.yaml.patch b/diffs/helm__envoy-gateway__templates__certgen.yaml.patch
deleted file mode 100644
index 88375f5..0000000
--- a/diffs/helm__envoy-gateway__templates__certgen.yaml.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff --git a/vendor/gateway-helm/templates/certgen.yaml b/helm/envoy-gateway/templates/certgen.yaml
-index 78d5ec2..85750a9 100644
---- a/vendor/gateway-helm/templates/certgen.yaml
-+++ b/helm/envoy-gateway/templates/certgen.yaml
-@@ -31,9 +31,15 @@ spec:
- fieldPath: metadata.namespace
- - name: KUBERNETES_CLUSTER_DOMAIN
- value: {{ .Values.kubernetesClusterDomain }}
-- image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
-+ image: {{ printf "%s/%s" .Values.image.registry .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
- name: envoy-gateway-certgen
-+ securityContext:
-+ allowPrivilegeEscalation: false
-+ capabilities:
-+ drop:
-+ - ALL
-+ readOnlyRootFilesystem: true
- {{- with .Values.certgen.job.resources }}
- resources:
- {{- toYaml . | nindent 10 }}
-@@ -47,6 +53,8 @@ spec:
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
-+ seccompProfile:
-+ type: RuntimeDefault
- serviceAccountName: {{ include "eg.fullname" . }}-certgen
- {{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }}
- ttlSecondsAfterFinished: {{ .Values.certgen.job.ttlSecondsAfterFinished }}
diff --git a/diffs/helm__envoy-gateway__templates__envoy-gateway-cnp.yaml.patch b/diffs/helm__envoy-gateway__templates__envoy-gateway-cnp.yaml.patch
new file mode 100644
index 0000000..daed929
--- /dev/null
+++ b/diffs/helm__envoy-gateway__templates__envoy-gateway-cnp.yaml.patch
@@ -0,0 +1,47 @@
+diff --git a/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
+new file mode 100644
+index 0000000..a44b6ee
+--- /dev/null
++++ b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
+@@ -0,0 +1,41 @@
++---
++apiVersion: "cilium.io/v2"
++kind: CiliumNetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ control-plane: envoy-gateway
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ endpointSelector:
++ matchLabels:
++ control-plane: envoy-gateway
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ egress:
++ - toEntities:
++ - kube-apiserver
++ - cluster
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: kube-system
++ k8s-app: kube-dns
++ toPorts:
++ - ports:
++ - port: "53"
++ protocol: UDP
++ - port: "53"
++ protocol: TCP
++ ingress:
++ - fromEntities:
++ - cluster
++ toPorts:
++ - ports:
++ {{- range .Values.deployment.envoyGateway.ports }}
++ - port: {{ printf "\"%d\"" .port }}
++ protocol: TCP
++ {{- end }}
diff --git a/diffs/helm__envoy-gateway__templates__envoy-gateway-deployment.yaml.patch b/diffs/helm__envoy-gateway__templates__envoy-gateway-deployment.yaml.patch
deleted file mode 100644
index ed35315..0000000
--- a/diffs/helm__envoy-gateway__templates__envoy-gateway-deployment.yaml.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff --git a/vendor/gateway-helm/templates/envoy-gateway-deployment.yaml b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
-index 1ee5c7f..ecc12fa 100644
---- a/vendor/gateway-helm/templates/envoy-gateway-deployment.yaml
-+++ b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
-@@ -49,7 +49,7 @@ spec:
- fieldPath: metadata.namespace
- - name: KUBERNETES_CLUSTER_DOMAIN
- value: {{ .Values.kubernetesClusterDomain }}
-- image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
-+ image: {{ printf "%s/%s" .Values.image.registry .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
- livenessProbe:
- httpGet:
-@@ -71,10 +71,13 @@ spec:
- port: 8081
- initialDelaySeconds: 5
- periodSeconds: 10
-- resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10
-- }}
-+ resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
-+ capabilities:
-+ drop:
-+ - ALL
-+ readOnlyRootFilesystem: true
- volumeMounts:
- - mountPath: /config
- name: envoy-gateway-config
-@@ -87,7 +90,11 @@ spec:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- securityContext:
-+ runAsGroup: 65534
- runAsNonRoot: true
-+ runAsUser: 65534
-+ seccompProfile:
-+ type: RuntimeDefault
- serviceAccountName: envoy-gateway
- terminationGracePeriodSeconds: 10
- volumes:
diff --git a/diffs/helm__envoy-gateway__templates__envoy-gateway-netpol.yaml.patch b/diffs/helm__envoy-gateway__templates__envoy-gateway-netpol.yaml.patch
new file mode 100644
index 0000000..0c3b2cf
--- /dev/null
+++ b/diffs/helm__envoy-gateway__templates__envoy-gateway-netpol.yaml.patch
@@ -0,0 +1,51 @@
+diff --git a/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
+new file mode 100644
+index 0000000..9d9049d
+--- /dev/null
++++ b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
+@@ -0,0 +1,45 @@
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ control-plane: envoy-gateway
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ podSelector:
++ matchLabels:
++ control-plane: envoy-gateway
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ policyTypes:
++ - Ingress
++ - Egress
++ egress:
++ - to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ k8s-app: kube-apiserver
++ - to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ k8s-app: kube-dns
++ ports:
++ - port: 53
++ protocol: UDP
++ - port: 53
++ protocol: TCP
++ ingress:
++ - ports:
++ {{- range .Values.deployment.envoyGateway.ports }}
++ - port: {{ .port }}
++ protocol: TCP
++ {{- end }}
++ from:
++ - namespaceSelector: {}
diff --git a/diffs/helm__envoy-gateway__templates__namespace.yaml.patch b/diffs/helm__envoy-gateway__templates__namespace.yaml.patch
new file mode 100644
index 0000000..aef5980
--- /dev/null
+++ b/diffs/helm__envoy-gateway__templates__namespace.yaml.patch
@@ -0,0 +1,12 @@
+diff --git a/helm/envoy-gateway/templates/namespace.yaml b/helm/envoy-gateway/templates/namespace.yaml
+new file mode 100644
+index 0000000..c68c79a
+--- /dev/null
++++ b/helm/envoy-gateway/templates/namespace.yaml
+@@ -0,0 +1,6 @@
++{{ if .Values.createNamespace }}
++apiVersion: v1
++kind: Namespace
++metadata:
++ name: '{{ .Values.namespace }}'
++{{ end }}
diff --git a/diffs/helm__envoy-gateway__values.schema.json.patch b/diffs/helm__envoy-gateway__values.schema.json.patch
index fbfcc4e..c4fa2f8 100644
--- a/diffs/helm__envoy-gateway__values.schema.json.patch
+++ b/diffs/helm__envoy-gateway__values.schema.json.patch
@@ -1,9 +1,9 @@
diff --git a/helm/envoy-gateway/values.schema.json b/helm/envoy-gateway/values.schema.json
new file mode 100644
-index 0000000..f04b004
+index 0000000..ca9733c
--- /dev/null
+++ b/helm/envoy-gateway/values.schema.json
-@@ -0,0 +1,206 @@
+@@ -0,0 +1,362 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
@@ -14,9 +14,15 @@ index 0000000..f04b004
+ "job": {
+ "type": "object",
+ "properties": {
++ "affinity": {
++ "type": "object"
++ },
+ "annotations": {
+ "type": "object"
+ },
++ "nodeSelector": {
++ "type": "object"
++ },
+ "resources": {
+ "type": "object",
+ "properties": {
@@ -41,6 +47,51 @@ index 0000000..f04b004
+ }
+ }
+ },
++ "securityContext": {
++ "type": "object",
++ "properties": {
++ "allowPrivilegeEscalation": {
++ "type": "boolean"
++ },
++ "capabilities": {
++ "type": "object",
++ "properties": {
++ "drop": {
++ "type": "array",
++ "items": {
++ "type": "string"
++ }
++ }
++ }
++ },
++ "privileged": {
++ "type": "boolean"
++ },
++ "readOnlyRootFilesystem": {
++ "type": "boolean"
++ },
++ "runAsGroup": {
++ "type": "integer"
++ },
++ "runAsNonRoot": {
++ "type": "boolean"
++ },
++ "runAsUser": {
++ "type": "integer"
++ },
++ "seccompProfile": {
++ "type": "object",
++ "properties": {
++ "type": {
++ "type": "string"
++ }
++ }
++ }
++ }
++ },
++ "tolerations": {
++ "type": "array"
++ },
+ "ttlSecondsAfterFinished": {
+ "type": "integer"
+ }
@@ -130,9 +181,6 @@ index 0000000..f04b004
+ "limits": {
+ "type": "object",
+ "properties": {
-+ "cpu": {
-+ "type": "string"
-+ },
+ "memory": {
+ "type": "string"
+ }
@@ -150,6 +198,48 @@ index 0000000..f04b004
+ }
+ }
+ }
++ },
++ "securityContext": {
++ "type": "object",
++ "properties": {
++ "allowPrivilegeEscalation": {
++ "type": "boolean"
++ },
++ "capabilities": {
++ "type": "object",
++ "properties": {
++ "drop": {
++ "type": "array",
++ "items": {
++ "type": "string"
++ }
++ }
++ }
++ },
++ "privileged": {
++ "type": "boolean"
++ },
++ "runAsGroup": {
++ "type": "integer"
++ },
++ "runAsNonRoot": {
++ "type": "boolean"
++ },
++ "runAsUser": {
++ "type": "integer"
++ },
++ "readOnlyRootFilesystem": {
++ "type": "boolean"
++ },
++ "seccompProfile": {
++ "type": "object",
++ "properties": {
++ "type": {
++ "type": "string"
++ }
++ }
++ }
++ }
+ }
+ }
+ },
@@ -160,10 +250,27 @@ index 0000000..f04b004
+ "type": "object"
+ },
+ "annotations": {
-+ "type": "object"
++ "type": "object",
++ "properties": {
++ "prometheus.io/port": {
++ "type": "string"
++ },
++ "prometheus.io/scrape": {
++ "type": "string"
++ }
++ }
+ },
+ "labels": {
+ "type": "object"
++ },
++ "nodeSelector": {
++ "type": "object"
++ },
++ "tolerations": {
++ "type": "array"
++ },
++ "topologySpreadConstraints": {
++ "type": "array"
+ }
+ }
+ },
@@ -184,16 +291,49 @@ index 0000000..f04b004
+ }
+ }
+ },
++ "priorityClassName": {
++ "type": "null"
++ },
+ "replicas": {
+ "type": "integer"
+ }
+ }
+ },
-+ "envoyGatewayMetricsService": {
++ "global": {
+ "type": "object",
+ "properties": {
-+ "port": {
-+ "type": "integer"
++ "images": {
++ "type": "object",
++ "properties": {
++ "envoyGateway": {
++ "type": "object",
++ "properties": {
++ "image": {
++ "type": "string"
++ },
++ "pullPolicy": {
++ "type": "string"
++ },
++ "pullSecrets": {
++ "type": "array"
++ }
++ }
++ },
++ "ratelimit": {
++ "type": "object",
++ "properties": {
++ "image": {
++ "type": "string"
++ },
++ "pullPolicy": {
++ "type": "string"
++ },
++ "pullSecrets": {
++ "type": "array"
++ }
++ }
++ }
++ }
+ }
+ }
+ },
@@ -207,6 +347,22 @@ index 0000000..f04b004
+ },
+ "kubernetesClusterDomain": {
+ "type": "string"
++ },
++ "podDisruptionBudget": {
++ "type": "object",
++ "properties": {
++ "minAvailable": {
++ "type": "integer"
++ }
++ }
++ },
++ "service": {
++ "type": "object",
++ "properties": {
++ "annotations": {
++ "type": "object"
++ }
++ }
+ }
+ }
+}
diff --git a/diffs/helm__envoy-gateway__values.yaml.patch b/diffs/helm__envoy-gateway__values.yaml.patch
index 1b23cf3..e9f3718 100644
--- a/diffs/helm__envoy-gateway__values.yaml.patch
+++ b/diffs/helm__envoy-gateway__values.yaml.patch
@@ -1,20 +1,47 @@
diff --git a/vendor/gateway-helm/values.yaml b/helm/envoy-gateway/values.yaml
-index 5ae25f3..a721781 100644
+index 56cf308..b81476e 100644
--- a/vendor/gateway-helm/values.yaml
+++ b/helm/envoy-gateway/values.yaml
-@@ -1,7 +1,10 @@
+@@ -18,15 +18,24 @@ global:
+ pullPolicy: IfNotPresent
+ # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+ pullSecrets: []
++
++name: envoy-gateway
++namespace: envoy-gateway-system
++serviceType: managed
++
+ podDisruptionBudget:
+ minAvailable: 0
+ # maxUnavailable: 1
+
+image:
+ registry: gsoci.azurecr.io
++ repository: giantswarm
+
deployment:
envoyGateway:
image:
-- repository: docker.io/envoyproxy/gateway
+- repository: ""
+- tag: ""
+ name: envoyproxy-gateway
- tag: 'v1.0.2'
- imagePullPolicy: Always
++ tag: 'v1.2.1'
+ imagePullPolicy: ""
imagePullSecrets: []
-@@ -45,7 +48,12 @@ kubernetesClusterDomain: cluster.local
+ resources:
+@@ -44,6 +53,7 @@ deployment:
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
++ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ ports:
+@@ -88,11 +98,15 @@ createNamespace: false
+
+ kubernetesClusterDomain: cluster.local
+
+-# -- Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected.
certgen:
job:
annotations: {}
@@ -25,6 +52,6 @@ index 5ae25f3..a721781 100644
+ memory: 100Mi
+ limits:
+ memory: 500Mi
- ttlSecondsAfterFinished: 0
- rbac:
- annotations: {}
+ affinity: {}
+ tolerations: []
+ nodeSelector: {}
diff --git a/helm/envoy-gateway/README.md b/helm/envoy-gateway/README.md
index 901fcf4..1bbdc66 100644
--- a/helm/envoy-gateway/README.md
+++ b/helm/envoy-gateway/README.md
@@ -50,11 +50,22 @@ To uninstall the chart:
| Key | Type | Default | Description |
|-----|------|---------|-------------|
+| certgen.job.affinity | object | `{}` | |
| certgen.job.annotations | object | `{}` | |
+| certgen.job.nodeSelector | object | `{}` | |
| certgen.job.resources.limits.memory | string | `"500Mi"` | |
| certgen.job.resources.requests.cpu | string | `"50m"` | |
| certgen.job.resources.requests.memory | string | `"100Mi"` | |
-| certgen.job.ttlSecondsAfterFinished | int | `0` | |
+| certgen.job.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| certgen.job.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| certgen.job.securityContext.privileged | bool | `false` | |
+| certgen.job.securityContext.readOnlyRootFilesystem | bool | `true` | |
+| certgen.job.securityContext.runAsGroup | int | `65534` | |
+| certgen.job.securityContext.runAsNonRoot | bool | `true` | |
+| certgen.job.securityContext.runAsUser | int | `65534` | |
+| certgen.job.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| certgen.job.tolerations | list | `[]` | |
+| certgen.job.ttlSecondsAfterFinished | int | `30` | |
| certgen.rbac.annotations | object | `{}` | |
| certgen.rbac.labels | object | `{}` | |
| config.envoyGateway.gateway.controllerName | string | `"gateway.envoyproxy.io/gatewayclass-controller"` | |
@@ -62,26 +73,55 @@ To uninstall the chart:
| config.envoyGateway.provider.type | string | `"Kubernetes"` | |
| createNamespace | bool | `false` | |
| deployment.envoyGateway.image.name | string | `"envoyproxy-gateway"` | |
-| deployment.envoyGateway.image.tag | string | `"v1.0.2"` | |
-| deployment.envoyGateway.imagePullPolicy | string | `"Always"` | |
+| deployment.envoyGateway.image.tag | string | `"v1.2.1"` | |
+| deployment.envoyGateway.imagePullPolicy | string | `""` | |
| deployment.envoyGateway.imagePullSecrets | list | `[]` | |
-| deployment.envoyGateway.resources.limits.cpu | string | `"500m"` | |
| deployment.envoyGateway.resources.limits.memory | string | `"1024Mi"` | |
| deployment.envoyGateway.resources.requests.cpu | string | `"100m"` | |
| deployment.envoyGateway.resources.requests.memory | string | `"256Mi"` | |
+| deployment.envoyGateway.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| deployment.envoyGateway.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| deployment.envoyGateway.securityContext.privileged | bool | `false` | |
+| deployment.envoyGateway.securityContext.readOnlyRootFilesystem | bool | `true` | |
+| deployment.envoyGateway.securityContext.runAsGroup | int | `65532` | |
+| deployment.envoyGateway.securityContext.runAsNonRoot | bool | `true` | |
+| deployment.envoyGateway.securityContext.runAsUser | int | `65532` | |
+| deployment.envoyGateway.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| deployment.pod.affinity | object | `{}` | |
-| deployment.pod.annotations | object | `{}` | |
+| deployment.pod.annotations."prometheus.io/port" | string | `"19001"` | |
+| deployment.pod.annotations."prometheus.io/scrape" | string | `"true"` | |
| deployment.pod.labels | object | `{}` | |
+| deployment.pod.nodeSelector | object | `{}` | |
+| deployment.pod.tolerations | list | `[]` | |
+| deployment.pod.topologySpreadConstraints | list | `[]` | |
| deployment.ports[0].name | string | `"grpc"` | |
| deployment.ports[0].port | int | `18000` | |
| deployment.ports[0].targetPort | int | `18000` | |
| deployment.ports[1].name | string | `"ratelimit"` | |
| deployment.ports[1].port | int | `18001` | |
| deployment.ports[1].targetPort | int | `18001` | |
+| deployment.ports[2].name | string | `"wasm"` | |
+| deployment.ports[2].port | int | `18002` | |
+| deployment.ports[2].targetPort | int | `18002` | |
+| deployment.ports[3].name | string | `"metrics"` | |
+| deployment.ports[3].port | int | `19001` | |
+| deployment.ports[3].targetPort | int | `19001` | |
+| deployment.priorityClassName | string | `nil` | |
| deployment.replicas | int | `1` | |
-| envoyGatewayMetricsService.port | int | `19001` | |
+| global.images.envoyGateway.image | string | `"docker.io/envoyproxy/gateway:v1.2.1"` | |
+| global.images.envoyGateway.pullPolicy | string | `"IfNotPresent"` | |
+| global.images.envoyGateway.pullSecrets | list | `[]` | |
+| global.images.ratelimit.image | string | `"docker.io/envoyproxy/ratelimit:master"` | |
+| global.images.ratelimit.pullPolicy | string | `"IfNotPresent"` | |
+| global.images.ratelimit.pullSecrets | list | `[]` | |
| image.registry | string | `"gsoci.azurecr.io"` | |
+| image.repository | string | `"giantswarm"` | |
| kubernetesClusterDomain | string | `"cluster.local"` | |
+| name | string | `"envoy-gateway"` | |
+| namespace | string | `"envoy-gateway-system"` | |
+| podDisruptionBudget.minAvailable | int | `0` | |
+| service.annotations | object | `{}` | |
+| serviceType | string | `"managed"` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/helm/envoy-gateway/crds/gatewayapi-crds.yaml b/helm/envoy-gateway/crds/gatewayapi-crds.yaml
index bbb71f1..5759595 100644
--- a/helm/envoy-gateway/crds/gatewayapi-crds.yaml
+++ b/helm/envoy-gateway/crds/gatewayapi-crds.yaml
@@ -1,4 +1,4 @@
-# Copyright 2023 The Kubernetes Authors.
+# Copyright 2024 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,30 +17,30 @@
#
---
#
-# config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
+# config/crd/experimental/gateway.networking.k8s.io_backendlbpolicies.yaml
#
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
labels:
gateway.networking.k8s.io/policy: Direct
- name: backendtlspolicies.gateway.networking.k8s.io
+ name: backendlbpolicies.gateway.networking.k8s.io
spec:
group: gateway.networking.k8s.io
names:
categories:
- gateway-api
- kind: BackendTLSPolicy
- listKind: BackendTLSPolicyList
- plural: backendtlspolicies
+ kind: BackendLBPolicy
+ listKind: BackendLBPolicyList
+ plural: backendlbpolicies
shortNames:
- - btlspolicy
- singular: backendtlspolicy
+ - blbpolicy
+ singular: backendlbpolicy
scope: Namespaced
versions:
- additionalPrinterColumns:
@@ -50,109 +50,660 @@ spec:
name: v1alpha2
schema:
openAPIV3Schema:
- description: BackendTLSPolicy provides a way to configure how a Gateway connects
- to a Backend via TLS.
+ description: |-
+ BackendLBPolicy provides a way to define load balancing rules
+ for a backend.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
- description: Spec defines the desired state of BackendTLSPolicy.
+ description: Spec defines the desired state of BackendLBPolicy.
properties:
- targetRef:
- description: "TargetRef identifies an API object to apply the policy
- to. Only Services have Extended support. Implementations MAY support
- additional objects, with Implementation Specific support. Note that
- this config applies to the entire referenced resource by default,
- but this default may change in the future to provide a more granular
- application of the policy. \n Support: Extended for Kubernetes Service
- \n Support: Implementation-specific for any other resource"
+ sessionPersistence:
+ description: |-
+ SessionPersistence defines and configures session persistence
+ for the backend.
+
+ Support: Extended
properties:
- group:
- description: Group is the group of the target resource.
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: Kind is kind of the target resource.
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
- name:
- description: Name is the name of the target resource.
- maxLength: 253
- minLength: 1
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
+
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
+
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
+
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
+
+ Support: Core for "Session" type
+
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
- namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
+
+ Support: Implementation-specific
+ maxLength: 128
type: string
- sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
+
+ Support: Core for "Cookie" type
+
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
type: string
- required:
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
+ targetRefs:
+ description: |-
+ TargetRef identifies an API object to apply policy to.
+ Currently, Backends (i.e. Service, ServiceImport, or any
+ implementation-specific backendRef) are the only valid API
+ target references.
+ items:
+ description: |-
+ LocalPolicyTargetReference identifies an API object to apply a direct or
+ inherited policy to. This should be used as part of Policy resources
+ that can target Gateway API resources. For more information on how this
+ policy attachment model works, and a sample Policy resource, refer to
+ the policy attachment documentation for Gateway API.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
- group
- kind
- name
+ x-kubernetes-list-type: map
+ required:
+ - targetRefs
+ type: object
+ status:
+ description: Status defines the current state of BackendLBPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
+---
+#
+# config/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml
+#
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
+ gateway.networking.k8s.io/channel: experimental
+ creationTimestamp: null
+ labels:
+ gateway.networking.k8s.io/policy: Direct
+ name: backendtlspolicies.gateway.networking.k8s.io
+spec:
+ group: gateway.networking.k8s.io
+ names:
+ categories:
+ - gateway-api
+ kind: BackendTLSPolicy
+ listKind: BackendTLSPolicyList
+ plural: backendtlspolicies
+ shortNames:
+ - btlspolicy
+ singular: backendtlspolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha3
+ schema:
+ openAPIV3Schema:
+ description: |-
+ BackendTLSPolicy provides a way to configure how a Gateway
+ connects to a Backend via TLS.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of BackendTLSPolicy.
+ properties:
+ options:
+ additionalProperties:
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
+ maxLength: 4096
+ minLength: 0
+ type: string
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
+ maxProperties: 16
type: object
- tls:
- description: TLS contains backend TLS policy configuration.
+ targetRefs:
+ description: |-
+ TargetRefs identifies an API object to apply the policy to.
+ Only Services have Extended support. Implementations MAY support
+ additional objects, with Implementation Specific support.
+ Note that this config applies to the entire referenced resource
+ by default, but this default may change in the future to provide
+ a more granular application of the policy.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ validation:
+ description: Validation contains backend TLS validation configuration.
properties:
- caCertRefs:
- description: "CACertRefs contains one or more references to Kubernetes
- objects that contain a PEM-encoded TLS CA certificate bundle,
- which is used to validate a TLS handshake between the Gateway
- and backend Pod. \n If CACertRefs is empty or unspecified, then
- WellKnownCACerts must be specified. Only one of CACertRefs or
- WellKnownCACerts may be specified, not both. If CACertRefs is
- empty or unspecified, the configuration for WellKnownCACerts
- MUST be honored instead. \n References to a resource in a different
- namespace are invalid for the moment, although we will revisit
- this in the future. \n A single CACertRef to a Kubernetes ConfigMap
- kind has \"Core\" support. Implementations MAY choose to support
- attaching multiple certificates to a backend, but this behavior
- is implementation-specific. \n Support: Core - An optional single
- reference to a Kubernetes ConfigMap, with the CA certificate
- in a key named `ca.crt`. \n Support: Implementation-specific
- (More than one reference, or other kinds of resources)."
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to Kubernetes objects that
+ contain a PEM-encoded TLS CA certificate bundle, which is used to
+ validate a TLS handshake between the Gateway and backend Pod.
+
+ If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be
+ specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified,
+ not both. If CACertifcateRefs is empty or unspecified, the configuration for
+ WellKnownCACertificates MUST be honored instead if supported by the implementation.
+
+ References to a resource in a different namespace are invalid for the
+ moment, although we will revisit this in the future.
+
+ A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a backend, but this behavior is implementation-specific.
+
+ Support: Core - An optional single reference to a Kubernetes ConfigMap,
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one reference, or other kinds
+ of resources).
items:
- description: "LocalObjectReference identifies an API object
- within the namespace of the referrer. The API object must
- be valid in the cluster; the Group and Kind must be registered
- in the cluster for this reference to be valid. \n References
- to objects with invalid Group and Kind are not valid, and
- must be rejected by the implementation, with appropriate Conditions
- set on the containing object."
+ description: |-
+ LocalObjectReference identifies an API object within the namespace of the
+ referrer.
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
properties:
group:
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -176,22 +727,96 @@ spec:
maxItems: 8
type: array
hostname:
- description: "Hostname is used for two purposes in the connection
- between Gateways and backends: \n 1. Hostname MUST be used as
- the SNI to connect to the backend (RFC 6066). 2. Hostname MUST
- be used for authentication and MUST match the certificate served
- by the matching backend. \n Support: Core"
+ description: |-
+ Hostname is used for two purposes in the connection between Gateways and
+ backends:
+
+ 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
+ 2. If SubjectAltNames is not specified, Hostname MUST be used for
+ authentication and MUST match the certificate served by the matching
+ backend.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
- wellKnownCACerts:
- description: "WellKnownCACerts specifies whether system CA certificates
- may be used in the TLS handshake between the gateway and backend
- pod. \n If WellKnownCACerts is unspecified or empty (\"\"),
- then CACertRefs must be specified with at least one entry for
- a valid configuration. Only one of CACertRefs or WellKnownCACerts
- may be specified, not both. \n Support: Core for \"System\""
+ subjectAltNames:
+ description: |-
+ SubjectAltNames contains one or more Subject Alternative Names.
+ When specified, the certificate served from the backend MUST have at least one
+ Subject Alternate Name matching one of the specified SubjectAltNames.
+
+ Support: Core
+ items:
+ description: SubjectAltName represents Subject Alternative Name.
+ properties:
+ hostname:
+ description: |-
+ Hostname contains Subject Alternative Name specified in DNS name format.
+ Required when Type is set to Hostname, ignored otherwise.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ type:
+ description: |-
+ Type determines the format of the Subject Alternative Name. Always required.
+
+ Support: Core
+ enum:
+ - Hostname
+ - URI
+ type: string
+ uri:
+ description: |-
+ URI contains Subject Alternative Name specified in a full URI format.
+ It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part.
+ Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa".
+ Required when Type is set to URI, ignored otherwise.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: SubjectAltName element must contain Hostname, if
+ Type is set to Hostname
+ rule: '!(self.type == "Hostname" && (!has(self.hostname) ||
+ self.hostname == ""))'
+ - message: SubjectAltName element must not contain Hostname,
+ if Type is not set to Hostname
+ rule: '!(self.type != "Hostname" && has(self.hostname) &&
+ self.hostname != "")'
+ - message: SubjectAltName element must contain URI, if Type
+ is set to URI
+ rule: '!(self.type == "URI" && (!has(self.uri) || self.uri
+ == ""))'
+ - message: SubjectAltName element must not contain URI, if Type
+ is not set to URI
+ rule: '!(self.type != "URI" && has(self.uri) && self.uri !=
+ "")'
+ maxItems: 5
+ type: array
+ wellKnownCACertificates:
+ description: |-
+ WellKnownCACertificates specifies whether system CA certificates may be used in
+ the TLS handshake between the gateway and backend pod.
+
+ If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs
+ must be specified with at least one entry for a valid configuration. Only one of
+ CACertificateRefs or WellKnownCACertificates may be specified, not both. If an
+ implementation does not support the WellKnownCACertificates field or the value
+ supplied is not supported, the Status Conditions on the Policy MUST be
+ updated to include an Accepted: False Condition with Reason: Invalid.
+
+ Support: Implementation-specific
enum:
- System
type: string
@@ -199,183 +824,215 @@ spec:
- hostname
type: object
x-kubernetes-validations:
- - message: must not contain both CACertRefs and WellKnownCACerts
- rule: '!(has(self.caCertRefs) && size(self.caCertRefs) > 0 && has(self.wellKnownCACerts)
- && self.wellKnownCACerts != "")'
- - message: must specify either CACertRefs or WellKnownCACerts
- rule: (has(self.caCertRefs) && size(self.caCertRefs) > 0 || has(self.wellKnownCACerts)
- && self.wellKnownCACerts != "")
+ - message: must not contain both CACertificateRefs and WellKnownCACertificates
+ rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")'
+ - message: must specify either CACertificateRefs or WellKnownCACertificates
+ rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs)
+ > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates
+ != "")
required:
- - targetRef
- - tls
+ - targetRefs
+ - validation
type: object
status:
description: Status defines the current state of BackendTLSPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
- the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any
- namespace to the Service. \n ParentRefs from a Route to
- a Service in a different namespace are \"consumer\" routes,
- and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for
- which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n When the parent resource is
- a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are
- specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
- to support other parent resources. Implementations supporting
- other types of parent resources MUST clearly document
- how/if Port is interpreted. \n For the purpose of status,
- an attachment is considered successful as long as the
- parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them
- by Route kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing Route,
- the Route MUST be considered successfully attached. If
- no Gateway listeners accept attachment from this Route,
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
- \n Support: Extended \n "
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -387,47 +1044,36 @@ spec:
description: Conditions describes the status of the Policy with
respect to the given Ancestor.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -442,11 +1088,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -464,16 +1105,20 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
@@ -508,8 +1153,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gatewayclasses.gateway.networking.k8s.io
@@ -543,29 +1188,39 @@ spec:
name: v1
schema:
openAPIV3Schema:
- description: "GatewayClass describes a class of Gateways available to the
- user for creating Gateway resources. \n It is recommended that this resource
- be used as a template for Gateways. This means that a Gateway is based on
- the state of the GatewayClass at the time it was created and changes to
- the GatewayClass or associated parameters are not propagated down to existing
- Gateways. This recommendation is intended to limit the blast radius of changes
- to GatewayClass or associated parameters. If implementations choose to propagate
- GatewayClass changes to existing Gateways, that MUST be clearly documented
- by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
- implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io`
- finalizer on the associated GatewayClass. This ensures that a GatewayClass
- associated with a Gateway is not deleted while in use. \n GatewayClass is
- a Cluster level resource."
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -573,10 +1228,15 @@ spec:
description: Spec defines the desired state of GatewayClass.
properties:
controllerName:
- description: "ControllerName is the name of the controller that is
- managing Gateways of this class. The value of this field MUST be
- a domain prefixed path. \n Example: \"example.net/gateway-controller\".
- \n This field is not mutable and cannot be empty. \n Support: Core"
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
@@ -589,14 +1249,25 @@ spec:
maxLength: 64
type: string
parametersRef:
- description: "ParametersRef is a reference to a resource that contains
- the configuration parameters corresponding to the GatewayClass.
- This is optional if the controller does not require any additional
- configuration. \n ParametersRef can reference a standard Kubernetes
- resource, i.e. ConfigMap, or an implementation-specific custom resource.
- The resource can be cluster-scoped or namespace-scoped. \n If the
- referent cannot be found, the GatewayClass's \"InvalidParameters\"
- status condition will be true. \n Support: Implementation-specific"
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
properties:
group:
description: Group is the group of the referent.
@@ -615,9 +1286,10 @@ spec:
minLength: 1
type: string
namespace:
- description: Namespace is the namespace of the referent. This
- field is required when referring to a Namespace-scoped resource
- and MUST be unset when referring to a Cluster-scoped resource.
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -635,12 +1307,14 @@ spec:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
- reason: Waiting
+ reason: Pending
status: Unknown
type: Accepted
- description: "Status defines the current state of GatewayClass. \n Implementations
- MUST populate status on all GatewayClass resources which specify their
- controller name."
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
properties:
conditions:
default:
@@ -649,47 +1323,42 @@ spec:
reason: Pending
status: Unknown
type: Accepted
- description: "Conditions is the current status from the controller
- for this GatewayClass. \n Controllers should prefer to publish conditions
- using values of GatewayClassConditionType for the type of each Condition."
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -704,10 +1373,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -724,40 +1389,30 @@ spec:
- type
x-kubernetes-list-type: map
supportedFeatures:
- description: 'SupportedFeatures is the set of features the GatewayClass
- support. It MUST be sorted in ascending alphabetical order. '
+ description: |
+ SupportedFeatures is the set of features the GatewayClass support.
+ It MUST be sorted in ascending alphabetical order by the Name key.
items:
- description: SupportedFeature is used to describe distinct features
- that are covered by conformance tests.
- enum:
- - Gateway
- - GatewayPort8080
- - GatewayStaticAddresses
- - HTTPRoute
- - HTTPRouteDestinationPortMatching
- - HTTPRouteHostRewrite
- - HTTPRouteMethodMatching
- - HTTPRoutePathRedirect
- - HTTPRoutePathRewrite
- - HTTPRoutePortRedirect
- - HTTPRouteQueryParamMatching
- - HTTPRouteRequestMirror
- - HTTPRouteRequestMultipleMirrors
- - HTTPRouteResponseHeaderModification
- - HTTPRouteSchemeRedirect
- - Mesh
- - ReferenceGrant
- - TLSRoute
- type: string
+ properties:
+ name:
+ description: |-
+ FeatureName is used to describe distinct features that are covered by
+ conformance tests.
+ type: string
+ required:
+ - name
+ type: object
maxItems: 64
type: array
- x-kubernetes-list-type: set
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
@@ -777,29 +1432,39 @@ spec:
name: v1beta1
schema:
openAPIV3Schema:
- description: "GatewayClass describes a class of Gateways available to the
- user for creating Gateway resources. \n It is recommended that this resource
- be used as a template for Gateways. This means that a Gateway is based on
- the state of the GatewayClass at the time it was created and changes to
- the GatewayClass or associated parameters are not propagated down to existing
- Gateways. This recommendation is intended to limit the blast radius of changes
- to GatewayClass or associated parameters. If implementations choose to propagate
- GatewayClass changes to existing Gateways, that MUST be clearly documented
- by the implementation. \n Whenever one or more Gateways are using a GatewayClass,
- implementations SHOULD add the `gateway-exists-finalizer.gateway.networking.k8s.io`
- finalizer on the associated GatewayClass. This ensures that a GatewayClass
- associated with a Gateway is not deleted while in use. \n GatewayClass is
- a Cluster level resource."
+ description: |-
+ GatewayClass describes a class of Gateways available to the user for creating
+ Gateway resources.
+
+ It is recommended that this resource be used as a template for Gateways. This
+ means that a Gateway is based on the state of the GatewayClass at the time it
+ was created and changes to the GatewayClass or associated parameters are not
+ propagated down to existing Gateways. This recommendation is intended to
+ limit the blast radius of changes to GatewayClass or associated parameters.
+ If implementations choose to propagate GatewayClass changes to existing
+ Gateways, that MUST be clearly documented by the implementation.
+
+ Whenever one or more Gateways are using a GatewayClass, implementations SHOULD
+ add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the
+ associated GatewayClass. This ensures that a GatewayClass associated with a
+ Gateway is not deleted while in use.
+
+ GatewayClass is a Cluster level resource.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -807,10 +1472,15 @@ spec:
description: Spec defines the desired state of GatewayClass.
properties:
controllerName:
- description: "ControllerName is the name of the controller that is
- managing Gateways of this class. The value of this field MUST be
- a domain prefixed path. \n Example: \"example.net/gateway-controller\".
- \n This field is not mutable and cannot be empty. \n Support: Core"
+ description: |-
+ ControllerName is the name of the controller that is managing Gateways of
+ this class. The value of this field MUST be a domain prefixed path.
+
+ Example: "example.net/gateway-controller".
+
+ This field is not mutable and cannot be empty.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
@@ -823,14 +1493,25 @@ spec:
maxLength: 64
type: string
parametersRef:
- description: "ParametersRef is a reference to a resource that contains
- the configuration parameters corresponding to the GatewayClass.
- This is optional if the controller does not require any additional
- configuration. \n ParametersRef can reference a standard Kubernetes
- resource, i.e. ConfigMap, or an implementation-specific custom resource.
- The resource can be cluster-scoped or namespace-scoped. \n If the
- referent cannot be found, the GatewayClass's \"InvalidParameters\"
- status condition will be true. \n Support: Implementation-specific"
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the GatewayClass. This is optional if the
+ controller does not require any additional configuration.
+
+ ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap,
+ or an implementation-specific custom resource. The resource can be
+ cluster-scoped or namespace-scoped.
+
+ If the referent cannot be found, refers to an unsupported kind, or when
+ the data within that resource is malformed, the GatewayClass SHOULD be
+ rejected with the "Accepted" status condition set to "False" and an
+ "InvalidParameters" reason.
+
+ A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
properties:
group:
description: Group is the group of the referent.
@@ -849,9 +1530,10 @@ spec:
minLength: 1
type: string
namespace:
- description: Namespace is the namespace of the referent. This
- field is required when referring to a Namespace-scoped resource
- and MUST be unset when referring to a Cluster-scoped resource.
+ description: |-
+ Namespace is the namespace of the referent.
+ This field is required when referring to a Namespace-scoped resource and
+ MUST be unset when referring to a Cluster-scoped resource.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -869,12 +1551,14 @@ spec:
conditions:
- lastTransitionTime: "1970-01-01T00:00:00Z"
message: Waiting for controller
- reason: Waiting
+ reason: Pending
status: Unknown
type: Accepted
- description: "Status defines the current state of GatewayClass. \n Implementations
- MUST populate status on all GatewayClass resources which specify their
- controller name."
+ description: |-
+ Status defines the current state of GatewayClass.
+
+ Implementations MUST populate status on all GatewayClass resources which
+ specify their controller name.
properties:
conditions:
default:
@@ -883,47 +1567,42 @@ spec:
reason: Pending
status: Unknown
type: Accepted
- description: "Conditions is the current status from the controller
- for this GatewayClass. \n Controllers should prefer to publish conditions
- using values of GatewayClassConditionType for the type of each Condition."
+ description: |-
+ Conditions is the current status from the controller for
+ this GatewayClass.
+
+ Controllers should prefer to publish conditions using values
+ of GatewayClassConditionType for the type of each Condition.
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -938,10 +1617,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -958,40 +1633,30 @@ spec:
- type
x-kubernetes-list-type: map
supportedFeatures:
- description: 'SupportedFeatures is the set of features the GatewayClass
- support. It MUST be sorted in ascending alphabetical order. '
+ description: |
+ SupportedFeatures is the set of features the GatewayClass support.
+ It MUST be sorted in ascending alphabetical order by the Name key.
items:
- description: SupportedFeature is used to describe distinct features
- that are covered by conformance tests.
- enum:
- - Gateway
- - GatewayPort8080
- - GatewayStaticAddresses
- - HTTPRoute
- - HTTPRouteDestinationPortMatching
- - HTTPRouteHostRewrite
- - HTTPRouteMethodMatching
- - HTTPRoutePathRedirect
- - HTTPRoutePathRewrite
- - HTTPRoutePortRedirect
- - HTTPRouteQueryParamMatching
- - HTTPRouteRequestMirror
- - HTTPRouteRequestMultipleMirrors
- - HTTPRouteResponseHeaderModification
- - HTTPRouteSchemeRedirect
- - Mesh
- - ReferenceGrant
- - TLSRoute
- type: string
+ properties:
+ name:
+ description: |-
+ FeatureName is used to describe distinct features that are covered by
+ conformance tests.
+ type: string
+ required:
+ - name
+ type: object
maxItems: 64
type: array
- x-kubernetes-list-type: set
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
type: object
required:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
status:
@@ -1008,8 +1673,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: gateways.gateway.networking.k8s.io
@@ -1042,18 +1707,24 @@ spec:
name: v1
schema:
openAPIV3Schema:
- description: Gateway represents an instance of a service-traffic handling
- infrastructure by binding Listeners to a set of IP addresses.
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1061,20 +1732,28 @@ spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
- description: "Addresses requested for this Gateway. This is optional
- and behavior can depend on the implementation. If a value is set
- in the spec and the requested address is invalid or unavailable,
- the implementation MUST indicate this in the associated entry in
- GatewayStatus.Addresses. \n The Addresses field represents a request
- for the address(es) on the \"outside of the Gateway\", that traffic
- bound for this Gateway will use. This could be the IP address or
- hostname of an external load balancer or other networking infrastructure,
- or some other address that traffic will be sent to. \n If no Addresses
- are specified, the implementation MAY schedule the Gateway in an
- implementation-specific manner, assigning an appropriate set of
- Addresses. \n The implementation MUST bind all Listeners to every
- GatewayAddress that it assigns to the Gateway and add a corresponding
- entry in GatewayStatus.Addresses. \n Support: Extended \n "
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
@@ -1101,9 +1780,11 @@ spec:
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
- description: "Value of the address. The validity of the values
- will depend on the type and support by the controller. \n
- Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
maxLength: 253
minLength: 1
type: string
@@ -1124,180 +1805,357 @@ spec:
- message: Hostname values must be unique
rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
+ backendTLS:
+ description: |+
+ BackendTLS configures TLS settings for when this Gateway is connecting to
+ backends with TLS.
+
+ Support: Core
+
+ properties:
+ clientCertificateRef:
+ description: |+
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ This setting can be overridden on the service level by use of BackendTLSPolicy.
+
+ Support: Core
+
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ type: object
gatewayClassName:
- description: GatewayClassName used for this Gateway. This is the name
- of a GatewayClass resource.
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
maxLength: 253
minLength: 1
type: string
infrastructure:
- description: "Infrastructure defines infrastructure level attributes
- about this Gateway instance. \n Support: Core \n "
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
properties:
annotations:
additionalProperties:
- description: AnnotationValue is the value of an annotation in
- Gateway API. This is used for validation of maps such as TLS
- options. This roughly matches Kubernetes annotation validation,
- although the length validation in that case is based on the
- entire size of the annotations struct.
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
- description: "Annotations that SHOULD be applied to any resources
- created in response to this Gateway. \n For implementations
- creating other Kubernetes objects, this should be the `metadata.annotations`
- field on resources. For other implementations, this refers to
- any relevant (implementation specific) \"annotations\" concepts.
- \n An implementation may chose to add additional implementation-specific
- annotations as they see fit. \n Support: Extended"
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
maxProperties: 8
type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
labels:
additionalProperties:
- description: AnnotationValue is the value of an annotation in
- Gateway API. This is used for validation of maps such as TLS
- options. This roughly matches Kubernetes annotation validation,
- although the length validation in that case is based on the
- entire size of the annotations struct.
- maxLength: 4096
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
type: string
- description: "Labels that SHOULD be applied to any resources created
- in response to this Gateway. \n For implementations creating
- other Kubernetes objects, this should be the `metadata.labels`
- field on resources. For other implementations, this refers to
- any relevant (implementation specific) \"labels\" concepts.
- \n An implementation may chose to add additional implementation-specific
- labels as they see fit. \n Support: Extended"
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
maxProperties: 8
type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
type: object
listeners:
- description: "Listeners associated with this Gateway. Listeners define
- logical endpoints that are bound on this Gateway's addresses. At
- least one Listener MUST be specified. \n Each Listener in a set
- of Listeners (for example, in a single Gateway) MUST be _distinct_,
- in that a traffic flow MUST be able to be assigned to exactly one
- listener. (This section uses \"set of Listeners\" rather than \"Listeners
- in a single Gateway\" because implementations MAY merge configuration
- from multiple Gateways onto a single data plane, and these rules
- _also_ apply in that case). \n Practically, this means that each
- listener in a set MUST have a unique combination of Port, Protocol,
- and, if supported by the protocol, Hostname. \n Some combinations
- of port, protocol, and TLS settings are considered Core support
- and MUST be supported by implementations based on their targeted
- conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
- Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
- Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
- 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
- have the following property: \n The implementation can match inbound
- requests to a single distinct Listener. When multiple Listeners
- share values for fields (for example, two Listeners with the same
- Port value), the implementation can match requests to only one of
- the Listeners using other Listener fields. \n For example, the following
- Listener scenarios are distinct: \n 1. Multiple Listeners with the
- same Port that all use the \"HTTP\" Protocol that all have unique
- Hostname values. 2. Multiple Listeners with the same Port that use
- either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
- values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
- where no Listener with the same Protocol has the same Port value.
- \n Some fields in the Listener struct have possible values that
- affect whether the Listener is distinct. Hostname is particularly
- relevant for HTTP or HTTPS protocols. \n When using the Hostname
- value to select between same-Port, same-Protocol Listeners, the
- Hostname value must be different on each Listener for the Listener
- to be distinct. \n When the Listeners are distinct based on Hostname,
- inbound request hostnames MUST match from the most specific to least
- specific Hostname values to choose the correct Listener and its
- associated set of Routes. \n Exact matches must be processed before
- wildcard matches, and wildcard matches must be processed before
- fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
- takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
- takes precedence over `\"\"`. \n Additionally, if there are multiple
- wildcard entries, more specific wildcard entries must be processed
- before less specific wildcard entries. For example, `\"*.foo.example.com\"`
- takes precedence over `\"*.example.com\"`. The precise definition
- here is that the higher the number of dots in the hostname to the
- right of the wildcard character, the higher the precedence. \n The
- wildcard character will match any number of characters _and dots_
- to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
- _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
- that are not distinct, then those Listeners are Conflicted, and
- the implementation MUST set the \"Conflicted\" condition in the
- Listener Status to \"True\". \n Implementations MAY choose to accept
- a Gateway with some Conflicted Listeners only if they only accept
- the partial Listener set that contains no Conflicted Listeners.
- To put this another way, implementations may accept a partial Listener
- set only if they throw out *all* the conflicting Listeners. No picking
- one of the conflicting listeners as the winner. This also means
- that the Gateway must have at least one non-conflicting Listener
- in this case, otherwise it violates the requirement that at least
- one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
- condition on the Gateway Status when the Gateway contains Conflicted
- Listeners whether or not they accept the Gateway. That Condition
- SHOULD clearly indicate in the Message which Listeners are conflicted,
- and which are Accepted. Additionally, the Listener status for those
- listeners SHOULD indicate which Listeners are conflicted and not
- Accepted. \n A Gateway's Listeners are considered \"compatible\"
- if: \n 1. They are distinct. 2. The implementation can serve them
- in compliance with the Addresses requirement that all Listeners
- are available on all assigned addresses. \n Compatible combinations
- in Extended support are expected to vary across implementations.
- A combination that is compatible for one implementation may not
- be compatible for another. \n For example, an implementation that
- cannot serve both TCP and UDP listeners on the same address, or
- cannot mix HTTPS and generic TLS listens on the same port would
- not consider those cases compatible, even though they are distinct.
- \n Note that requests SHOULD match at most one Listener. For example,
- if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
- a request to \"foo.example.com\" SHOULD only be routed using routes
- attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
- Listener). This concept is known as \"Listener Isolation\". Implementations
- that do not support Listener Isolation MUST clearly document this.
- \n Implementations MAY merge separate Gateways onto a single set
- of Addresses if all Listeners across all Gateways are compatible.
- \n Support: Core"
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
items:
- description: Listener embodies the concept of a logical endpoint
- where a Gateway accepts network connections.
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
properties:
allowedRoutes:
default:
namespaces:
from: Same
- description: "AllowedRoutes defines the types of routes that
- MAY be attached to a Listener and the trusted namespaces where
- those Route resources MAY be present. \n Although a client
- request may match multiple route rules, only one rule may
- ultimately receive the request. Matching precedence MUST be
- determined in order of the following criteria: \n * The most
- specific match as defined by the Route type. * The oldest
- Route based on creation timestamp. For example, a Route with
- a creation timestamp of \"2020-09-08 01:02:03\" is given precedence
- over a Route with a creation timestamp of \"2020-09-08 01:02:04\".
- * If everything else is equivalent, the Route appearing first
- in alphabetical order (namespace/name) should be given precedence.
- For example, foo/bar is given precedence over foo/baz. \n
- All valid rules within a Route attached to this Listener should
- be implemented. Invalid Route rules can be ignored (sometimes
- that will mean the full Route). If a Route rule transitions
- from valid to invalid, support for that Route rule should
- be dropped to ensure consistency. For example, even if a filter
- specified by a Route rule is invalid, the rest of the rules
- within that Route should still be supported. \n Support: Core"
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
properties:
kinds:
- description: "Kinds specifies the groups and kinds of Routes
- that are allowed to bind to this Gateway Listener. When
- unspecified or empty, the kinds of Routes selected are
- determined using the Listener protocol. \n A RouteGroupKind
- MUST correspond to kinds of Routes that are compatible
- with the application protocol specified in the Listener's
- Protocol field. If an implementation does not support
- or recognize this resource type, it MUST set the \"ResolvedRefs\"
- condition to False for this Listener with the \"InvalidRouteKinds\"
- reason. \n Support: Core"
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
items:
description: RouteGroupKind indicates the group and kind
of a Route resource.
@@ -1322,173 +2180,200 @@ spec:
namespaces:
default:
from: Same
- description: "Namespaces indicates namespaces from which
- Routes may be attached to this Listener. This is restricted
- to the namespace of this Gateway by default. \n Support:
- Core"
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
properties:
from:
default: Same
- description: "From indicates where Routes will be selected
- for this Gateway. Possible values are: \n * All: Routes
- in all namespaces may be used by this Gateway. * Selector:
- Routes in namespaces selected by the selector may
- be used by this Gateway. * Same: Only Routes in the
- same namespace may be used by this Gateway. \n Support:
- Core"
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
enum:
- All
- Selector
- Same
type: string
selector:
- description: "Selector must be specified when From is
- set to \"Selector\". In that case, only Routes in
- Namespaces matching this Selector will be selected
- by this Gateway. This field is ignored for other values
- of \"From\". \n Support: Core"
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
type: object
hostname:
- description: "Hostname specifies the virtual hostname to match
- for protocol types that define this concept. When unspecified,
- all hostnames are matched. This field is ignored for protocols
- that don't require hostname based matching. \n Implementations
- MUST apply Hostname matching appropriately for each of the
- following protocols: \n * TLS: The Listener Hostname MUST
- match the SNI. * HTTP: The Listener Hostname MUST match the
- Host header of the request. * HTTPS: The Listener Hostname
- SHOULD match at both the TLS and HTTP protocol layers as described
- above. If an implementation does not ensure that both the
- SNI and Host header match the Listener hostname, it MUST clearly
- document that. \n For HTTPRoute and TLSRoute resources, there
- is an interaction with the `spec.hostnames` array. When both
- listener and route specify hostnames, there MUST be an intersection
- between the values for a Route to be accepted. For more information,
- refer to the Route specific Hostnames documentation. \n Hostnames
- that are prefixed with a wildcard label (`*.`) are interpreted
- as a suffix match. That means that a match for `*.example.com`
- would match both `test.example.com`, and `foo.test.example.com`,
- but not `example.com`. \n Support: Core"
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
name:
- description: "Name is the name of the Listener. This name MUST
- be unique within a Gateway. \n Support: Core"
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
port:
- description: "Port is the network port. Multiple listeners may
- use the same port, subject to the Listener compatibility rules.
- \n Support: Core"
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
- description: "Protocol specifies the network protocol this listener
- expects to receive. \n Support: Core"
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
maxLength: 255
minLength: 1
- pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
type: string
tls:
- description: "TLS is the TLS configuration for the Listener.
- This field is required if the Protocol field is \"HTTPS\"
- or \"TLS\". It is invalid to set this field if the Protocol
- field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
- of SNIs to Certificate defined in GatewayTLSConfig is defined
- based on the Hostname field for this listener. \n The GatewayClass
- MUST use the longest matching SNI out of all available certificates
- for any TLS handshake. \n Support: Core"
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
properties:
certificateRefs:
- description: "CertificateRefs contains a series of references
- to Kubernetes objects that contains TLS certificates and
- private keys. These certificates are used to establish
- a TLS handshake for requests that match the hostname of
- the associated listener. \n A single CertificateRef to
- a Kubernetes Secret has \"Core\" support. Implementations
- MAY choose to support attaching multiple certificates
- to a Listener, but this behavior is implementation-specific.
- \n References to a resource in different namespace are
- invalid UNLESS there is a ReferenceGrant in the target
- namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the
- \"ResolvedRefs\" condition MUST be set to False for this
- listener with the \"RefNotPermitted\" reason. \n This
- field is required to have at least one element when the
- mode is set to \"Terminate\" (default) and is optional
- otherwise. \n CertificateRefs can reference to standard
- Kubernetes resources, i.e. Secret, or implementation-specific
- custom resources. \n Support: Core - A single reference
- to a Kubernetes Secret of type kubernetes.io/tls \n Support:
- Implementation-specific (More than one reference or other
- resource types)"
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
items:
- description: "SecretObjectReference identifies an API
- object including its namespace, defaulting to Secret.
- \n The API object must be valid in the cluster; the
- Group and Kind must be registered in the cluster for
- this reference to be valid. \n References to objects
- with invalid Group and Kind are not valid, and must
- be rejected by the implementation, with appropriate
- Conditions set on the containing object."
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
properties:
group:
default: ""
- description: Group is the group of the referent. For
- example, "gateway.networking.k8s.io". When unspecified
- or empty string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -1506,14 +2391,16 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is
- inferred. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace to
- allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -1523,49 +2410,143 @@ spec:
type: object
maxItems: 64
type: array
+ frontendValidation:
+ description: |+
+ FrontendValidation holds configuration information for validating the frontend (client).
+ Setting this field will require clients to send a client certificate
+ required for validation during the TLS handshake. In browsers this may result in a dialog appearing
+ that requests a user to specify the client certificate.
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.
+
+ Support: Extended
+
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single CA certificate reference to a Kubernetes ConfigMap
+ has "Core" support.
+ Implementations MAY choose to support attaching multiple CA certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one reference, or other kinds
+ of resources).
+
+ References to a resource in a different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+ items:
+ description: |-
+ ObjectReference identifies an API object including its namespace.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "ConfigMap" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ type: object
mode:
default: Terminate
- description: "Mode defines the TLS behavior for the TLS
- session initiated by the client. There are two possible
- modes: \n - Terminate: The TLS session between the downstream
- client and the Gateway is terminated at the Gateway. This
- mode requires certificateRefs to be set and contain at
- least one element. - Passthrough: The TLS session is NOT
- terminated by the Gateway. This implies that the Gateway
- can't decipher the TLS stream except for the ClientHello
- message of the TLS protocol. CertificateRefs field is
- ignored in this mode. \n Support: Core"
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
enum:
- Terminate
- Passthrough
type: string
options:
additionalProperties:
- description: AnnotationValue is the value of an annotation
- in Gateway API. This is used for validation of maps
- such as TLS options. This roughly matches Kubernetes
- annotation validation, although the length validation
- in that case is based on the entire size of the annotations
- struct.
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
- description: "Options are a list of key/value pairs to enable
- extended TLS configuration for each implementation. For
- example, configuring the minimum TLS version or supported
- cipher suites. \n A set of common keys MAY be defined
- by the API in the future. To avoid any ambiguity, implementation-specific
- definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
- Un-prefixed names are reserved for key names defined by
- Gateway API. \n Support: Implementation-specific"
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
maxProperties: 16
type: object
type: object
x-kubernetes-validations:
- - message: certificateRefs must be specified when TLSModeType
- is Terminate
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
- > 0 : true'
+ > 0 || size(self.options) > 0 : true'
required:
- name
- port
@@ -1578,13 +2559,13 @@ spec:
- name
x-kubernetes-list-type: map
x-kubernetes-validations:
- - message: tls must be specified for protocols ['HTTPS', 'TLS']
- rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ? has(l.tls)
- : true)'
- message: tls must not be specified for protocols ['HTTP', 'TCP',
'UDP']
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
!has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
|| l.hostname == '''') : true)'
@@ -1615,12 +2596,17 @@ spec:
description: Status defines the current state of Gateway.
properties:
addresses:
- description: "Addresses lists the network addresses that have been
- bound to the Gateway. \n This list may differ from the addresses
- provided in the spec under some conditions: \n * no addresses are
- specified, all addresses are dynamically assigned * a combination
- of specified and dynamic addresses are assigned * a specified address
- was unusable (e.g. already in use) \n "
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
items:
description: GatewayStatusAddress describes a network address that
is bound to a Gateway.
@@ -1647,9 +2633,11 @@ spec:
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
- description: "Value of the address. The validity of the values
- will depend on the type and support by the controller. \n
- Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
maxLength: 253
minLength: 1
type: string
@@ -1675,50 +2663,49 @@ spec:
reason: Pending
status: Unknown
type: Programmed
- description: "Conditions describe the current conditions of the Gateway.
- \n Implementations should prefer to express Gateway conditions using
- the `GatewayConditionType` and `GatewayConditionReason` constants
- so that operators and tools can converge on a common vocabulary
- to describe Gateway state. \n Known condition types are: \n * \"Accepted\"
- * \"Programmed\" * \"Ready\""
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -1733,10 +2720,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1759,70 +2742,60 @@ spec:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
- description: "AttachedRoutes represents the total number of
- Routes that have been successfully attached to this Listener.
- \n Successful attachment of a Route to a Listener is based
- solely on the combination of the AllowedRoutes field on the
- corresponding Listener and the Route's ParentRefs field. A
- Route is successfully attached to a Listener when it is selected
- by the Listener's AllowedRoutes field AND the Route has a
- valid ParentRef selecting the whole Gateway resource or a
- specific Listener as a parent resource (more detail on attachment
- semantics can be found in the documentation on the various
- Route kinds ParentRefs fields). Listener or Route status does
- not impact successful attachment, i.e. the AttachedRoutes
- field count MUST be set for Listeners with condition Accepted:
- false and MUST count successfully attached Routes that may
- themselves have Accepted: false conditions. \n Uses for this
- field include troubleshooting Route attachment and measuring
- blast radius/impact of changes to a Listener."
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
format: int32
type: integer
conditions:
description: Conditions describe the current condition of this
listener.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -1837,11 +2810,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1865,15 +2833,16 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
supportedKinds:
- description: "SupportedKinds is the list indicating the Kinds
- supported by this listener. This MUST represent the kinds
- an implementation supports for that Listener configuration.
- \n If kinds are specified in Spec that are not supported,
- they MUST NOT appear in this list and an implementation MUST
- set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
- reason. If both valid and invalid Route kinds are specified,
- the implementation MUST reference the valid Route kinds that
- have been specified."
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
items:
description: RouteGroupKind indicates the group and kind of
a Route resource.
@@ -1911,7 +2880,7 @@ spec:
- spec
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
@@ -1930,18 +2899,24 @@ spec:
name: v1beta1
schema:
openAPIV3Schema:
- description: Gateway represents an instance of a service-traffic handling
- infrastructure by binding Listeners to a set of IP addresses.
+ description: |-
+ Gateway represents an instance of a service-traffic handling infrastructure
+ by binding Listeners to a set of IP addresses.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -1949,20 +2924,28 @@ spec:
description: Spec defines the desired state of Gateway.
properties:
addresses:
- description: "Addresses requested for this Gateway. This is optional
- and behavior can depend on the implementation. If a value is set
- in the spec and the requested address is invalid or unavailable,
- the implementation MUST indicate this in the associated entry in
- GatewayStatus.Addresses. \n The Addresses field represents a request
- for the address(es) on the \"outside of the Gateway\", that traffic
- bound for this Gateway will use. This could be the IP address or
- hostname of an external load balancer or other networking infrastructure,
- or some other address that traffic will be sent to. \n If no Addresses
- are specified, the implementation MAY schedule the Gateway in an
- implementation-specific manner, assigning an appropriate set of
- Addresses. \n The implementation MUST bind all Listeners to every
- GatewayAddress that it assigns to the Gateway and add a corresponding
- entry in GatewayStatus.Addresses. \n Support: Extended \n "
+ description: |+
+ Addresses requested for this Gateway. This is optional and behavior can
+ depend on the implementation. If a value is set in the spec and the
+ requested address is invalid or unavailable, the implementation MUST
+ indicate this in the associated entry in GatewayStatus.Addresses.
+
+ The Addresses field represents a request for the address(es) on the
+ "outside of the Gateway", that traffic bound for this Gateway will use.
+ This could be the IP address or hostname of an external load balancer or
+ other networking infrastructure, or some other address that traffic will
+ be sent to.
+
+ If no Addresses are specified, the implementation MAY schedule the
+ Gateway in an implementation-specific manner, assigning an appropriate
+ set of Addresses.
+
+ The implementation MUST bind all Listeners to every GatewayAddress that
+ it assigns to the Gateway and add a corresponding entry in
+ GatewayStatus.Addresses.
+
+ Support: Extended
+
items:
description: GatewayAddress describes an address that can be bound
to a Gateway.
@@ -1989,9 +2972,11 @@ spec:
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
- description: "Value of the address. The validity of the values
- will depend on the type and support by the controller. \n
- Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
maxLength: 253
minLength: 1
type: string
@@ -2012,180 +2997,357 @@ spec:
- message: Hostname values must be unique
rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2,
a2.type == a1.type && a2.value == a1.value) : true )'
+ backendTLS:
+ description: |+
+ BackendTLS configures TLS settings for when this Gateway is connecting to
+ backends with TLS.
+
+ Support: Core
+
+ properties:
+ clientCertificateRef:
+ description: |+
+ ClientCertificateRef is a reference to an object that contains a Client
+ Certificate and the associated private key.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ ClientCertificateRef can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ This setting can be overridden on the service level by use of BackendTLSPolicy.
+
+ Support: Core
+
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ type: object
gatewayClassName:
- description: GatewayClassName used for this Gateway. This is the name
- of a GatewayClass resource.
+ description: |-
+ GatewayClassName used for this Gateway. This is the name of a
+ GatewayClass resource.
maxLength: 253
minLength: 1
type: string
infrastructure:
- description: "Infrastructure defines infrastructure level attributes
- about this Gateway instance. \n Support: Core \n "
+ description: |-
+ Infrastructure defines infrastructure level attributes about this Gateway instance.
+
+ Support: Extended
properties:
annotations:
additionalProperties:
- description: AnnotationValue is the value of an annotation in
- Gateway API. This is used for validation of maps such as TLS
- options. This roughly matches Kubernetes annotation validation,
- although the length validation in that case is based on the
- entire size of the annotations struct.
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
- description: "Annotations that SHOULD be applied to any resources
- created in response to this Gateway. \n For implementations
- creating other Kubernetes objects, this should be the `metadata.annotations`
- field on resources. For other implementations, this refers to
- any relevant (implementation specific) \"annotations\" concepts.
- \n An implementation may chose to add additional implementation-specific
- annotations as they see fit. \n Support: Extended"
+ description: |-
+ Annotations that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts.
+
+ An implementation may chose to add additional implementation-specific annotations as they see fit.
+
+ Support: Extended
maxProperties: 8
type: object
+ x-kubernetes-validations:
+ - message: Annotation keys must be in the form of an optional
+ DNS subdomain prefix followed by a required name segment of
+ up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the annotation key's prefix must be a
+ DNS subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
labels:
additionalProperties:
- description: AnnotationValue is the value of an annotation in
- Gateway API. This is used for validation of maps such as TLS
- options. This roughly matches Kubernetes annotation validation,
- although the length validation in that case is based on the
- entire size of the annotations struct.
- maxLength: 4096
+ description: |-
+ LabelValue is the value of a label in the Gateway API. This is used for validation
+ of maps such as Gateway infrastructure labels. This matches the Kubernetes
+ label validation rules:
+ * must be 63 characters or less (can be empty),
+ * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]),
+ * could contain dashes (-), underscores (_), dots (.), and alphanumerics between.
+
+ Valid values include:
+
+ * MyValue
+ * my.name
+ * 123-my-value
+ maxLength: 63
minLength: 0
+ pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
type: string
- description: "Labels that SHOULD be applied to any resources created
- in response to this Gateway. \n For implementations creating
- other Kubernetes objects, this should be the `metadata.labels`
- field on resources. For other implementations, this refers to
- any relevant (implementation specific) \"labels\" concepts.
- \n An implementation may chose to add additional implementation-specific
- labels as they see fit. \n Support: Extended"
+ description: |-
+ Labels that SHOULD be applied to any resources created in response to this Gateway.
+
+ For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources.
+ For other implementations, this refers to any relevant (implementation specific) "labels" concepts.
+
+ An implementation may chose to add additional implementation-specific labels as they see fit.
+
+ If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels
+ change, it SHOULD clearly warn about this behavior in documentation.
+
+ Support: Extended
maxProperties: 8
type: object
+ x-kubernetes-validations:
+ - message: Label keys must be in the form of an optional DNS subdomain
+ prefix followed by a required name segment of up to 63 characters.
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$"""))
+ - message: If specified, the label key's prefix must be a DNS
+ subdomain not longer than 253 characters in total.
+ rule: self.all(key, key.split("/")[0].size() < 253)
+ parametersRef:
+ description: |-
+ ParametersRef is a reference to a resource that contains the configuration
+ parameters corresponding to the Gateway. This is optional if the
+ controller does not require any additional configuration.
+
+ This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis
+
+ The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified,
+ the merging behavior is implementation specific.
+ It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway.
+
+ Support: Implementation-specific
+ properties:
+ group:
+ description: Group is the group of the referent.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
type: object
listeners:
- description: "Listeners associated with this Gateway. Listeners define
- logical endpoints that are bound on this Gateway's addresses. At
- least one Listener MUST be specified. \n Each Listener in a set
- of Listeners (for example, in a single Gateway) MUST be _distinct_,
- in that a traffic flow MUST be able to be assigned to exactly one
- listener. (This section uses \"set of Listeners\" rather than \"Listeners
- in a single Gateway\" because implementations MAY merge configuration
- from multiple Gateways onto a single data plane, and these rules
- _also_ apply in that case). \n Practically, this means that each
- listener in a set MUST have a unique combination of Port, Protocol,
- and, if supported by the protocol, Hostname. \n Some combinations
- of port, protocol, and TLS settings are considered Core support
- and MUST be supported by implementations based on their targeted
- conformance profile: \n HTTP Profile \n 1. HTTPRoute, Port: 80,
- Protocol: HTTP 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode:
- Terminate, TLS keypair provided \n TLS Profile \n 1. TLSRoute, Port:
- 443, Protocol: TLS, TLS Mode: Passthrough \n \"Distinct\" Listeners
- have the following property: \n The implementation can match inbound
- requests to a single distinct Listener. When multiple Listeners
- share values for fields (for example, two Listeners with the same
- Port value), the implementation can match requests to only one of
- the Listeners using other Listener fields. \n For example, the following
- Listener scenarios are distinct: \n 1. Multiple Listeners with the
- same Port that all use the \"HTTP\" Protocol that all have unique
- Hostname values. 2. Multiple Listeners with the same Port that use
- either the \"HTTPS\" or \"TLS\" Protocol that all have unique Hostname
- values. 3. A mixture of \"TCP\" and \"UDP\" Protocol Listeners,
- where no Listener with the same Protocol has the same Port value.
- \n Some fields in the Listener struct have possible values that
- affect whether the Listener is distinct. Hostname is particularly
- relevant for HTTP or HTTPS protocols. \n When using the Hostname
- value to select between same-Port, same-Protocol Listeners, the
- Hostname value must be different on each Listener for the Listener
- to be distinct. \n When the Listeners are distinct based on Hostname,
- inbound request hostnames MUST match from the most specific to least
- specific Hostname values to choose the correct Listener and its
- associated set of Routes. \n Exact matches must be processed before
- wildcard matches, and wildcard matches must be processed before
- fallback (empty Hostname value) matches. For example, `\"foo.example.com\"`
- takes precedence over `\"*.example.com\"`, and `\"*.example.com\"`
- takes precedence over `\"\"`. \n Additionally, if there are multiple
- wildcard entries, more specific wildcard entries must be processed
- before less specific wildcard entries. For example, `\"*.foo.example.com\"`
- takes precedence over `\"*.example.com\"`. The precise definition
- here is that the higher the number of dots in the hostname to the
- right of the wildcard character, the higher the precedence. \n The
- wildcard character will match any number of characters _and dots_
- to the left, however, so `\"*.example.com\"` will match both `\"foo.bar.example.com\"`
- _and_ `\"bar.example.com\"`. \n If a set of Listeners contains Listeners
- that are not distinct, then those Listeners are Conflicted, and
- the implementation MUST set the \"Conflicted\" condition in the
- Listener Status to \"True\". \n Implementations MAY choose to accept
- a Gateway with some Conflicted Listeners only if they only accept
- the partial Listener set that contains no Conflicted Listeners.
- To put this another way, implementations may accept a partial Listener
- set only if they throw out *all* the conflicting Listeners. No picking
- one of the conflicting listeners as the winner. This also means
- that the Gateway must have at least one non-conflicting Listener
- in this case, otherwise it violates the requirement that at least
- one Listener must be present. \n The implementation MUST set a \"ListenersNotValid\"
- condition on the Gateway Status when the Gateway contains Conflicted
- Listeners whether or not they accept the Gateway. That Condition
- SHOULD clearly indicate in the Message which Listeners are conflicted,
- and which are Accepted. Additionally, the Listener status for those
- listeners SHOULD indicate which Listeners are conflicted and not
- Accepted. \n A Gateway's Listeners are considered \"compatible\"
- if: \n 1. They are distinct. 2. The implementation can serve them
- in compliance with the Addresses requirement that all Listeners
- are available on all assigned addresses. \n Compatible combinations
- in Extended support are expected to vary across implementations.
- A combination that is compatible for one implementation may not
- be compatible for another. \n For example, an implementation that
- cannot serve both TCP and UDP listeners on the same address, or
- cannot mix HTTPS and generic TLS listens on the same port would
- not consider those cases compatible, even though they are distinct.
- \n Note that requests SHOULD match at most one Listener. For example,
- if Listeners are defined for \"foo.example.com\" and \"*.example.com\",
- a request to \"foo.example.com\" SHOULD only be routed using routes
- attached to the \"foo.example.com\" Listener (and not the \"*.example.com\"
- Listener). This concept is known as \"Listener Isolation\". Implementations
- that do not support Listener Isolation MUST clearly document this.
- \n Implementations MAY merge separate Gateways onto a single set
- of Addresses if all Listeners across all Gateways are compatible.
- \n Support: Core"
+ description: |-
+ Listeners associated with this Gateway. Listeners define
+ logical endpoints that are bound on this Gateway's addresses.
+ At least one Listener MUST be specified.
+
+ Each Listener in a set of Listeners (for example, in a single Gateway)
+ MUST be _distinct_, in that a traffic flow MUST be able to be assigned to
+ exactly one listener. (This section uses "set of Listeners" rather than
+ "Listeners in a single Gateway" because implementations MAY merge configuration
+ from multiple Gateways onto a single data plane, and these rules _also_
+ apply in that case).
+
+ Practically, this means that each listener in a set MUST have a unique
+ combination of Port, Protocol, and, if supported by the protocol, Hostname.
+
+ Some combinations of port, protocol, and TLS settings are considered
+ Core support and MUST be supported by implementations based on their
+ targeted conformance profile:
+
+ HTTP Profile
+
+ 1. HTTPRoute, Port: 80, Protocol: HTTP
+ 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided
+
+ TLS Profile
+
+ 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough
+
+ "Distinct" Listeners have the following property:
+
+ The implementation can match inbound requests to a single distinct
+ Listener. When multiple Listeners share values for fields (for
+ example, two Listeners with the same Port value), the implementation
+ can match requests to only one of the Listeners using other
+ Listener fields.
+
+ For example, the following Listener scenarios are distinct:
+
+ 1. Multiple Listeners with the same Port that all use the "HTTP"
+ Protocol that all have unique Hostname values.
+ 2. Multiple Listeners with the same Port that use either the "HTTPS" or
+ "TLS" Protocol that all have unique Hostname values.
+ 3. A mixture of "TCP" and "UDP" Protocol Listeners, where no Listener
+ with the same Protocol has the same Port value.
+
+ Some fields in the Listener struct have possible values that affect
+ whether the Listener is distinct. Hostname is particularly relevant
+ for HTTP or HTTPS protocols.
+
+ When using the Hostname value to select between same-Port, same-Protocol
+ Listeners, the Hostname value must be different on each Listener for the
+ Listener to be distinct.
+
+ When the Listeners are distinct based on Hostname, inbound request
+ hostnames MUST match from the most specific to least specific Hostname
+ values to choose the correct Listener and its associated set of Routes.
+
+ Exact matches must be processed before wildcard matches, and wildcard
+ matches must be processed before fallback (empty Hostname value)
+ matches. For example, `"foo.example.com"` takes precedence over
+ `"*.example.com"`, and `"*.example.com"` takes precedence over `""`.
+
+ Additionally, if there are multiple wildcard entries, more specific
+ wildcard entries must be processed before less specific wildcard entries.
+ For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`.
+ The precise definition here is that the higher the number of dots in the
+ hostname to the right of the wildcard character, the higher the precedence.
+
+ The wildcard character will match any number of characters _and dots_ to
+ the left, however, so `"*.example.com"` will match both
+ `"foo.bar.example.com"` _and_ `"bar.example.com"`.
+
+ If a set of Listeners contains Listeners that are not distinct, then those
+ Listeners are Conflicted, and the implementation MUST set the "Conflicted"
+ condition in the Listener Status to "True".
+
+ Implementations MAY choose to accept a Gateway with some Conflicted
+ Listeners only if they only accept the partial Listener set that contains
+ no Conflicted Listeners. To put this another way, implementations may
+ accept a partial Listener set only if they throw out *all* the conflicting
+ Listeners. No picking one of the conflicting listeners as the winner.
+ This also means that the Gateway must have at least one non-conflicting
+ Listener in this case, otherwise it violates the requirement that at
+ least one Listener must be present.
+
+ The implementation MUST set a "ListenersNotValid" condition on the
+ Gateway Status when the Gateway contains Conflicted Listeners whether or
+ not they accept the Gateway. That Condition SHOULD clearly
+ indicate in the Message which Listeners are conflicted, and which are
+ Accepted. Additionally, the Listener status for those listeners SHOULD
+ indicate which Listeners are conflicted and not Accepted.
+
+ A Gateway's Listeners are considered "compatible" if:
+
+ 1. They are distinct.
+ 2. The implementation can serve them in compliance with the Addresses
+ requirement that all Listeners are available on all assigned
+ addresses.
+
+ Compatible combinations in Extended support are expected to vary across
+ implementations. A combination that is compatible for one implementation
+ may not be compatible for another.
+
+ For example, an implementation that cannot serve both TCP and UDP listeners
+ on the same address, or cannot mix HTTPS and generic TLS listens on the same port
+ would not consider those cases compatible, even though they are distinct.
+
+ Note that requests SHOULD match at most one Listener. For example, if
+ Listeners are defined for "foo.example.com" and "*.example.com", a
+ request to "foo.example.com" SHOULD only be routed using routes attached
+ to the "foo.example.com" Listener (and not the "*.example.com" Listener).
+ This concept is known as "Listener Isolation". Implementations that do
+ not support Listener Isolation MUST clearly document this.
+
+ Implementations MAY merge separate Gateways onto a single set of
+ Addresses if all Listeners across all Gateways are compatible.
+
+ Support: Core
items:
- description: Listener embodies the concept of a logical endpoint
- where a Gateway accepts network connections.
+ description: |-
+ Listener embodies the concept of a logical endpoint where a Gateway accepts
+ network connections.
properties:
allowedRoutes:
default:
namespaces:
from: Same
- description: "AllowedRoutes defines the types of routes that
- MAY be attached to a Listener and the trusted namespaces where
- those Route resources MAY be present. \n Although a client
- request may match multiple route rules, only one rule may
- ultimately receive the request. Matching precedence MUST be
- determined in order of the following criteria: \n * The most
- specific match as defined by the Route type. * The oldest
- Route based on creation timestamp. For example, a Route with
- a creation timestamp of \"2020-09-08 01:02:03\" is given precedence
- over a Route with a creation timestamp of \"2020-09-08 01:02:04\".
- * If everything else is equivalent, the Route appearing first
- in alphabetical order (namespace/name) should be given precedence.
- For example, foo/bar is given precedence over foo/baz. \n
- All valid rules within a Route attached to this Listener should
- be implemented. Invalid Route rules can be ignored (sometimes
- that will mean the full Route). If a Route rule transitions
- from valid to invalid, support for that Route rule should
- be dropped to ensure consistency. For example, even if a filter
- specified by a Route rule is invalid, the rest of the rules
- within that Route should still be supported. \n Support: Core"
+ description: |-
+ AllowedRoutes defines the types of routes that MAY be attached to a
+ Listener and the trusted namespaces where those Route resources MAY be
+ present.
+
+ Although a client request may match multiple route rules, only one rule
+ may ultimately receive the request. Matching precedence MUST be
+ determined in order of the following criteria:
+
+ * The most specific match as defined by the Route type.
+ * The oldest Route based on creation timestamp. For example, a Route with
+ a creation timestamp of "2020-09-08 01:02:03" is given precedence over
+ a Route with a creation timestamp of "2020-09-08 01:02:04".
+ * If everything else is equivalent, the Route appearing first in
+ alphabetical order (namespace/name) should be given precedence. For
+ example, foo/bar is given precedence over foo/baz.
+
+ All valid rules within a Route attached to this Listener should be
+ implemented. Invalid Route rules can be ignored (sometimes that will mean
+ the full Route). If a Route rule transitions from valid to invalid,
+ support for that Route rule should be dropped to ensure consistency. For
+ example, even if a filter specified by a Route rule is invalid, the rest
+ of the rules within that Route should still be supported.
+
+ Support: Core
properties:
kinds:
- description: "Kinds specifies the groups and kinds of Routes
- that are allowed to bind to this Gateway Listener. When
- unspecified or empty, the kinds of Routes selected are
- determined using the Listener protocol. \n A RouteGroupKind
- MUST correspond to kinds of Routes that are compatible
- with the application protocol specified in the Listener's
- Protocol field. If an implementation does not support
- or recognize this resource type, it MUST set the \"ResolvedRefs\"
- condition to False for this Listener with the \"InvalidRouteKinds\"
- reason. \n Support: Core"
+ description: |-
+ Kinds specifies the groups and kinds of Routes that are allowed to bind
+ to this Gateway Listener. When unspecified or empty, the kinds of Routes
+ selected are determined using the Listener protocol.
+
+ A RouteGroupKind MUST correspond to kinds of Routes that are compatible
+ with the application protocol specified in the Listener's Protocol field.
+ If an implementation does not support or recognize this resource type, it
+ MUST set the "ResolvedRefs" condition to False for this Listener with the
+ "InvalidRouteKinds" reason.
+
+ Support: Core
items:
description: RouteGroupKind indicates the group and kind
of a Route resource.
@@ -2210,173 +3372,200 @@ spec:
namespaces:
default:
from: Same
- description: "Namespaces indicates namespaces from which
- Routes may be attached to this Listener. This is restricted
- to the namespace of this Gateway by default. \n Support:
- Core"
+ description: |-
+ Namespaces indicates namespaces from which Routes may be attached to this
+ Listener. This is restricted to the namespace of this Gateway by default.
+
+ Support: Core
properties:
from:
default: Same
- description: "From indicates where Routes will be selected
- for this Gateway. Possible values are: \n * All: Routes
- in all namespaces may be used by this Gateway. * Selector:
- Routes in namespaces selected by the selector may
- be used by this Gateway. * Same: Only Routes in the
- same namespace may be used by this Gateway. \n Support:
- Core"
+ description: |-
+ From indicates where Routes will be selected for this Gateway. Possible
+ values are:
+
+ * All: Routes in all namespaces may be used by this Gateway.
+ * Selector: Routes in namespaces selected by the selector may be used by
+ this Gateway.
+ * Same: Only Routes in the same namespace may be used by this Gateway.
+
+ Support: Core
enum:
- All
- Selector
- Same
type: string
selector:
- description: "Selector must be specified when From is
- set to \"Selector\". In that case, only Routes in
- Namespaces matching this Selector will be selected
- by this Gateway. This field is ignored for other values
- of \"From\". \n Support: Core"
+ description: |-
+ Selector must be specified when From is set to "Selector". In that case,
+ only Routes in Namespaces matching this Selector will be selected by this
+ Gateway. This field is ignored for other values of "From".
+
+ Support: Core
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
type: object
hostname:
- description: "Hostname specifies the virtual hostname to match
- for protocol types that define this concept. When unspecified,
- all hostnames are matched. This field is ignored for protocols
- that don't require hostname based matching. \n Implementations
- MUST apply Hostname matching appropriately for each of the
- following protocols: \n * TLS: The Listener Hostname MUST
- match the SNI. * HTTP: The Listener Hostname MUST match the
- Host header of the request. * HTTPS: The Listener Hostname
- SHOULD match at both the TLS and HTTP protocol layers as described
- above. If an implementation does not ensure that both the
- SNI and Host header match the Listener hostname, it MUST clearly
- document that. \n For HTTPRoute and TLSRoute resources, there
- is an interaction with the `spec.hostnames` array. When both
- listener and route specify hostnames, there MUST be an intersection
- between the values for a Route to be accepted. For more information,
- refer to the Route specific Hostnames documentation. \n Hostnames
- that are prefixed with a wildcard label (`*.`) are interpreted
- as a suffix match. That means that a match for `*.example.com`
- would match both `test.example.com`, and `foo.test.example.com`,
- but not `example.com`. \n Support: Core"
+ description: |-
+ Hostname specifies the virtual hostname to match for protocol types that
+ define this concept. When unspecified, all hostnames are matched. This
+ field is ignored for protocols that don't require hostname based
+ matching.
+
+ Implementations MUST apply Hostname matching appropriately for each of
+ the following protocols:
+
+ * TLS: The Listener Hostname MUST match the SNI.
+ * HTTP: The Listener Hostname MUST match the Host header of the request.
+ * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP
+ protocol layers as described above. If an implementation does not
+ ensure that both the SNI and Host header match the Listener hostname,
+ it MUST clearly document that.
+
+ For HTTPRoute and TLSRoute resources, there is an interaction with the
+ `spec.hostnames` array. When both listener and route specify hostnames,
+ there MUST be an intersection between the values for a Route to be
+ accepted. For more information, refer to the Route specific Hostnames
+ documentation.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
name:
- description: "Name is the name of the Listener. This name MUST
- be unique within a Gateway. \n Support: Core"
+ description: |-
+ Name is the name of the Listener. This name MUST be unique within a
+ Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
port:
- description: "Port is the network port. Multiple listeners may
- use the same port, subject to the Listener compatibility rules.
- \n Support: Core"
+ description: |-
+ Port is the network port. Multiple listeners may use the
+ same port, subject to the Listener compatibility rules.
+
+ Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
- description: "Protocol specifies the network protocol this listener
- expects to receive. \n Support: Core"
+ description: |-
+ Protocol specifies the network protocol this listener expects to receive.
+
+ Support: Core
maxLength: 255
minLength: 1
- pattern: ^[a-zA-Z0-9]([-a-zSA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
+ pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$
type: string
tls:
- description: "TLS is the TLS configuration for the Listener.
- This field is required if the Protocol field is \"HTTPS\"
- or \"TLS\". It is invalid to set this field if the Protocol
- field is \"HTTP\", \"TCP\", or \"UDP\". \n The association
- of SNIs to Certificate defined in GatewayTLSConfig is defined
- based on the Hostname field for this listener. \n The GatewayClass
- MUST use the longest matching SNI out of all available certificates
- for any TLS handshake. \n Support: Core"
+ description: |-
+ TLS is the TLS configuration for the Listener. This field is required if
+ the Protocol field is "HTTPS" or "TLS". It is invalid to set this field
+ if the Protocol field is "HTTP", "TCP", or "UDP".
+
+ The association of SNIs to Certificate defined in GatewayTLSConfig is
+ defined based on the Hostname field for this listener.
+
+ The GatewayClass MUST use the longest matching SNI out of all
+ available certificates for any TLS handshake.
+
+ Support: Core
properties:
certificateRefs:
- description: "CertificateRefs contains a series of references
- to Kubernetes objects that contains TLS certificates and
- private keys. These certificates are used to establish
- a TLS handshake for requests that match the hostname of
- the associated listener. \n A single CertificateRef to
- a Kubernetes Secret has \"Core\" support. Implementations
- MAY choose to support attaching multiple certificates
- to a Listener, but this behavior is implementation-specific.
- \n References to a resource in different namespace are
- invalid UNLESS there is a ReferenceGrant in the target
- namespace that allows the certificate to be attached.
- If a ReferenceGrant does not allow this reference, the
- \"ResolvedRefs\" condition MUST be set to False for this
- listener with the \"RefNotPermitted\" reason. \n This
- field is required to have at least one element when the
- mode is set to \"Terminate\" (default) and is optional
- otherwise. \n CertificateRefs can reference to standard
- Kubernetes resources, i.e. Secret, or implementation-specific
- custom resources. \n Support: Core - A single reference
- to a Kubernetes Secret of type kubernetes.io/tls \n Support:
- Implementation-specific (More than one reference or other
- resource types)"
+ description: |-
+ CertificateRefs contains a series of references to Kubernetes objects that
+ contains TLS certificates and private keys. These certificates are used to
+ establish a TLS handshake for requests that match the hostname of the
+ associated listener.
+
+ A single CertificateRef to a Kubernetes Secret has "Core" support.
+ Implementations MAY choose to support attaching multiple certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+
+ This field is required to have at least one element when the mode is set
+ to "Terminate" (default) and is optional otherwise.
+
+ CertificateRefs can reference to standard Kubernetes resources, i.e.
+ Secret, or implementation-specific custom resources.
+
+ Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls
+
+ Support: Implementation-specific (More than one reference or other resource types)
items:
- description: "SecretObjectReference identifies an API
- object including its namespace, defaulting to Secret.
- \n The API object must be valid in the cluster; the
- Group and Kind must be registered in the cluster for
- this reference to be valid. \n References to objects
- with invalid Group and Kind are not valid, and must
- be rejected by the implementation, with appropriate
- Conditions set on the containing object."
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
properties:
group:
default: ""
- description: Group is the group of the referent. For
- example, "gateway.networking.k8s.io". When unspecified
- or empty string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -2394,14 +3583,16 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is
- inferred. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace to
- allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -2411,49 +3602,143 @@ spec:
type: object
maxItems: 64
type: array
+ frontendValidation:
+ description: |+
+ FrontendValidation holds configuration information for validating the frontend (client).
+ Setting this field will require clients to send a client certificate
+ required for validation during the TLS handshake. In browsers this may result in a dialog appearing
+ that requests a user to specify the client certificate.
+ The maximum depth of a certificate chain accepted in verification is Implementation specific.
+
+ Support: Extended
+
+ properties:
+ caCertificateRefs:
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single CA certificate reference to a Kubernetes ConfigMap
+ has "Core" support.
+ Implementations MAY choose to support attaching multiple CA certificates to
+ a Listener, but this behavior is implementation-specific.
+
+ Support: Core - A single reference to a Kubernetes ConfigMap
+ with the CA certificate in a key named `ca.crt`.
+
+ Support: Implementation-specific (More than one reference, or other kinds
+ of resources).
+
+ References to a resource in a different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached. If a ReferenceGrant does not allow this reference, the
+ "ResolvedRefs" condition MUST be set to False for this listener with the
+ "RefNotPermitted" reason.
+ items:
+ description: |-
+ ObjectReference identifies an API object including its namespace.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For
+ example "ConfigMap" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ type: object
mode:
default: Terminate
- description: "Mode defines the TLS behavior for the TLS
- session initiated by the client. There are two possible
- modes: \n - Terminate: The TLS session between the downstream
- client and the Gateway is terminated at the Gateway. This
- mode requires certificateRefs to be set and contain at
- least one element. - Passthrough: The TLS session is NOT
- terminated by the Gateway. This implies that the Gateway
- can't decipher the TLS stream except for the ClientHello
- message of the TLS protocol. CertificateRefs field is
- ignored in this mode. \n Support: Core"
+ description: |-
+ Mode defines the TLS behavior for the TLS session initiated by the client.
+ There are two possible modes:
+
+ - Terminate: The TLS session between the downstream client and the
+ Gateway is terminated at the Gateway. This mode requires certificates
+ to be specified in some way, such as populating the certificateRefs
+ field.
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This
+ implies that the Gateway can't decipher the TLS stream except for
+ the ClientHello message of the TLS protocol. The certificateRefs field
+ is ignored in this mode.
+
+ Support: Core
enum:
- Terminate
- Passthrough
type: string
options:
additionalProperties:
- description: AnnotationValue is the value of an annotation
- in Gateway API. This is used for validation of maps
- such as TLS options. This roughly matches Kubernetes
- annotation validation, although the length validation
- in that case is based on the entire size of the annotations
- struct.
+ description: |-
+ AnnotationValue is the value of an annotation in Gateway API. This is used
+ for validation of maps such as TLS options. This roughly matches Kubernetes
+ annotation validation, although the length validation in that case is based
+ on the entire size of the annotations struct.
maxLength: 4096
minLength: 0
type: string
- description: "Options are a list of key/value pairs to enable
- extended TLS configuration for each implementation. For
- example, configuring the minimum TLS version or supported
- cipher suites. \n A set of common keys MAY be defined
- by the API in the future. To avoid any ambiguity, implementation-specific
- definitions MUST use domain-prefixed names, such as `example.com/my-custom-option`.
- Un-prefixed names are reserved for key names defined by
- Gateway API. \n Support: Implementation-specific"
+ description: |-
+ Options are a list of key/value pairs to enable extended TLS
+ configuration for each implementation. For example, configuring the
+ minimum TLS version or supported cipher suites.
+
+ A set of common keys MAY be defined by the API in the future. To avoid
+ any ambiguity, implementation-specific definitions MUST use
+ domain-prefixed names, such as `example.com/my-custom-option`.
+ Un-prefixed names are reserved for key names defined by Gateway API.
+
+ Support: Implementation-specific
maxProperties: 16
type: object
type: object
x-kubernetes-validations:
- - message: certificateRefs must be specified when TLSModeType
- is Terminate
+ - message: certificateRefs or options must be specified when
+ mode is Terminate
rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs)
- > 0 : true'
+ > 0 || size(self.options) > 0 : true'
required:
- name
- port
@@ -2466,13 +3751,13 @@ spec:
- name
x-kubernetes-list-type: map
x-kubernetes-validations:
- - message: tls must be specified for protocols ['HTTPS', 'TLS']
- rule: 'self.all(l, l.protocol in [''HTTPS'', ''TLS''] ? has(l.tls)
- : true)'
- message: tls must not be specified for protocols ['HTTP', 'TCP',
'UDP']
rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ?
!has(l.tls) : true)'
+ - message: tls mode must be Terminate for protocol HTTPS
+ rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode
+ == '''' || l.tls.mode == ''Terminate'') : true)'
- message: hostname must not be specified for protocols ['TCP', 'UDP']
rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname)
|| l.hostname == '''') : true)'
@@ -2503,12 +3788,17 @@ spec:
description: Status defines the current state of Gateway.
properties:
addresses:
- description: "Addresses lists the network addresses that have been
- bound to the Gateway. \n This list may differ from the addresses
- provided in the spec under some conditions: \n * no addresses are
- specified, all addresses are dynamically assigned * a combination
- of specified and dynamic addresses are assigned * a specified address
- was unusable (e.g. already in use) \n "
+ description: |+
+ Addresses lists the network addresses that have been bound to the
+ Gateway.
+
+ This list may differ from the addresses provided in the spec under some
+ conditions:
+
+ * no addresses are specified, all addresses are dynamically assigned
+ * a combination of specified and dynamic addresses are assigned
+ * a specified address was unusable (e.g. already in use)
+
items:
description: GatewayStatusAddress describes a network address that
is bound to a Gateway.
@@ -2535,9 +3825,11 @@ spec:
pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
value:
- description: "Value of the address. The validity of the values
- will depend on the type and support by the controller. \n
- Examples: `1.2.3.4`, `128::1`, `my-ip-address`."
+ description: |-
+ Value of the address. The validity of the values will depend
+ on the type and support by the controller.
+
+ Examples: `1.2.3.4`, `128::1`, `my-ip-address`.
maxLength: 253
minLength: 1
type: string
@@ -2563,50 +3855,49 @@ spec:
reason: Pending
status: Unknown
type: Programmed
- description: "Conditions describe the current conditions of the Gateway.
- \n Implementations should prefer to express Gateway conditions using
- the `GatewayConditionType` and `GatewayConditionReason` constants
- so that operators and tools can converge on a common vocabulary
- to describe Gateway state. \n Known condition types are: \n * \"Accepted\"
- * \"Programmed\" * \"Ready\""
+ description: |-
+ Conditions describe the current conditions of the Gateway.
+
+ Implementations should prefer to express Gateway conditions
+ using the `GatewayConditionType` and `GatewayConditionReason`
+ constants so that operators and tools can converge on a common
+ vocabulary to describe Gateway state.
+
+ Known condition types are:
+
+ * "Accepted"
+ * "Programmed"
+ * "Ready"
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
@@ -2621,10 +3912,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -2647,70 +3934,60 @@ spec:
description: ListenerStatus is the status associated with a Listener.
properties:
attachedRoutes:
- description: "AttachedRoutes represents the total number of
- Routes that have been successfully attached to this Listener.
- \n Successful attachment of a Route to a Listener is based
- solely on the combination of the AllowedRoutes field on the
- corresponding Listener and the Route's ParentRefs field. A
- Route is successfully attached to a Listener when it is selected
- by the Listener's AllowedRoutes field AND the Route has a
- valid ParentRef selecting the whole Gateway resource or a
- specific Listener as a parent resource (more detail on attachment
- semantics can be found in the documentation on the various
- Route kinds ParentRefs fields). Listener or Route status does
- not impact successful attachment, i.e. the AttachedRoutes
- field count MUST be set for Listeners with condition Accepted:
- false and MUST count successfully attached Routes that may
- themselves have Accepted: false conditions. \n Uses for this
- field include troubleshooting Route attachment and measuring
- blast radius/impact of changes to a Listener."
+ description: |-
+ AttachedRoutes represents the total number of Routes that have been
+ successfully attached to this Listener.
+
+ Successful attachment of a Route to a Listener is based solely on the
+ combination of the AllowedRoutes field on the corresponding Listener
+ and the Route's ParentRefs field. A Route is successfully attached to
+ a Listener when it is selected by the Listener's AllowedRoutes field
+ AND the Route has a valid ParentRef selecting the whole Gateway
+ resource or a specific Listener as a parent resource (more detail on
+ attachment semantics can be found in the documentation on the various
+ Route kinds ParentRefs fields). Listener or Route status does not impact
+ successful attachment, i.e. the AttachedRoutes field count MUST be set
+ for Listeners with condition Accepted: false and MUST count successfully
+ attached Routes that may themselves have Accepted: false conditions.
+
+ Uses for this field include troubleshooting Route attachment and
+ measuring blast radius/impact of changes to a Listener.
format: int32
type: integer
conditions:
description: Conditions describe the current condition of this
listener.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -2725,11 +4002,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -2753,15 +4025,16 @@ spec:
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
supportedKinds:
- description: "SupportedKinds is the list indicating the Kinds
- supported by this listener. This MUST represent the kinds
- an implementation supports for that Listener configuration.
- \n If kinds are specified in Spec that are not supported,
- they MUST NOT appear in this list and an implementation MUST
- set the \"ResolvedRefs\" condition to \"False\" with the \"InvalidRouteKinds\"
- reason. If both valid and invalid Route kinds are specified,
- the implementation MUST reference the valid Route kinds that
- have been specified."
+ description: |-
+ SupportedKinds is the list indicating the Kinds supported by this
+ listener. This MUST represent the kinds an implementation supports for
+ that Listener configuration.
+
+ If kinds are specified in Spec that are not supported, they MUST NOT
+ appear in this list and an implementation MUST set the "ResolvedRefs"
+ condition to "False" with the "InvalidRouteKinds" reason. If both valid
+ and invalid Route kinds are specified, the implementation MUST
+ reference the valid Route kinds that have been specified.
items:
description: RouteGroupKind indicates the group and kind of
a Route resource.
@@ -2799,7 +4072,7 @@ spec:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
status:
@@ -2816,8 +4089,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: grpcroutes.gateway.networking.k8s.io
@@ -2839,40 +4112,52 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- name: v1alpha2
+ name: v1
schema:
openAPIV3Schema:
- description: "GRPCRoute provides a way to route gRPC requests. This includes
- the capability to match requests by hostname, gRPC service, gRPC method,
- or HTTP/2 header. Filters can be used to specify additional processing steps.
- Backends specify where matching requests will be routed. \n GRPCRoute falls
- under extended support within the Gateway API. Within the following specification,
- the word \"MUST\" indicates that an implementation supporting GRPCRoute
- must conform to the indicated requirement, but an implementation not supporting
- this route type need not follow the requirement unless explicitly indicated.
- \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType`
- MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1,
- i.e. via ALPN. If the implementation does not support this, then it MUST
- set the \"Accepted\" condition to \"False\" for the affected listener with
- a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2
- connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute`
- with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c,
- https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade
- from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4).
- If the implementation does not support this, then it MUST set the \"Accepted\"
- condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\".
+ description: |-
+ GRPCRoute provides a way to route gRPC requests. This includes the capability
+ to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header.
+ Filters can be used to specify additional processing steps. Backends specify
+ where matching requests will be routed.
+
+ GRPCRoute falls under extended support within the Gateway API. Within the
+ following specification, the word "MUST" indicates that an implementation
+ supporting GRPCRoute must conform to the indicated requirement, but an
+ implementation not supporting this route type need not follow the requirement
+ unless explicitly indicated.
+
+ Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST
+ accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via
+ ALPN. If the implementation does not support this, then it MUST set the
+ "Accepted" condition to "False" for the affected listener with a reason of
+ "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections
+ with an upgrade from HTTP/1.
+
+ Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST
+ support HTTP/2 over cleartext TCP (h2c,
+ https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial
+ upgrade from HTTP/1.1, i.e. with prior knowledge
+ (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation
+ does not support this, then it MUST set the "Accepted" condition to "False"
+ for the affected listener with a reason of "UnsupportedProtocol".
Implementations MAY also accept HTTP/2 connections with an upgrade from
- HTTP/1, i.e. without prior knowledge."
+ HTTP/1, i.e. without prior knowledge.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -2880,56 +4165,73 @@ spec:
description: Spec defines the desired state of GRPCRoute.
properties:
hostnames:
- description: "Hostnames defines a set of hostnames to match against
- the GRPC Host header to select a GRPCRoute to process the request.
- This matches the RFC 1123 definition of a hostname with 2 notable
- exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed
- with a wildcard label (`*.`). The wildcard label MUST appear by
- itself as the first label. \n If a hostname is specified by both
- the Listener and GRPCRoute, there MUST be at least one intersecting
- hostname for the GRPCRoute to be attached to the Listener. For example:
- \n * A Listener with `test.example.com` as the hostname matches
- GRPCRoutes that have either not specified any hostnames, or have
- specified at least one of `test.example.com` or `*.example.com`.
+ description: |-
+ Hostnames defines a set of hostnames to match against the GRPC
+ Host header to select a GRPCRoute to process the request. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label MUST appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and GRPCRoute, there
+ MUST be at least one intersecting hostname for the GRPCRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches GRPCRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
* A Listener with `*.example.com` as the hostname matches GRPCRoutes
- that have either not specified any hostnames or have specified at
- least one hostname that matches the Listener hostname. For example,
- `test.example.com` and `*.example.com` would both match. On the
- other hand, `example.com` and `test.example.net` would not match.
- \n Hostnames that are prefixed with a wildcard label (`*.`) are
- interpreted as a suffix match. That means that a match for `*.example.com`
- would match both `test.example.com`, and `foo.test.example.com`,
- but not `example.com`. \n If both the Listener and GRPCRoute have
- specified hostnames, any GRPCRoute hostnames that do not match the
- Listener hostname MUST be ignored. For example, if a Listener specified
- `*.example.com`, and the GRPCRoute specified `test.example.com`
- and `test.example.net`, `test.example.net` MUST NOT be considered
- for a match. \n If both the Listener and GRPCRoute have specified
- hostnames, and none match with the criteria above, then the GRPCRoute
- MUST NOT be accepted by the implementation. The implementation MUST
- raise an 'Accepted' Condition with a status of `False` in the corresponding
- RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute
- is attached to a Listener and that listener already has another
- Route (B) of the other type attached and the intersection of the
- hostnames of A and B is non-empty, then the implementation MUST
- accept exactly one of these two routes, determined by the following
- criteria, in order: \n * The oldest Route based on creation timestamp.
- * The Route appearing first in alphabetical order by \"{namespace}/{name}\".
- \n The rejected Route MUST raise an 'Accepted' condition with a
- status of 'False' in the corresponding RouteParentStatus. \n Support:
- Core"
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the other
+ hand, `example.com` and `test.example.net` would not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and GRPCRoute have specified hostnames, any
+ GRPCRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ GRPCRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` MUST NOT be considered for a match.
+
+ If both the Listener and GRPCRoute have specified hostnames, and none
+ match with the criteria above, then the GRPCRoute MUST NOT be accepted by
+ the implementation. The implementation MUST raise an 'Accepted' Condition
+ with a status of `False` in the corresponding RouteParentStatus.
+
+ If a Route (A) of type HTTPRoute or GRPCRoute is attached to a
+ Listener and that listener already has another Route (B) of the other
+ type attached and the intersection of the hostnames of A and B is
+ non-empty, then the implementation MUST accept exactly one of these two
+ routes, determined by the following criteria, in order:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ The rejected Route MUST raise an 'Accepted' condition with a status of
+ 'False' in the corresponding RouteParentStatus.
+
+ Support: Core
items:
- description: "Hostname is the fully qualified domain name of a network
- host. This matches the RFC 1123 definition of a hostname with
- 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
- may be prefixed with a wildcard label (`*.`). The wildcard label
- must appear by itself as the first label. \n Hostname can be \"precise\"
- which is a domain name without the terminating dot of a network
- host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
- name prefixed with a single wildcard label (e.g. `*.example.com`).
- \n Note that as per RFC1035 and RFC1123, a *label* must consist
- of lower case alphanumeric characters or '-', and must start and
- end with an alphanumeric character. No other punctuation is allowed."
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -2937,165 +4239,213 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: "ParentRefs references the resources (usually Gateways)
- that a Route wants to be attached to. Note that the referenced parent
- resource needs to allow this for the attachment to be complete.
- For Gateways, that means the Gateway needs to allow attachment from
- Routes of this kind and namespace. For Services, that means the
- Service must either be in the same namespace for a \"producer\"
- route, or the mesh implementation must support and allow \"consumer\"
- routes for the referenced Service. ReferenceGrant is not applicable
- for governing ParentRefs to Services - it is not possible to create
- a \"producer\" route for a Service in a different namespace from
- the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) This
- API may be extended in the future to support additional kinds of
- parent resources. \n ParentRefs must be _distinct_. This means either
- that: \n * They select different objects. If this is the case,
- then parentRef entries are distinct. In terms of fields, this means
- that the multi-part key defined by `group`, `kind`, `namespace`,
- and `name` must be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field
- used, each ParentRef that selects the same object must set the same
- set of optional fields to different values. If one ParentRef sets
- a combination of optional fields, all must set the same combination.
- \n Some examples: \n * If one ParentRef sets `sectionName`, all
- ParentRefs referencing the same object must also set `sectionName`.
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`. * If one ParentRef sets `sectionName`
- and `port`, all ParentRefs referencing the same object must also
- set `sectionName` and `port`. \n It is possible to separately reference
- multiple distinct objects that may be collapsed by an implementation.
- For example, some implementations may choose to merge compatible
- Gateway Listeners together. If that is the case, the list of routes
- attached to those resources should also be merged. \n Note that
- for ParentRefs that cross namespace boundaries, there are specific
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For
- example, Gateway has the AllowedRoutes field, and ReferenceGrant
- provides a generic way to enable other kinds of cross-namespace
- reference. \n ParentRefs from a Route to a Service in the same
- namespace are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for which the
- intended destination of the connections are a Service targeted as
- a ParentRef of the Route. \n "
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+
+
items:
- description: "ParentReference identifies an API object (usually
- a Gateway) that can be considered a parent of this resource (usually
- a route). There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service
- (Mesh conformance profile, experimental, ClusterIP Services only)
- \n This API may be extended in the future to support additional
- kinds of parent resources. \n The API object must be valid in
- the cluster; the Group and Kind must be registered in the cluster
- for this reference to be valid."
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the core
- API group (such as for a \"Service\" kind referent), Group
- must be explicitly set to \"\" (empty string). \n Support:
- Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are two
- kinds of parent resources with \"Core\" support: \n * Gateway
- (Gateway conformance profile) * Service (Mesh conformance
- profile, experimental, ClusterIP Services only) \n Support
- for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent. When
- unspecified, this refers to the local namespace of the Route.
- \n Note that there are specific rules for ParentRefs which
- cross namespace boundaries. Cross-namespace references are
- only valid if they are explicitly allowed by something in
- the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides a
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service.
- \n ParentRefs from a Route to a Service in a different namespace
- are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same
- namespace as the Route, for which the intended destination
- of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets. It
- can be interpreted differently based on the type of parent
- resource. \n When the parent resource is a Gateway, this targets
- all listeners listening on the specified port that also support
- this kind of Route(and select this Route). It's not recommended
- to set `Port` unless the networking behaviors specified in
- a Route must apply to a specific port as opposed to a listener(s)
- whose port(s) may be changed. When both Port and SectionName
- are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
- is a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes can
- attach to them by Route kind, namespace, or hostname. If 1
- of 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway. \n
- Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within the
- target resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match both
- specified values. * Service: Port Name. When both Port (experimental)
- and SectionName are specified, the name and port of the selected
- listener must match both specified values. Note that attaching
- Routes to Services as Parents is part of experimental Mesh
- support and is not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this will
- reference the entire resource. For the purpose of status,
- an attachment is considered successful if at least one section
- in the parent resource accepts it. For example, Gateway listeners
- can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept
- attachment from the referencing Route, the Route MUST be considered
- successfully attached. If no Gateway listeners accept attachment
- from this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -3129,84 +4479,103 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: Rules are a list of GRPC matchers, filters and actions.
+ description: |+
+ Rules are a list of GRPC matchers, filters and actions.
+
items:
- description: GRPCRouteRule defines the semantics for matching a
- gRPC request based on conditions (matches), processing it (filters),
- and forwarding the request to an API object (backendRefs).
+ description: |-
+ GRPCRouteRule defines the semantics for matching a gRPC request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
properties:
backendRefs:
- description: "BackendRefs defines the backend(s) where matching
- requests should be sent. \n Failure behavior here depends
- on how many BackendRefs are specified and how many are invalid.
- \n If *all* entries in BackendRefs are invalid, and there
- are also no filters specified in this route rule, *all* traffic
- which matches this rule MUST receive an `UNAVAILABLE` status.
- \n See the GRPCBackendRef definition for the rules about what
- makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef
- is invalid, `UNAVAILABLE` statuses MUST be returned for requests
- that would have otherwise been routed to an invalid backend.
- If multiple backends are specified, and some are invalid,
- the proportion of requests that would otherwise have been
- routed to an invalid backend MUST receive an `UNAVAILABLE`
- status. \n For example, if two backends are specified with
- equal weights, and one is invalid, 50 percent of traffic MUST
- receive an `UNAVAILABLE` status. Implementations may choose
- how that 50 percent is determined. \n Support: Core for Kubernetes
- Service \n Support: Implementation-specific for any other
- resource \n Support for weight: Core"
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive an `UNAVAILABLE` status.
+
+ See the GRPCBackendRef definition for the rules about what makes a single
+ GRPCBackendRef invalid.
+
+ When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive an `UNAVAILABLE` status.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status.
+ Implementations may choose how that 50 percent is determined.
+
+ Support: Core for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
items:
- description: "GRPCBackendRef defines how a GRPCRoute forwards
- a gRPC request. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace to allow that
+ description: |-
+ GRPCBackendRef defines how a GRPCRoute forwards a gRPC request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details. \n
- \n When the BackendRef points to a Kubernetes Service, implementations
- SHOULD honor the appProtocol field if it is set for the
- target Service Port. \n Implementations supporting appProtocol
- SHOULD recognize the Kubernetes Standard Application Protocols
- defined in KEP-3726. \n If a Service appProtocol isn't specified,
- an implementation MAY infer the backend protocol through
- its own means. Implementations MAY infer the protocol from
- the Route type referring to the backend Service. \n If a
- Route is not able to send traffic to the backend using the
- specified protocol then the backend is considered invalid.
- Implementations MUST set the \"ResolvedRefs\" condition
- to \"False\" with the \"UnsupportedProtocol\" reason. \n
- "
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
properties:
filters:
- description: "Filters defined at this level MUST be executed
- if and only if the request is being forwarded to the
- backend defined here. \n Support: Implementation-specific
- (For broader support of filters, use the Filters field
- in GRPCRouteRule.)"
+ description: |-
+ Filters defined at this level MUST be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in GRPCRouteRule.)
items:
- description: GRPCRouteFilter defines processing steps
- that must be completed during the request or response
- lifecycle. GRPCRouteFilters are meant as an extension
- point to express processing that may be done in Gateway
- implementations. Some examples include request or
- response modification, implementing authentication
- strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type
- of the filter.
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
- description: "ExtensionRef is an optional, implementation-specific
- extension to the \"filter\" behavior. For example,
- resource \"myroutefilter\" in group \"networking.example.net\").
- ExtensionRef MUST NOT be used for core and extended
- filters. \n Support: Implementation-specific \n
- This filter can be used multiple times within
- the same rule."
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
properties:
group:
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API
- group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -3228,35 +4597,45 @@ spec:
- name
type: object
requestHeaderModifier:
- description: "RequestHeaderModifier defines a schema
- for a filter that modifies request headers. \n
- Support: Core"
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It
- appends to any existing values associated
- with the header name. \n Input: GET /foo HTTP/1.1
- my-header: foo \n Config: add: - name: \"my-header\"
- value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
- my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -3277,44 +4656,61 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from
- the HTTP request before the action. The value
- of Remove is a list of HTTP header names.
- Note that the header names are case-insensitive
- (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo
- my-header2: bar my-header3: baz \n Config:
- remove: [\"my-header1\", \"my-header3\"] \n
- Output: GET /foo HTTP/1.1 my-header2: bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with
- the given header (name, value) before the
- action. \n Input: GET /foo HTTP/1.1 my-header:
- foo \n Config: set: - name: \"my-header\"
- value: \"bar\" \n Output: GET /foo HTTP/1.1
- my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -3336,64 +4732,69 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: "RequestMirror defines a schema for
- a filter that mirrors requests. Requests are sent
- to the specified destination, but responses from
- that destination are ignored. \n This filter can
- be used multiple times within the same rule. Note
- that not all implementations will be able to support
- mirroring to multiple backends. \n Support: Extended"
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
properties:
backendRef:
- description: "BackendRef references a resource
- where mirrored requests are sent. \n Mirrored
- requests must be sent only to a single destination
- endpoint within this BackendRef, irrespective
- of how many endpoints are present within this
- BackendRef. \n If the referent cannot be found,
- this BackendRef is invalid and must be dropped
- from the Gateway. The controller must ensure
- the \"ResolvedRefs\" condition on the Route
- status is set to `status: False` and not configure
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
this backend in the underlying implementation.
- \n If there is a cross-namespace reference
- to an *existing* object that is not allowed
- by a ReferenceGrant, the controller must ensure
- the \"ResolvedRefs\" condition on the Route
- is set to `status: False`, with the \"RefNotPermitted\"
- reason and not configure this backend in the
- underlying implementation. \n In either error
- case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about
- the problem. \n Support: Extended for Kubernetes
- Service \n Support: Implementation-specific
- for any other resource"
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
properties:
group:
default: ""
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core
- API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource
- kind of the referent. For example \"Service\".
- \n Defaults to \"Service\" when not specified.
- \n ExternalName services can refer to
- CNAME DNS records that may live outside
- of the cluster and as such are difficult
- to reason about in terms of conformance.
- They also may not be safe to forward to
- (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName
- Services. \n Support: Core (Services with
- a type other than ExternalName) \n Support:
- Implementation-specific (Services with
- type ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -3404,29 +4805,27 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace
- of the backend. When unspecified, the
- local namespace is inferred. \n Note that
- when a namespace different than the local
- namespace is specified, a ReferenceGrant
- object is required in the referent namespace
- to allow that namespace's owner to accept
- the reference. See the ReferenceGrant
- documentation for details. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination
- port number to use for this resource.
- Port is required when the referent is
- a Kubernetes Service. In this case, the
- port number is the service port number,
- not the target port. For other resources,
- destination port might be derived from
- the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
@@ -3438,39 +4837,91 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind
== ''Service'') ? has(self.port) : true'
+ fraction:
+ description: |+
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal
+ to denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |+
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
required:
- backendRef
type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be
+ specified in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
responseHeaderModifier:
- description: "ResponseHeaderModifier defines a schema
- for a filter that modifies response headers. \n
- Support: Extended"
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It
- appends to any existing values associated
- with the header name. \n Input: GET /foo HTTP/1.1
- my-header: foo \n Config: add: - name: \"my-header\"
- value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
- my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -3491,44 +4942,61 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from
- the HTTP request before the action. The value
- of Remove is a list of HTTP header names.
- Note that the header names are case-insensitive
- (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo
- my-header2: bar my-header3: baz \n Config:
- remove: [\"my-header1\", \"my-header3\"] \n
- Output: GET /foo HTTP/1.1 my-header2: bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with
- the given header (name, value) before the
- action. \n Input: GET /foo HTTP/1.1 my-header:
- foo \n Config: set: - name: \"my-header\"
- value: \"bar\" \n Output: GET /foo HTTP/1.1
- my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -3550,32 +5018,32 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: "Type identifies the type of filter
- to apply. As with other API fields, types are
- classified into three conformance levels: \n -
- Core: Filter types and their corresponding configuration
- defined by \"Support: Core\" in this package,
- e.g. \"RequestHeaderModifier\". All implementations
- supporting GRPCRoute MUST support core filters.
- \n - Extended: Filter types and their corresponding
- configuration defined by \"Support: Extended\"
- in this package, e.g. \"RequestMirror\". Implementers
- are encouraged to support extended filters. \n
- - Implementation-specific: Filters that are defined
- and supported by specific vendors. In the future,
- filters showing convergence in behavior across
- multiple implementations will be considered for
- inclusion in extended or core conformance levels.
- Filter-specific configuration for such filters
- is specified using the ExtensionRef field. `Type`
- MUST be set to \"ExtensionRef\" for custom filters.
- \n Implementers are encouraged to define custom
- implementation types to extend the core API with
- implementation-specific behavior. \n If a reference
- to a custom filter type cannot be resolved, the
- filter MUST NOT be skipped. Instead, requests
- that would have been processed by that filter
- MUST receive a HTTP error response. \n "
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
enum:
- ResponseHeaderModifier
- RequestHeaderModifier
@@ -3626,25 +5094,29 @@ spec:
<= 1
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -3655,43 +5127,47 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
- description: "Weight specifies the proportion of requests
- forwarded to the referenced backend. This is computed
- as weight/(sum of all weights in this BackendRefs list).
- For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision
- an implementation supports. Weight is not a percentage
- and the sum of weights does not need to equal 100. \n
- If only one backend is specified and it has a weight
- greater than 0, 100% of the traffic is forwarded to
- that backend. If weight is set to 0, no traffic should
- be forwarded for this entry. If unspecified, weight
- defaults to 1. \n Support for this field varies based
- on the context where used."
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
format: int32
maximum: 1000000
minimum: 0
@@ -3706,44 +5182,55 @@ spec:
maxItems: 16
type: array
filters:
- description: "Filters define the filters that are applied to
- requests that match this rule. \n The effects of ordering
- of multiple behaviors are currently unspecified. This can
- change in the future based on feedback during the alpha stage.
- \n Conformance-levels at this level are defined based on the
- type of filter: \n - ALL core filters MUST be supported by
- all implementations that support GRPCRoute. - Implementers
- are encouraged to support extended filters. - Implementation-specific
- custom filters have no API guarantees across implementations.
- \n Specifying the same filter multiple times is not supported
- unless explicitly indicated in the filter. \n If an implementation
- can not support a combination of filters, it must clearly
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ The effects of ordering of multiple behaviors are currently unspecified.
+ This can change in the future based on feedback during the alpha stage.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations that support
+ GRPCRoute.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ If an implementation can not support a combination of filters, it must clearly
document that limitation. In cases where incompatible or unsupported
- filters are specified and cause the `Accepted` condition to
- be set to status `False`, implementations may use the `IncompatibleFilters`
- reason to specify this configuration error. \n Support: Core"
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
items:
- description: GRPCRouteFilter defines processing steps that
- must be completed during the request or response lifecycle.
- GRPCRouteFilters are meant as an extension point to express
- processing that may be done in Gateway implementations.
- Some examples include request or response modification,
- implementing authentication strategies, rate-limiting, and
- traffic shaping. API guarantee/conformance is defined based
- on the type of the filter.
+ description: |-
+ GRPCRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. GRPCRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
- description: "ExtensionRef is an optional, implementation-specific
- extension to the \"filter\" behavior. For example,
- resource \"myroutefilter\" in group \"networking.example.net\").
- ExtensionRef MUST NOT be used for core and extended
- filters. \n Support: Implementation-specific \n This
- filter can be used multiple times within the same rule."
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ Support: Implementation-specific
+
+ This filter can be used multiple times within the same rule.
properties:
group:
- description: Group is the group of the referent. For
- example, "gateway.networking.k8s.io". When unspecified
- or empty string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -3765,32 +5252,44 @@ spec:
- name
type: object
requestHeaderModifier:
- description: "RequestHeaderModifier defines a schema for
- a filter that modifies request headers. \n Support:
- Core"
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It appends
- to any existing values associated with the header
- name. \n Input: GET /foo HTTP/1.1 my-header: foo
- \n Config: add: - name: \"my-header\" value: \"bar,baz\"
- \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -3811,40 +5310,60 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from the
- HTTP request before the action. The value of Remove
- is a list of HTTP header names. Note that the header
- names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
- bar my-header3: baz \n Config: remove: [\"my-header1\",
- \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
- bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with the
- given header (name, value) before the action. \n
- Input: GET /foo HTTP/1.1 my-header: foo \n Config:
- set: - name: \"my-header\" value: \"bar\" \n Output:
- GET /foo HTTP/1.1 my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -3866,60 +5385,69 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: "RequestMirror defines a schema for a filter
- that mirrors requests. Requests are sent to the specified
- destination, but responses from that destination are
- ignored. \n This filter can be used multiple times within
- the same rule. Note that not all implementations will
- be able to support mirroring to multiple backends. \n
- Support: Extended"
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
properties:
backendRef:
- description: "BackendRef references a resource where
- mirrored requests are sent. \n Mirrored requests
- must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many
- endpoints are present within this BackendRef. \n
- If the referent cannot be found, this BackendRef
- is invalid and must be dropped from the Gateway.
- The controller must ensure the \"ResolvedRefs\"
- condition on the Route status is set to `status:
- False` and not configure this backend in the underlying
- implementation. \n If there is a cross-namespace
- reference to an *existing* object that is not allowed
- by a ReferenceGrant, the controller must ensure
- the \"ResolvedRefs\" condition on the Route is
- set to `status: False`, with the \"RefNotPermitted\"
- reason and not configure this backend in the underlying
- implementation. \n In either error case, the Message
- of the `ResolvedRefs` Condition should be used to
- provide more detail about the problem. \n Support:
- Extended for Kubernetes Service \n Support: Implementation-specific
- for any other resource"
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
properties:
group:
default: ""
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io". When
- unspecified or empty string, core API group
- is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource
- kind of the referent. For example \"Service\".
- \n Defaults to \"Service\" when not specified.
- \n ExternalName services can refer to CNAME
- DNS records that may live outside of the cluster
- and as such are difficult to reason about in
- terms of conformance. They also may not be safe
- to forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName
- Services. \n Support: Core (Services with a
- type other than ExternalName) \n Support: Implementation-specific
- (Services with type ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -3930,25 +5458,26 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the
- backend. When unspecified, the local namespace
- is inferred. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace
- to allow that namespace's owner to accept the
- reference. See the ReferenceGrant documentation
- for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port
- number to use for this resource. Port is required
- when the referent is a Kubernetes Service. In
- this case, the port number is the service port
- number, not the target port. For other resources,
- destination port might be derived from the referent
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
@@ -3961,36 +5490,90 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
+ fraction:
+ description: |+
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to
+ denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |+
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
required:
- backendRef
type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be specified
+ in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
responseHeaderModifier:
- description: "ResponseHeaderModifier defines a schema
- for a filter that modifies response headers. \n Support:
- Extended"
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It appends
- to any existing values associated with the header
- name. \n Input: GET /foo HTTP/1.1 my-header: foo
- \n Config: add: - name: \"my-header\" value: \"bar,baz\"
- \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -4011,40 +5594,60 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from the
- HTTP request before the action. The value of Remove
- is a list of HTTP header names. Note that the header
- names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
- bar my-header3: baz \n Config: remove: [\"my-header1\",
- \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
- bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with the
- given header (name, value) before the action. \n
- Input: GET /foo HTTP/1.1 my-header: foo \n Config:
- set: - name: \"my-header\" value: \"bar\" \n Output:
- GET /foo HTTP/1.1 my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -4066,29 +5669,32 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: "Type identifies the type of filter to apply.
- As with other API fields, types are classified into
- three conformance levels: \n - Core: Filter types and
- their corresponding configuration defined by \"Support:
- Core\" in this package, e.g. \"RequestHeaderModifier\".
- All implementations supporting GRPCRoute MUST support
- core filters. \n - Extended: Filter types and their
- corresponding configuration defined by \"Support: Extended\"
- in this package, e.g. \"RequestMirror\". Implementers
- are encouraged to support extended filters. \n - Implementation-specific:
- Filters that are defined and supported by specific vendors.
- In the future, filters showing convergence in behavior
- across multiple implementations will be considered for
- inclusion in extended or core conformance levels. Filter-specific
- configuration for such filters is specified using the
- ExtensionRef field. `Type` MUST be set to \"ExtensionRef\"
- for custom filters. \n Implementers are encouraged to
- define custom implementation types to extend the core
- API with implementation-specific behavior. \n If a reference
- to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have
- been processed by that filter MUST receive a HTTP error
- response. \n "
+ description: |+
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations supporting GRPCRoute MUST support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` MUST be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
enum:
- ResponseHeaderModifier
- RequestHeaderModifier
@@ -4137,60 +5743,95 @@ spec:
rule: self.filter(f, f.type == 'ResponseHeaderModifier').size()
<= 1
matches:
- description: "Matches define conditions used for matching the
- rule against incoming gRPC requests. Each match is independent,
- i.e. this rule will be matched if **any** one of the matches
- is satisfied. \n For example, take the following matches configuration:
- \n ``` matches: - method: service: foo.bar headers: values:
- version: 2 - method: service: foo.bar.v2 ``` \n For a request
- to match against this rule, it MUST satisfy EITHER of the
- two conditions: \n - service of foo.bar AND contains the header
- `version: 2` - service of foo.bar.v2 \n See the documentation
- for GRPCRouteMatch on how to specify multiple match conditions
- to be ANDed together. \n If no matches are specified, the
- implementation MUST match every gRPC request. \n Proxy or
- Load Balancer routing configuration generated from GRPCRoutes
- MUST prioritize rules based on the following criteria, continuing
- on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
- Precedence MUST be given to the rule with the largest number
- of: \n * Characters in a matching non-wildcard hostname. *
- Characters in a matching hostname. * Characters in a matching
- service. * Characters in a matching method. * Header matches.
- \n If ties still exist across multiple Routes, matching precedence
- MUST be determined in order of the following criteria, continuing
- on ties: \n * The oldest Route based on creation timestamp.
- * The Route appearing first in alphabetical order by \"{namespace}/{name}\".
- \n If ties still exist within the Route that has been given
- precedence, matching precedence MUST be granted to the first
- matching rule meeting the above criteria."
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ gRPC requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - method:
+ service: foo.bar
+ headers:
+ values:
+ version: 2
+ - method:
+ service: foo.bar.v2
+ ```
+
+ For a request to match against this rule, it MUST satisfy
+ EITHER of the two conditions:
+
+ - service of foo.bar AND contains the header `version: 2`
+ - service of foo.bar.v2
+
+ See the documentation for GRPCRouteMatch on how to specify multiple
+ match conditions to be ANDed together.
+
+ If no matches are specified, the implementation MUST match every gRPC request.
+
+ Proxy or Load Balancer routing configuration generated from GRPCRoutes
+ MUST prioritize rules based on the following criteria, continuing on
+ ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes.
+ Precedence MUST be given to the rule with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+ * Characters in a matching service.
+ * Characters in a matching method.
+ * Header matches.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within the Route that has been given precedence,
+ matching precedence MUST be granted to the first matching rule meeting
+ the above criteria.
items:
- description: "GRPCRouteMatch defines the predicate used to
- match requests to a given action. Multiple match types are
- ANDed together, i.e. the match will evaluate to true only
- if all conditions are satisfied. \n For example, the match
- below will match a gRPC request only if its service is `foo`
- AND it contains the `version: v1` header: \n ``` matches:
- - method: type: Exact service: \"foo\" headers: - name:
- \"version\" value \"v1\" \n ```"
+ description: |-
+ GRPCRouteMatch defines the predicate used to match requests to a given
+ action. Multiple match types are ANDed together, i.e. the match will
+ evaluate to true only if all conditions are satisfied.
+
+ For example, the match below will match a gRPC request only if its service
+ is `foo` AND it contains the `version: v1` header:
+
+ ```
+ matches:
+ - method:
+ type: Exact
+ service: "foo"
+ headers:
+ - name: "version"
+ value "v1"
+
+ ```
properties:
headers:
- description: Headers specifies gRPC request header matchers.
- Multiple match values are ANDed together, meaning, a
- request MUST match all the specified headers to select
- the route.
+ description: |-
+ Headers specifies gRPC request header matchers. Multiple match values are
+ ANDed together, meaning, a request MUST match all the specified headers
+ to select the route.
items:
- description: GRPCHeaderMatch describes how to select
- a gRPC route by matching gRPC request headers.
+ description: |-
+ GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request
+ headers.
properties:
name:
- description: "Name is the name of the gRPC Header
- to be matched. \n If multiple entries specify
- equivalent header names, only the first entry
- with an equivalent name MUST be considered for
- a match. Subsequent entries with an equivalent
- header name MUST be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the gRPC Header to be matched.
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -4219,31 +5860,35 @@ spec:
- name
x-kubernetes-list-type: map
method:
- description: Method specifies a gRPC request service/method
- matcher. If this field is not specified, all services
- and methods will match.
+ description: |-
+ Method specifies a gRPC request service/method matcher. If this field is
+ not specified, all services and methods will match.
properties:
method:
- description: "Value of the method to match against.
- If left empty or omitted, will match all services.
- \n At least one of Service and Method MUST be a
- non-empty string."
+ description: |-
+ Value of the method to match against. If left empty or omitted, will
+ match all services.
+
+ At least one of Service and Method MUST be a non-empty string.
maxLength: 1024
type: string
service:
- description: "Value of the service to match against.
- If left empty or omitted, will match any service.
- \n At least one of Service and Method MUST be a
- non-empty string."
+ description: |-
+ Value of the service to match against. If left empty or omitted, will
+ match any service.
+
+ At least one of Service and Method MUST be a non-empty string.
maxLength: 1024
type: string
type:
default: Exact
- description: "Type specifies how to match against
- the service and/or method. Support: Core (Exact
- with service and method specified) \n Support: Implementation-specific
- (Exact with method specified but no service specified)
- \n Support: Implementation-specific (RegularExpression)"
+ description: |-
+ Type specifies how to match against the service and/or method.
+ Support: Core (Exact with service and method specified)
+
+ Support: Implementation-specific (Exact with method specified but no service specified)
+
+ Support: Implementation-specific (RegularExpression)
enum:
- Exact
- RegularExpression
@@ -4267,89 +5912,207 @@ spec:
type: object
maxItems: 8
type: array
+ name:
+ description: |
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ sessionPersistence:
+ description: |+
+ SessionPersistence defines and configures session persistence
+ for the route rule.
+
+ Support: Extended
+
+ properties:
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
+
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
+
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
+
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
+
+ Support: Core for "Session" type
+
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
+
+ Support: Implementation-specific
+ maxLength: 128
+ type: string
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
+
+ Support: Core for "Cookie" type
+
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
type: object
maxItems: 16
type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size()
+ : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size()
+ : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size()
+ : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size()
+ : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size()
+ : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size()
+ : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size()
+ : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size()
+ : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size()
+ : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size()
+ : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size()
+ : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size()
+ : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size()
+ : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size()
+ : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size()
+ : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size()
+ : 0) : 0) <= 128'
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
type: object
status:
description: Status defines the current state of GRPCRoute.
properties:
parents:
- description: "Parents is a list of parent resources (usually Gateways)
- that are associated with the route, and the status of the route
- with respect to each parent. When this route attaches to a parent,
- the controller that manages the parent must add an entry to this
- list when the controller first sees the route and should update
- the entry as appropriate when the route or gateway is modified.
- \n Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this
- API can only populate Route status for the Gateways/parent resources
- they are responsible for. \n A maximum of 32 Gateways will be represented
- in this list. An empty list means the route has not been attached
- to any Gateway."
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
items:
- description: RouteParentStatus describes the status of a route with
- respect to an associated Parent.
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
properties:
conditions:
- description: "Conditions describes the status of the route with
- respect to the Gateway. Note that the route's availability
- is also subject to the Gateway's own status conditions and
- listener status. \n If the Route's ParentRef specifies an
- existing Gateway that supports Routes of this kind AND that
- Gateway's controller has sufficient access, then that Gateway's
- controller MUST set the \"Accepted\" condition on the Route,
- to indicate whether the route has been accepted or rejected
- by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
- if at least one of the Route's rules is implemented by the
- Gateway. \n There are a number of cases where the \"Accepted\"
- condition may not be set due to lack of controller visibility,
- that includes when: \n * The Route refers to a non-existent
- parent. * The Route is of a type that the controller does
- not support. * The Route is in a namespace the controller
- does not have access to."
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -4364,11 +6127,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -4386,131 +6144,154 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
- description: ParentRef corresponds with a ParentRef in the spec
- that this RouteParentStatus struct describes the status of.
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
- the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any
- namespace to the Service. \n ParentRefs from a Route to
- a Service in a different namespace are \"consumer\" routes,
- and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for
- which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n When the parent resource is
- a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are
- specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
- to support other parent resources. Implementations supporting
- other types of parent resources MUST clearly document
- how/if Port is interpreted. \n For the purpose of status,
- an attachment is considered successful as long as the
- parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them
- by Route kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing Route,
- the Route MUST be considered successfully attached. If
- no Gateway listeners accept attachment from this Route,
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
- \n Support: Extended \n "
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -4546,8 +6327,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: httproutes.gateway.networking.k8s.io
@@ -4572,20 +6353,26 @@ spec:
name: v1
schema:
openAPIV3Schema:
- description: HTTPRoute provides a way to route HTTP requests. This includes
- the capability to match requests by hostname, path, header, or query param.
- Filters can be used to specify additional processing steps. Backends specify
- where matching requests should be routed.
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -4593,57 +6380,76 @@ spec:
description: Spec defines the desired state of HTTPRoute.
properties:
hostnames:
- description: "Hostnames defines a set of hostnames that should match
- against the HTTP Host header to select a HTTPRoute used to process
- the request. Implementations MUST ignore any port value specified
- in the HTTP Host header while performing a match and (absent of
- any applicable header modification configuration) MUST forward this
- header unmodified to the backend. \n Valid values for Hostnames
- are determined by RFC 1123 definition of a hostname with 2 notable
- exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed
- with a wildcard label (`*.`). The wildcard label must appear by
- itself as the first label. \n If a hostname is specified by both
- the Listener and HTTPRoute, there must be at least one intersecting
- hostname for the HTTPRoute to be attached to the Listener. For example:
- \n * A Listener with `test.example.com` as the hostname matches
- HTTPRoutes that have either not specified any hostnames, or have
- specified at least one of `test.example.com` or `*.example.com`.
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
* A Listener with `*.example.com` as the hostname matches HTTPRoutes
- that have either not specified any hostnames or have specified at
- least one hostname that matches the Listener hostname. For example,
- `*.example.com`, `test.example.com`, and `foo.test.example.com`
- would all match. On the other hand, `example.com` and `test.example.net`
- would not match. \n Hostnames that are prefixed with a wildcard
- label (`*.`) are interpreted as a suffix match. That means that
- a match for `*.example.com` would match both `test.example.com`,
- and `foo.test.example.com`, but not `example.com`. \n If both the
- Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames
- that do not match the Listener hostname MUST be ignored. For example,
- if a Listener specified `*.example.com`, and the HTTPRoute specified
- `test.example.com` and `test.example.net`, `test.example.net` must
- not be considered for a match. \n If both the Listener and HTTPRoute
- have specified hostnames, and none match with the criteria above,
- then the HTTPRoute is not accepted. The implementation must raise
- an 'Accepted' Condition with a status of `False` in the corresponding
- RouteParentStatus. \n In the event that multiple HTTPRoutes specify
- intersecting hostnames (e.g. overlapping wildcard matching and exact
- matching hostnames), precedence must be given to rules from the
- HTTPRoute with the largest number of: \n * Characters in a matching
- non-wildcard hostname. * Characters in a matching hostname. \n If
- ties exist across multiple Routes, the matching precedence rules
- for HTTPRouteMatches takes over. \n Support: Core"
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
items:
- description: "Hostname is the fully qualified domain name of a network
- host. This matches the RFC 1123 definition of a hostname with
- 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
- may be prefixed with a wildcard label (`*.`). The wildcard label
- must appear by itself as the first label. \n Hostname can be \"precise\"
- which is a domain name without the terminating dot of a network
- host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
- name prefixed with a single wildcard label (e.g. `*.example.com`).
- \n Note that as per RFC1035 and RFC1123, a *label* must consist
- of lower case alphanumeric characters or '-', and must start and
- end with an alphanumeric character. No other punctuation is allowed."
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -4651,165 +6457,213 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: "ParentRefs references the resources (usually Gateways)
- that a Route wants to be attached to. Note that the referenced parent
- resource needs to allow this for the attachment to be complete.
- For Gateways, that means the Gateway needs to allow attachment from
- Routes of this kind and namespace. For Services, that means the
- Service must either be in the same namespace for a \"producer\"
- route, or the mesh implementation must support and allow \"consumer\"
- routes for the referenced Service. ReferenceGrant is not applicable
- for governing ParentRefs to Services - it is not possible to create
- a \"producer\" route for a Service in a different namespace from
- the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) This
- API may be extended in the future to support additional kinds of
- parent resources. \n ParentRefs must be _distinct_. This means either
- that: \n * They select different objects. If this is the case,
- then parentRef entries are distinct. In terms of fields, this means
- that the multi-part key defined by `group`, `kind`, `namespace`,
- and `name` must be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field
- used, each ParentRef that selects the same object must set the same
- set of optional fields to different values. If one ParentRef sets
- a combination of optional fields, all must set the same combination.
- \n Some examples: \n * If one ParentRef sets `sectionName`, all
- ParentRefs referencing the same object must also set `sectionName`.
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`. * If one ParentRef sets `sectionName`
- and `port`, all ParentRefs referencing the same object must also
- set `sectionName` and `port`. \n It is possible to separately reference
- multiple distinct objects that may be collapsed by an implementation.
- For example, some implementations may choose to merge compatible
- Gateway Listeners together. If that is the case, the list of routes
- attached to those resources should also be merged. \n Note that
- for ParentRefs that cross namespace boundaries, there are specific
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For
- example, Gateway has the AllowedRoutes field, and ReferenceGrant
- provides a generic way to enable other kinds of cross-namespace
- reference. \n ParentRefs from a Route to a Service in the same
- namespace are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for which the
- intended destination of the connections are a Service targeted as
- a ParentRef of the Route. \n "
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+
+
items:
- description: "ParentReference identifies an API object (usually
- a Gateway) that can be considered a parent of this resource (usually
- a route). There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service
- (Mesh conformance profile, experimental, ClusterIP Services only)
- \n This API may be extended in the future to support additional
- kinds of parent resources. \n The API object must be valid in
- the cluster; the Group and Kind must be registered in the cluster
- for this reference to be valid."
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the core
- API group (such as for a \"Service\" kind referent), Group
- must be explicitly set to \"\" (empty string). \n Support:
- Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are two
- kinds of parent resources with \"Core\" support: \n * Gateway
- (Gateway conformance profile) * Service (Mesh conformance
- profile, experimental, ClusterIP Services only) \n Support
- for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent. When
- unspecified, this refers to the local namespace of the Route.
- \n Note that there are specific rules for ParentRefs which
- cross namespace boundaries. Cross-namespace references are
- only valid if they are explicitly allowed by something in
- the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides a
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service.
- \n ParentRefs from a Route to a Service in a different namespace
- are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same
- namespace as the Route, for which the intended destination
- of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets. It
- can be interpreted differently based on the type of parent
- resource. \n When the parent resource is a Gateway, this targets
- all listeners listening on the specified port that also support
- this kind of Route(and select this Route). It's not recommended
- to set `Port` unless the networking behaviors specified in
- a Route must apply to a specific port as opposed to a listener(s)
- whose port(s) may be changed. When both Port and SectionName
- are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
- is a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes can
- attach to them by Route kind, namespace, or hostname. If 1
- of 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway. \n
- Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within the
- target resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match both
- specified values. * Service: Port Name. When both Port (experimental)
- and SectionName are specified, the name and port of the selected
- listener must match both specified values. Note that attaching
- Routes to Services as Parents is part of experimental Mesh
- support and is not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this will
- reference the entire resource. For the purpose of status,
- an attachment is considered successful if at least one section
- in the parent resource accepts it. For example, Gateway listeners
- can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept
- attachment from the referencing Route, the Route MUST be considered
- successfully attached. If no Gateway listeners accept attachment
- from this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -4848,83 +6702,110 @@ spec:
- path:
type: PathPrefix
value: /
- description: Rules are a list of HTTP matchers, filters and actions.
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
items:
- description: HTTPRouteRule defines semantics for matching an HTTP
- request based on conditions (matches), processing it (filters),
- and forwarding the request to an API object (backendRefs).
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
properties:
backendRefs:
- description: "BackendRefs defines the backend(s) where matching
- requests should be sent. \n Failure behavior here depends
- on how many BackendRefs are specified and how many are invalid.
- \n If *all* entries in BackendRefs are invalid, and there
- are also no filters specified in this route rule, *all* traffic
- which matches this rule MUST receive a 500 status code. \n
- See the HTTPBackendRef definition for the rules about what
- makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef
- is invalid, 500 status codes MUST be returned for requests
- that would have otherwise been routed to an invalid backend.
- If multiple backends are specified, and some are invalid,
- the proportion of requests that would otherwise have been
- routed to an invalid backend MUST receive a 500 status code.
- \n For example, if two backends are specified with equal weights,
- and one is invalid, 50 percent of traffic must receive a 500.
- Implementations may choose how that 50 percent is determined.
- \n Support: Core for Kubernetes Service \n Support: Extended
- for Kubernetes ServiceImport \n Support: Implementation-specific
- for any other resource \n Support for weight: Core"
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
items:
- description: "HTTPBackendRef defines how a HTTPRoute forwards
- a HTTP request. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace to allow that
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details. \n
- \n When the BackendRef points to a Kubernetes Service, implementations
- SHOULD honor the appProtocol field if it is set for the
- target Service Port. \n Implementations supporting appProtocol
- SHOULD recognize the Kubernetes Standard Application Protocols
- defined in KEP-3726. \n If a Service appProtocol isn't specified,
- an implementation MAY infer the backend protocol through
- its own means. Implementations MAY infer the protocol from
- the Route type referring to the backend Service. \n If a
- Route is not able to send traffic to the backend using the
- specified protocol then the backend is considered invalid.
- Implementations MUST set the \"ResolvedRefs\" condition
- to \"False\" with the \"UnsupportedProtocol\" reason. \n
- "
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
properties:
filters:
- description: "Filters defined at this level should be
- executed if and only if the request is being forwarded
- to the backend defined here. \n Support: Implementation-specific
- (For broader support of filters, use the Filters field
- in HTTPRouteRule.)"
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
items:
- description: HTTPRouteFilter defines processing steps
- that must be completed during the request or response
- lifecycle. HTTPRouteFilters are meant as an extension
- point to express processing that may be done in Gateway
- implementations. Some examples include request or
- response modification, implementing authentication
- strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type
- of the filter.
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
- description: "ExtensionRef is an optional, implementation-specific
- extension to the \"filter\" behavior. For example,
- resource \"myroutefilter\" in group \"networking.example.net\").
- ExtensionRef MUST NOT be used for core and extended
- filters. \n This filter can be used multiple times
- within the same rule. \n Support: Implementation-specific"
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
properties:
group:
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API
- group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -4946,35 +6827,45 @@ spec:
- name
type: object
requestHeaderModifier:
- description: "RequestHeaderModifier defines a schema
- for a filter that modifies request headers. \n
- Support: Core"
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It
- appends to any existing values associated
- with the header name. \n Input: GET /foo HTTP/1.1
- my-header: foo \n Config: add: - name: \"my-header\"
- value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
- my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -4995,44 +6886,61 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from
- the HTTP request before the action. The value
- of Remove is a list of HTTP header names.
- Note that the header names are case-insensitive
- (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo
- my-header2: bar my-header3: baz \n Config:
- remove: [\"my-header1\", \"my-header3\"] \n
- Output: GET /foo HTTP/1.1 my-header2: bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with
- the given header (name, value) before the
- action. \n Input: GET /foo HTTP/1.1 my-header:
- foo \n Config: set: - name: \"my-header\"
- value: \"bar\" \n Output: GET /foo HTTP/1.1
- my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -5054,64 +6962,69 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: "RequestMirror defines a schema for
- a filter that mirrors requests. Requests are sent
- to the specified destination, but responses from
- that destination are ignored. \n This filter can
- be used multiple times within the same rule. Note
- that not all implementations will be able to support
- mirroring to multiple backends. \n Support: Extended"
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
properties:
backendRef:
- description: "BackendRef references a resource
- where mirrored requests are sent. \n Mirrored
- requests must be sent only to a single destination
- endpoint within this BackendRef, irrespective
- of how many endpoints are present within this
- BackendRef. \n If the referent cannot be found,
- this BackendRef is invalid and must be dropped
- from the Gateway. The controller must ensure
- the \"ResolvedRefs\" condition on the Route
- status is set to `status: False` and not configure
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
this backend in the underlying implementation.
- \n If there is a cross-namespace reference
- to an *existing* object that is not allowed
- by a ReferenceGrant, the controller must ensure
- the \"ResolvedRefs\" condition on the Route
- is set to `status: False`, with the \"RefNotPermitted\"
- reason and not configure this backend in the
- underlying implementation. \n In either error
- case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about
- the problem. \n Support: Extended for Kubernetes
- Service \n Support: Implementation-specific
- for any other resource"
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
properties:
group:
default: ""
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core
- API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource
- kind of the referent. For example \"Service\".
- \n Defaults to \"Service\" when not specified.
- \n ExternalName services can refer to
- CNAME DNS records that may live outside
- of the cluster and as such are difficult
- to reason about in terms of conformance.
- They also may not be safe to forward to
- (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName
- Services. \n Support: Core (Services with
- a type other than ExternalName) \n Support:
- Implementation-specific (Services with
- type ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -5122,29 +7035,27 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace
- of the backend. When unspecified, the
- local namespace is inferred. \n Note that
- when a namespace different than the local
- namespace is specified, a ReferenceGrant
- object is required in the referent namespace
- to allow that namespace's owner to accept
- the reference. See the ReferenceGrant
- documentation for details. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination
- port number to use for this resource.
- Port is required when the referent is
- a Kubernetes Service. In this case, the
- port number is the service port number,
- not the target port. For other resources,
- destination port might be derived from
- the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
@@ -5156,88 +7067,114 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind
== ''Service'') ? has(self.port) : true'
+ fraction:
+ description: |+
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal
+ to denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |+
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
required:
- backendRef
type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be
+ specified in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
requestRedirect:
- description: "RequestRedirect defines a schema for
- a filter that responds to the request with an
- HTTP redirection. \n Support: Core"
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
properties:
hostname:
- description: "Hostname is the hostname to be
- used in the value of the `Location` header
- in the response. When empty, the hostname
- in the `Host` header of the request is used.
- \n Support: Core"
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines parameters used to
- modify the path of the incoming request. The
- modified path is then used to construct the
- `Location` header. When empty, the request
- path is used as-is. \n Support: Extended"
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the
- value with which to replace the full path
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies
- the value with which to replace the prefix
- match of a request during a rewrite or
- redirect. For example, a request to \"/foo/bar\"
- with a prefix match of \"/foo\" and a
- ReplacePrefixMatch of \"/xyz\" would be
- modified to \"/xyz/bar\". \n Note that
- this matches the behavior of the PathPrefix
- match type. This matches full path elements.
- A path element refers to the list of labels
- in the path split by the `/` separator.
- When specified, a trailing `/` is ignored.
- For example, the paths `/abc`, `/abc/`,
- and `/abc/def` would all match the prefix
- `/abc`, but the path `/abcd` would not.
- \n ReplacePrefixMatch is only compatible
- with a `PathPrefix` HTTPRouteMatch. Using
- any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`. \n Request Path
- | Prefix Match | Replace Prefix | Modified
- Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo |
- /xyz/ | /xyz/bar /foo/bar |
- /foo/ | /xyz | /xyz/bar
- /foo/bar | /foo/ | /xyz/ |
- /xyz/bar /foo | /foo |
- /xyz | /xyz /foo/ | /foo
- \ | /xyz | /xyz/ /foo/bar
- \ | /foo | |
- /bar /foo/ | /foo | | / /foo | /foo |
- | / /foo/ | /foo
- \ | / | / /foo |
- /foo | / | /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path
- modifier. Additional types may be added
- in a future release of the API. \n Note
- that values may be added to this enum,
- implementations must ensure that unknown
- values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`, with a Reason
- of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -5263,95 +7200,111 @@ spec:
rule: 'has(self.replacePrefixMatch) ? self.type
== ''ReplacePrefixMatch'' : true'
port:
- description: "Port is the port to be used in
- the value of the `Location` header in the
- response. \n If no port is specified, the
- redirect port MUST be derived using the following
- rules: \n * If redirect scheme is not-empty,
- the redirect port MUST be the well-known port
- associated with the redirect scheme. Specifically
- \"http\" to port 80 and \"https\" to port
- 443. If the redirect scheme does not have
- a well-known port, the listener port of the
- Gateway SHOULD be used. * If redirect scheme
- is empty, the redirect port MUST be the Gateway
- Listener port. \n Implementations SHOULD NOT
- add the port number in the 'Location' header
- in the following cases: \n * A Location header
- that will use HTTP (whether that is determined
- via the Listener protocol or the Scheme field)
- _and_ use port 80. * A Location header that
- will use HTTPS (whether that is determined
- via the Listener protocol or the Scheme field)
- _and_ use port 443. \n Support: Extended"
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
- description: "Scheme is the scheme to be used
- in the value of the `Location` header in the
- response. When empty, the scheme of the request
- is used. \n Scheme redirects can affect the
- port of the redirect, for more information,
- refer to the documentation for the port field
- of this filter. \n Note that values may be
- added to this enum, implementations must ensure
- that unknown values will not cause a crash.
- \n Unknown values here must result in the
- implementation setting the Accepted Condition
- for the Route to `status: False`, with a Reason
- of `UnsupportedValue`. \n Support: Extended"
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
enum:
- http
- https
type: string
statusCode:
default: 302
- description: "StatusCode is the HTTP status
- code to be used in response. \n Note that
- values may be added to this enum, implementations
- must ensure that unknown values will not cause
- a crash. \n Unknown values here must result
- in the implementation setting the Accepted
- Condition for the Route to `status: False`,
- with a Reason of `UnsupportedValue`. \n Support:
- Core"
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
enum:
- 301
- 302
type: integer
type: object
responseHeaderModifier:
- description: "ResponseHeaderModifier defines a schema
- for a filter that modifies response headers. \n
- Support: Extended"
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It
- appends to any existing values associated
- with the header name. \n Input: GET /foo HTTP/1.1
- my-header: foo \n Config: add: - name: \"my-header\"
- value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
- my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -5372,44 +7325,61 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from
- the HTTP request before the action. The value
- of Remove is a list of HTTP header names.
- Note that the header names are case-insensitive
- (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo
- my-header2: bar my-header3: baz \n Config:
- remove: [\"my-header1\", \"my-header3\"] \n
- Output: GET /foo HTTP/1.1 my-header2: bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with
- the given header (name, value) before the
- action. \n Input: GET /foo HTTP/1.1 my-header:
- foo \n Config: set: - name: \"my-header\"
- value: \"bar\" \n Output: GET /foo HTTP/1.1
- my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -5431,37 +7401,39 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: "Type identifies the type of filter
- to apply. As with other API fields, types are
- classified into three conformance levels: \n -
- Core: Filter types and their corresponding configuration
- defined by \"Support: Core\" in this package,
- e.g. \"RequestHeaderModifier\". All implementations
- must support core filters. \n - Extended: Filter
- types and their corresponding configuration defined
- by \"Support: Extended\" in this package, e.g.
- \"RequestMirror\". Implementers are encouraged
- to support extended filters. \n - Implementation-specific:
- Filters that are defined and supported by specific
- vendors. In the future, filters showing convergence
- in behavior across multiple implementations will
- be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration
- for such filters is specified using the ExtensionRef
- field. `Type` should be set to \"ExtensionRef\"
- for custom filters. \n Implementers are encouraged
- to define custom implementation types to extend
- the core API with implementation-specific behavior.
- \n If a reference to a custom filter type cannot
- be resolved, the filter MUST NOT be skipped. Instead,
- requests that would have been processed by that
- filter MUST receive a HTTP error response. \n
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause
- a crash. \n Unknown values here must result in
- the implementation setting the Accepted Condition
- for the Route to `status: False`, with a Reason
- of `UnsupportedValue`."
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- RequestHeaderModifier
- ResponseHeaderModifier
@@ -5471,79 +7443,64 @@ spec:
- ExtensionRef
type: string
urlRewrite:
- description: "URLRewrite defines a schema for a
- filter that modifies a request during forwarding.
- \n Support: Extended"
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
properties:
hostname:
- description: "Hostname is the value to be used
- to replace the Host header value during forwarding.
- \n Support: Extended"
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines a path rewrite. \n
- Support: Extended"
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the
- value with which to replace the full path
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies
- the value with which to replace the prefix
- match of a request during a rewrite or
- redirect. For example, a request to \"/foo/bar\"
- with a prefix match of \"/foo\" and a
- ReplacePrefixMatch of \"/xyz\" would be
- modified to \"/xyz/bar\". \n Note that
- this matches the behavior of the PathPrefix
- match type. This matches full path elements.
- A path element refers to the list of labels
- in the path split by the `/` separator.
- When specified, a trailing `/` is ignored.
- For example, the paths `/abc`, `/abc/`,
- and `/abc/def` would all match the prefix
- `/abc`, but the path `/abcd` would not.
- \n ReplacePrefixMatch is only compatible
- with a `PathPrefix` HTTPRouteMatch. Using
- any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`. \n Request Path
- | Prefix Match | Replace Prefix | Modified
- Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo |
- /xyz/ | /xyz/bar /foo/bar |
- /foo/ | /xyz | /xyz/bar
- /foo/bar | /foo/ | /xyz/ |
- /xyz/bar /foo | /foo |
- /xyz | /xyz /foo/ | /foo
- \ | /xyz | /xyz/ /foo/bar
- \ | /foo | |
- /bar /foo/ | /foo | | / /foo | /foo |
- | / /foo/ | /foo
- \ | / | / /foo |
- /foo | / | /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path
- modifier. Additional types may be added
- in a future release of the API. \n Note
- that values may be added to this enum,
- implementations must ensure that unknown
- values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`, with a Reason
- of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -5641,25 +7598,29 @@ spec:
<= 1
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -5670,43 +7631,47 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
- description: "Weight specifies the proportion of requests
- forwarded to the referenced backend. This is computed
- as weight/(sum of all weights in this BackendRefs list).
- For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision
- an implementation supports. Weight is not a percentage
- and the sum of weights does not need to equal 100. \n
- If only one backend is specified and it has a weight
- greater than 0, 100% of the traffic is forwarded to
- that backend. If weight is set to 0, no traffic should
- be forwarded for this entry. If unspecified, weight
- defaults to 1. \n Support for this field varies based
- on the context where used."
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
format: int32
maximum: 1000000
minimum: 0
@@ -5721,46 +7686,67 @@ spec:
maxItems: 16
type: array
filters:
- description: "Filters define the filters that are applied to
- requests that match this rule. \n The effects of ordering
- of multiple behaviors are currently unspecified. This can
- change in the future based on feedback during the alpha stage.
- \n Conformance-levels at this level are defined based on the
- type of filter: \n - ALL core filters MUST be supported by
- all implementations. - Implementers are encouraged to support
- extended filters. - Implementation-specific custom filters
- have no API guarantees across implementations. \n Specifying
- the same filter multiple times is not supported unless explicitly
- indicated in the filter. \n All filters are expected to be
- compatible with each other except for the URLRewrite and RequestRedirect
- filters, which may not be combined. If an implementation can
- not support other combinations of filters, they must clearly
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
document that limitation. In cases where incompatible or unsupported
- filters are specified and cause the `Accepted` condition to
- be set to status `False`, implementations may use the `IncompatibleFilters`
- reason to specify this configuration error. \n Support: Core"
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
items:
- description: HTTPRouteFilter defines processing steps that
- must be completed during the request or response lifecycle.
- HTTPRouteFilters are meant as an extension point to express
- processing that may be done in Gateway implementations.
- Some examples include request or response modification,
- implementing authentication strategies, rate-limiting, and
- traffic shaping. API guarantee/conformance is defined based
- on the type of the filter.
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
- description: "ExtensionRef is an optional, implementation-specific
- extension to the \"filter\" behavior. For example,
- resource \"myroutefilter\" in group \"networking.example.net\").
- ExtensionRef MUST NOT be used for core and extended
- filters. \n This filter can be used multiple times within
- the same rule. \n Support: Implementation-specific"
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
properties:
group:
- description: Group is the group of the referent. For
- example, "gateway.networking.k8s.io". When unspecified
- or empty string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -5782,32 +7768,44 @@ spec:
- name
type: object
requestHeaderModifier:
- description: "RequestHeaderModifier defines a schema for
- a filter that modifies request headers. \n Support:
- Core"
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It appends
- to any existing values associated with the header
- name. \n Input: GET /foo HTTP/1.1 my-header: foo
- \n Config: add: - name: \"my-header\" value: \"bar,baz\"
- \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -5828,40 +7826,60 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from the
- HTTP request before the action. The value of Remove
- is a list of HTTP header names. Note that the header
- names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
- bar my-header3: baz \n Config: remove: [\"my-header1\",
- \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
- bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with the
- given header (name, value) before the action. \n
- Input: GET /foo HTTP/1.1 my-header: foo \n Config:
- set: - name: \"my-header\" value: \"bar\" \n Output:
- GET /foo HTTP/1.1 my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -5883,60 +7901,69 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: "RequestMirror defines a schema for a filter
- that mirrors requests. Requests are sent to the specified
- destination, but responses from that destination are
- ignored. \n This filter can be used multiple times within
- the same rule. Note that not all implementations will
- be able to support mirroring to multiple backends. \n
- Support: Extended"
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
properties:
backendRef:
- description: "BackendRef references a resource where
- mirrored requests are sent. \n Mirrored requests
- must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many
- endpoints are present within this BackendRef. \n
- If the referent cannot be found, this BackendRef
- is invalid and must be dropped from the Gateway.
- The controller must ensure the \"ResolvedRefs\"
- condition on the Route status is set to `status:
- False` and not configure this backend in the underlying
- implementation. \n If there is a cross-namespace
- reference to an *existing* object that is not allowed
- by a ReferenceGrant, the controller must ensure
- the \"ResolvedRefs\" condition on the Route is
- set to `status: False`, with the \"RefNotPermitted\"
- reason and not configure this backend in the underlying
- implementation. \n In either error case, the Message
- of the `ResolvedRefs` Condition should be used to
- provide more detail about the problem. \n Support:
- Extended for Kubernetes Service \n Support: Implementation-specific
- for any other resource"
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
properties:
group:
default: ""
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io". When
- unspecified or empty string, core API group
- is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource
- kind of the referent. For example \"Service\".
- \n Defaults to \"Service\" when not specified.
- \n ExternalName services can refer to CNAME
- DNS records that may live outside of the cluster
- and as such are difficult to reason about in
- terms of conformance. They also may not be safe
- to forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName
- Services. \n Support: Core (Services with a
- type other than ExternalName) \n Support: Implementation-specific
- (Services with type ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -5947,25 +7974,26 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the
- backend. When unspecified, the local namespace
- is inferred. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace
- to allow that namespace's owner to accept the
- reference. See the ReferenceGrant documentation
- for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port
- number to use for this resource. Port is required
- when the referent is a Kubernetes Service. In
- this case, the port number is the service port
- number, not the target port. For other resources,
- destination port might be derived from the referent
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
@@ -5978,81 +8006,114 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
+ fraction:
+ description: |+
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to
+ denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |+
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
required:
- backendRef
type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be specified
+ in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
requestRedirect:
- description: "RequestRedirect defines a schema for a filter
- that responds to the request with an HTTP redirection.
- \n Support: Core"
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
properties:
hostname:
- description: "Hostname is the hostname to be used
- in the value of the `Location` header in the response.
- When empty, the hostname in the `Host` header of
- the request is used. \n Support: Core"
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines parameters used to modify
- the path of the incoming request. The modified path
- is then used to construct the `Location` header.
- When empty, the request path is used as-is. \n Support:
- Extended"
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the value
- with which to replace the full path of a request
- during a rewrite or redirect.
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies the
- value with which to replace the prefix match
- of a request during a rewrite or redirect. For
- example, a request to \"/foo/bar\" with a prefix
- match of \"/foo\" and a ReplacePrefixMatch of
- \"/xyz\" would be modified to \"/xyz/bar\".
- \n Note that this matches the behavior of the
- PathPrefix match type. This matches full path
- elements. A path element refers to the list
- of labels in the path split by the `/` separator.
- When specified, a trailing `/` is ignored. For
- example, the paths `/abc`, `/abc/`, and `/abc/def`
- would all match the prefix `/abc`, but the path
- `/abcd` would not. \n ReplacePrefixMatch is
- only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`. \n Request Path | Prefix
- Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo | /xyz/
- \ | /xyz/bar /foo/bar | /foo/ |
- /xyz | /xyz/bar /foo/bar | /foo/
- \ | /xyz/ | /xyz/bar /foo |
- /foo | /xyz | /xyz /foo/ |
- /foo | /xyz | /xyz/ /foo/bar
- \ | /foo | | /bar
- /foo/ | /foo |
- | / /foo | /foo |
- | / /foo/ | /foo | / |
- / /foo | /foo | / |
- /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path modifier.
- Additional types may be added in a future release
- of the API. \n Note that values may be added
- to this enum, implementations must ensure that
- unknown values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`, with a Reason of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -6078,88 +8139,110 @@ spec:
rule: 'has(self.replacePrefixMatch) ? self.type
== ''ReplacePrefixMatch'' : true'
port:
- description: "Port is the port to be used in the value
- of the `Location` header in the response. \n If
- no port is specified, the redirect port MUST be
- derived using the following rules: \n * If redirect
- scheme is not-empty, the redirect port MUST be the
- well-known port associated with the redirect scheme.
- Specifically \"http\" to port 80 and \"https\" to
- port 443. If the redirect scheme does not have a
- well-known port, the listener port of the Gateway
- SHOULD be used. * If redirect scheme is empty, the
- redirect port MUST be the Gateway Listener port.
- \n Implementations SHOULD NOT add the port number
- in the 'Location' header in the following cases:
- \n * A Location header that will use HTTP (whether
- that is determined via the Listener protocol or
- the Scheme field) _and_ use port 80. * A Location
- header that will use HTTPS (whether that is determined
- via the Listener protocol or the Scheme field) _and_
- use port 443. \n Support: Extended"
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
- description: "Scheme is the scheme to be used in the
- value of the `Location` header in the response.
- When empty, the scheme of the request is used. \n
- Scheme redirects can affect the port of the redirect,
- for more information, refer to the documentation
- for the port field of this filter. \n Note that
- values may be added to this enum, implementations
- must ensure that unknown values will not cause a
- crash. \n Unknown values here must result in the
- implementation setting the Accepted Condition for
- the Route to `status: False`, with a Reason of `UnsupportedValue`.
- \n Support: Extended"
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
enum:
- http
- https
type: string
statusCode:
default: 302
- description: "StatusCode is the HTTP status code to
- be used in response. \n Note that values may be
- added to this enum, implementations must ensure
- that unknown values will not cause a crash. \n Unknown
- values here must result in the implementation setting
- the Accepted Condition for the Route to `status:
- False`, with a Reason of `UnsupportedValue`. \n
- Support: Core"
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
enum:
- 301
- 302
type: integer
type: object
responseHeaderModifier:
- description: "ResponseHeaderModifier defines a schema
- for a filter that modifies response headers. \n Support:
- Extended"
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It appends
- to any existing values associated with the header
- name. \n Input: GET /foo HTTP/1.1 my-header: foo
- \n Config: add: - name: \"my-header\" value: \"bar,baz\"
- \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -6180,40 +8263,60 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from the
- HTTP request before the action. The value of Remove
- is a list of HTTP header names. Note that the header
- names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
- bar my-header3: baz \n Config: remove: [\"my-header1\",
- \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
- bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with the
- given header (name, value) before the action. \n
- Input: GET /foo HTTP/1.1 my-header: foo \n Config:
- set: - name: \"my-header\" value: \"bar\" \n Output:
- GET /foo HTTP/1.1 my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -6235,33 +8338,39 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: "Type identifies the type of filter to apply.
- As with other API fields, types are classified into
- three conformance levels: \n - Core: Filter types and
- their corresponding configuration defined by \"Support:
- Core\" in this package, e.g. \"RequestHeaderModifier\".
- All implementations must support core filters. \n -
- Extended: Filter types and their corresponding configuration
- defined by \"Support: Extended\" in this package, e.g.
- \"RequestMirror\". Implementers are encouraged to support
- extended filters. \n - Implementation-specific: Filters
- that are defined and supported by specific vendors.
- In the future, filters showing convergence in behavior
- across multiple implementations will be considered for
- inclusion in extended or core conformance levels. Filter-specific
- configuration for such filters is specified using the
- ExtensionRef field. `Type` should be set to \"ExtensionRef\"
- for custom filters. \n Implementers are encouraged to
- define custom implementation types to extend the core
- API with implementation-specific behavior. \n If a reference
- to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have
- been processed by that filter MUST receive a HTTP error
- response. \n Note that values may be added to this enum,
- implementations must ensure that unknown values will
- not cause a crash. \n Unknown values here must result
- in the implementation setting the Accepted Condition
- for the Route to `status: False`, with a Reason of `UnsupportedValue`."
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- RequestHeaderModifier
- ResponseHeaderModifier
@@ -6271,73 +8380,64 @@ spec:
- ExtensionRef
type: string
urlRewrite:
- description: "URLRewrite defines a schema for a filter
- that modifies a request during forwarding. \n Support:
- Extended"
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
properties:
hostname:
- description: "Hostname is the value to be used to
- replace the Host header value during forwarding.
- \n Support: Extended"
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines a path rewrite. \n Support:
- Extended"
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the value
- with which to replace the full path of a request
- during a rewrite or redirect.
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies the
- value with which to replace the prefix match
- of a request during a rewrite or redirect. For
- example, a request to \"/foo/bar\" with a prefix
- match of \"/foo\" and a ReplacePrefixMatch of
- \"/xyz\" would be modified to \"/xyz/bar\".
- \n Note that this matches the behavior of the
- PathPrefix match type. This matches full path
- elements. A path element refers to the list
- of labels in the path split by the `/` separator.
- When specified, a trailing `/` is ignored. For
- example, the paths `/abc`, `/abc/`, and `/abc/def`
- would all match the prefix `/abc`, but the path
- `/abcd` would not. \n ReplacePrefixMatch is
- only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`. \n Request Path | Prefix
- Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo | /xyz/
- \ | /xyz/bar /foo/bar | /foo/ |
- /xyz | /xyz/bar /foo/bar | /foo/
- \ | /xyz/ | /xyz/bar /foo |
- /foo | /xyz | /xyz /foo/ |
- /foo | /xyz | /xyz/ /foo/bar
- \ | /foo | | /bar
- /foo/ | /foo |
- | / /foo | /foo |
- | / /foo/ | /foo | / |
- / /foo | /foo | / |
- /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path modifier.
- Additional types may be added in a future release
- of the API. \n Note that values may be added
- to this enum, implementations must ensure that
- unknown values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`, with a Reason of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -6430,86 +8530,116 @@ spec:
- path:
type: PathPrefix
value: /
- description: "Matches define conditions used for matching the
- rule against incoming HTTP requests. Each match is independent,
- i.e. this rule will be matched if **any** one of the matches
- is satisfied. \n For example, take the following matches configuration:
- \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\"
- value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request
- to match against this rule, a request must satisfy EITHER
- of the two conditions: \n - path prefixed with `/foo` AND
- contains the header `version: v2` - path prefix of `/v2/foo`
- \n See the documentation for HTTPRouteMatch on how to specify
- multiple match conditions that should be ANDed together. \n
- If no matches are specified, the default is a prefix path
- match on \"/\", which has the effect of matching every HTTP
- request. \n Proxy or Load Balancer routing configuration generated
- from HTTPRoutes MUST prioritize matches based on the following
- criteria, continuing on ties. Across all rules specified on
- applicable Routes, precedence must be given to the match having:
- \n * \"Exact\" path match. * \"Prefix\" path match with largest
- number of characters. * Method match. * Largest number of
- header matches. * Largest number of query param matches. \n
- Note: The precedence of RegularExpression path matches are
- implementation-specific. \n If ties still exist across multiple
- Routes, matching precedence MUST be determined in order of
- the following criteria, continuing on ties: \n * The oldest
- Route based on creation timestamp. * The Route appearing first
- in alphabetical order by \"{namespace}/{name}\". \n If ties
- still exist within an HTTPRoute, matching precedence MUST
- be granted to the FIRST matching rule (in list order) with
- a match meeting the above criteria. \n When no rules matching
- a request have been successfully attached to the parent a
- request is coming from, a HTTP 404 status code MUST be returned."
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
items:
description: "HTTPRouteMatch defines the predicate used to
- match requests to a given action. Multiple match types are
- ANDed together, i.e. the match will evaluate to true only
- if all conditions are satisfied. \n For example, the match
- below will match a HTTP request only if its path starts
- with `/foo` AND it contains the `version: v1` header: \n
- ``` match: \n path: value: \"/foo\" headers: - name: \"version\"
- value \"v1\" \n ```"
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
properties:
headers:
- description: Headers specifies HTTP request header matchers.
- Multiple match values are ANDed together, meaning, a
- request must match all the specified headers to select
- the route.
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
items:
- description: HTTPHeaderMatch describes how to select
- a HTTP route by matching HTTP request headers.
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case insensitive.
- (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent header
- names, only the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST be
- ignored. Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered equivalent.
- \n When a header is repeated in an HTTP request,
- it is implementation-specific behavior as to how
- this is represented. Generally, proxies should
- follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2
- regarding processing a repeated header, with special
- handling for \"Set-Cookie\"."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
- description: "Type specifies how to match against
- the value of the header. \n Support: Core (Exact)
- \n Support: Implementation-specific (RegularExpression)
- \n Since RegularExpression HeaderMatchType has
- implementation-specific conformance, implementations
- can support POSIX, PCRE or any other dialects
- of regular expressions. Please read the implementation's
- documentation to determine the supported dialect."
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
enum:
- Exact
- RegularExpression
@@ -6530,9 +8660,12 @@ spec:
- name
x-kubernetes-list-type: map
method:
- description: "Method specifies HTTP method matcher. When
- specified, this route will be matched only if the request
- has the specified method. \n Support: Extended"
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
enum:
- GET
- HEAD
@@ -6548,15 +8681,18 @@ spec:
default:
type: PathPrefix
value: /
- description: Path specifies a HTTP request path matcher.
- If this field is not specified, a default prefix match
- on the "/" path is provided.
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
properties:
type:
default: PathPrefix
- description: "Type specifies how to match against
- the path Value. \n Support: Core (Exact, PathPrefix)
- \n Support: Implementation-specific (RegularExpression)"
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
enum:
- Exact
- PathPrefix
@@ -6615,48 +8751,53 @@ spec:
rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
: true'
queryParams:
- description: "QueryParams specifies HTTP query parameter
- matchers. Multiple match values are ANDed together,
- meaning, a request must match all the specified query
- parameters to select the route. \n Support: Extended"
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
items:
- description: HTTPQueryParamMatch describes how to select
- a HTTP route by matching HTTP query parameters.
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
properties:
name:
- description: "Name is the name of the HTTP query
- param to be matched. This must be an exact string
- match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
- \n If multiple entries specify equivalent query
- param names, only the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent query param name MUST
- be ignored. \n If a query param is repeated in
- an HTTP request, the behavior is purposely left
- undefined, since different data planes have different
- capabilities. However, it is *recommended* that
- implementations should match against the first
- value of the param if the data plane supports
- it, as this behavior is expected in other load
- balancing contexts outside of the Gateway API.
- \n Users SHOULD NOT route traffic based on repeated
- query params to guard themselves against potential
- differences in the implementations."
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
- description: "Type specifies how to match against
- the value of the query parameter. \n Support:
- Extended (Exact) \n Support: Implementation-specific
- (RegularExpression) \n Since RegularExpression
- QueryParamMatchType has Implementation-specific
- conformance, implementations can support POSIX,
- PCRE or any other dialects of regular expressions.
- Please read the implementation's documentation
- to determine the supported dialect."
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
enum:
- Exact
- RegularExpression
@@ -6677,41 +8818,248 @@ spec:
- name
x-kubernetes-list-type: map
type: object
- maxItems: 8
+ maxItems: 64
type: array
+ name:
+ description: |
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ retry:
+ description: |+
+ Retry defines the configuration for when to retry an HTTP request.
+
+ Support: Extended
+
+ properties:
+ attempts:
+ description: |-
+ Attempts specifies the maxmimum number of times an individual request
+ from the gateway to a backend should be retried.
+
+ If the maximum number of retries has been attempted without a successful
+ response from the backend, the Gateway MUST return an error.
+
+ When this field is unspecified, the number of times to attempt to retry
+ a backend request is implementation-specific.
+
+ Support: Extended
+ type: integer
+ backoff:
+ description: |-
+ Backoff specifies the minimum duration a Gateway should wait between
+ retry attempts and is represented in Gateway API Duration formatting.
+
+ For example, setting the `rules[].retry.backoff` field to the value
+ `100ms` will cause a backend request to first be retried approximately
+ 100 milliseconds after timing out or receiving a response code configured
+ to be retryable.
+
+ An implementation MAY use an exponential or alternative backoff strategy
+ for subsequent retry attempts, MAY cap the maximum backoff duration to
+ some amount greater than the specified minimum, and MAY add arbitrary
+ jitter to stagger requests, as long as unsuccessful backend requests are
+ not retried before the configured minimum duration.
+
+ If a Request timeout (`rules[].timeouts.request`) is configured on the
+ route, the entire duration of the initial request and any retry attempts
+ MUST not exceed the Request timeout duration. If any retry attempts are
+ still in progress when the Request timeout duration has been reached,
+ these SHOULD be canceled if possible and the Gateway MUST immediately
+ return a timeout error.
+
+ If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+ configured on the route, any retry attempts which reach the configured
+ BackendRequest timeout duration without a response SHOULD be canceled if
+ possible and the Gateway should wait for at least the specified backoff
+ duration before attempting to retry the backend request again.
+
+ If a BackendRequest timeout is _not_ configured on the route, retry
+ attempts MAY time out after an implementation default duration, or MAY
+ remain pending until a configured Request timeout or implementation
+ default duration for total request time is reached.
+
+ When this field is unspecified, the time to wait between retry attempts
+ is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ codes:
+ description: |-
+ Codes defines the HTTP response status codes for which a backend request
+ should be retried.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPRouteRetryStatusCode defines an HTTP response status code for
+ which a backend request should be retried.
+
+ Implementations MUST support the following status codes as retryable:
+
+ * 500
+ * 502
+ * 503
+ * 504
+
+ Implementations MAY support specifying additional discrete values in the
+ 500-599 range.
+
+ Implementations MAY support specifying discrete values in the 400-499 range,
+ which are often inadvisable to retry.
+
+
+ maximum: 599
+ minimum: 400
+ type: integer
+ type: array
+ type: object
+ sessionPersistence:
+ description: |+
+ SessionPersistence defines and configures session persistence
+ for the route rule.
+
+ Support: Extended
+
+ properties:
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
+
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
+
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
+
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
+
+ Support: Core for "Session" type
+
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
+
+ Support: Implementation-specific
+ maxLength: 128
+ type: string
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
+
+ Support: Core for "Cookie" type
+
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
timeouts:
- description: "Timeouts defines the timeouts that can be configured
- for an HTTP request. \n Support: Extended \n "
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
properties:
backendRequest:
- description: "BackendRequest specifies a timeout for an
- individual request from the gateway to a backend. This
- covers the time from when the request first starts being
- sent from the gateway to when the full response has been
- received from the backend. \n An entire client HTTP transaction
- with a gateway, covered by the Request timeout, may result
- in more than one call from the gateway to the destination
- backend, for example, if automatic retries are supported.
- \n Because the Request timeout encompasses the BackendRequest
- timeout, the value of BackendRequest must be <= the value
- of Request timeout. \n Support: Extended"
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
request:
- description: "Request specifies the maximum duration for
- a gateway to respond to an HTTP request. If the gateway
- has not been able to respond before this deadline is met,
- the gateway MUST return a timeout error. \n For example,
- setting the `rules.timeouts.request` field to the value
- `10s` in an `HTTPRoute` will cause a timeout if a client
- request is taking longer than 10 seconds to complete.
- \n This timeout is intended to cover as close to the whole
- request-response transaction as possible although an implementation
- MAY choose to start the timeout after the entire request
- stream has been received instead of immediately after
- the transaction is initiated by the client. \n When this
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
field is unspecified, request timeout behavior is implementation-specific.
- \n Support: Extended"
+
+ Support: Extended
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
@@ -6764,86 +9112,101 @@ spec:
!= ''PathPrefix'') ? false : true) : true'
maxItems: 16
type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
type: object
status:
description: Status defines the current state of HTTPRoute.
properties:
parents:
- description: "Parents is a list of parent resources (usually Gateways)
- that are associated with the route, and the status of the route
- with respect to each parent. When this route attaches to a parent,
- the controller that manages the parent must add an entry to this
- list when the controller first sees the route and should update
- the entry as appropriate when the route or gateway is modified.
- \n Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this
- API can only populate Route status for the Gateways/parent resources
- they are responsible for. \n A maximum of 32 Gateways will be represented
- in this list. An empty list means the route has not been attached
- to any Gateway."
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
items:
- description: RouteParentStatus describes the status of a route with
- respect to an associated Parent.
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
properties:
conditions:
- description: "Conditions describes the status of the route with
- respect to the Gateway. Note that the route's availability
- is also subject to the Gateway's own status conditions and
- listener status. \n If the Route's ParentRef specifies an
- existing Gateway that supports Routes of this kind AND that
- Gateway's controller has sufficient access, then that Gateway's
- controller MUST set the \"Accepted\" condition on the Route,
- to indicate whether the route has been accepted or rejected
- by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
- if at least one of the Route's rules is implemented by the
- Gateway. \n There are a number of cases where the \"Accepted\"
- condition may not be set due to lack of controller visibility,
- that includes when: \n * The Route refers to a non-existent
- parent. * The Route is of a type that the controller does
- not support. * The Route is in a namespace the controller
- does not have access to."
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -6858,11 +9221,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -6880,131 +9238,154 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
- description: ParentRef corresponds with a ParentRef in the spec
- that this RouteParentStatus struct describes the status of.
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
- the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any
- namespace to the Service. \n ParentRefs from a Route to
- a Service in a different namespace are \"consumer\" routes,
- and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for
- which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n When the parent resource is
- a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are
- specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
- to support other parent resources. Implementations supporting
- other types of parent resources MUST clearly document
- how/if Port is interpreted. \n For the purpose of status,
- an attachment is considered successful as long as the
- parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them
- by Route kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing Route,
- the Route MUST be considered successfully attached. If
- no Gateway listeners accept attachment from this Route,
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
- \n Support: Extended \n "
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -7025,7 +9406,7 @@ spec:
- spec
type: object
served: true
- storage: false
+ storage: true
subresources:
status: {}
- additionalPrinterColumns:
@@ -7038,20 +9419,26 @@ spec:
name: v1beta1
schema:
openAPIV3Schema:
- description: HTTPRoute provides a way to route HTTP requests. This includes
- the capability to match requests by hostname, path, header, or query param.
- Filters can be used to specify additional processing steps. Backends specify
- where matching requests should be routed.
+ description: |-
+ HTTPRoute provides a way to route HTTP requests. This includes the capability
+ to match requests by hostname, path, header, or query param. Filters can be
+ used to specify additional processing steps. Backends specify where matching
+ requests should be routed.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -7059,57 +9446,76 @@ spec:
description: Spec defines the desired state of HTTPRoute.
properties:
hostnames:
- description: "Hostnames defines a set of hostnames that should match
- against the HTTP Host header to select a HTTPRoute used to process
- the request. Implementations MUST ignore any port value specified
- in the HTTP Host header while performing a match and (absent of
- any applicable header modification configuration) MUST forward this
- header unmodified to the backend. \n Valid values for Hostnames
- are determined by RFC 1123 definition of a hostname with 2 notable
- exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed
- with a wildcard label (`*.`). The wildcard label must appear by
- itself as the first label. \n If a hostname is specified by both
- the Listener and HTTPRoute, there must be at least one intersecting
- hostname for the HTTPRoute to be attached to the Listener. For example:
- \n * A Listener with `test.example.com` as the hostname matches
- HTTPRoutes that have either not specified any hostnames, or have
- specified at least one of `test.example.com` or `*.example.com`.
+ description: |-
+ Hostnames defines a set of hostnames that should match against the HTTP Host
+ header to select a HTTPRoute used to process the request. Implementations
+ MUST ignore any port value specified in the HTTP Host header while
+ performing a match and (absent of any applicable header modification
+ configuration) MUST forward this header unmodified to the backend.
+
+ Valid values for Hostnames are determined by RFC 1123 definition of a
+ hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and HTTPRoute, there
+ must be at least one intersecting hostname for the HTTPRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches HTTPRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
* A Listener with `*.example.com` as the hostname matches HTTPRoutes
- that have either not specified any hostnames or have specified at
- least one hostname that matches the Listener hostname. For example,
- `*.example.com`, `test.example.com`, and `foo.test.example.com`
- would all match. On the other hand, `example.com` and `test.example.net`
- would not match. \n Hostnames that are prefixed with a wildcard
- label (`*.`) are interpreted as a suffix match. That means that
- a match for `*.example.com` would match both `test.example.com`,
- and `foo.test.example.com`, but not `example.com`. \n If both the
- Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames
- that do not match the Listener hostname MUST be ignored. For example,
- if a Listener specified `*.example.com`, and the HTTPRoute specified
- `test.example.com` and `test.example.net`, `test.example.net` must
- not be considered for a match. \n If both the Listener and HTTPRoute
- have specified hostnames, and none match with the criteria above,
- then the HTTPRoute is not accepted. The implementation must raise
- an 'Accepted' Condition with a status of `False` in the corresponding
- RouteParentStatus. \n In the event that multiple HTTPRoutes specify
- intersecting hostnames (e.g. overlapping wildcard matching and exact
- matching hostnames), precedence must be given to rules from the
- HTTPRoute with the largest number of: \n * Characters in a matching
- non-wildcard hostname. * Characters in a matching hostname. \n If
- ties exist across multiple Routes, the matching precedence rules
- for HTTPRouteMatches takes over. \n Support: Core"
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `*.example.com`, `test.example.com`, and `foo.test.example.com` would
+ all match. On the other hand, `example.com` and `test.example.net` would
+ not match.
+
+ Hostnames that are prefixed with a wildcard label (`*.`) are interpreted
+ as a suffix match. That means that a match for `*.example.com` would match
+ both `test.example.com`, and `foo.test.example.com`, but not `example.com`.
+
+ If both the Listener and HTTPRoute have specified hostnames, any
+ HTTPRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ HTTPRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and HTTPRoute have specified hostnames, and none
+ match with the criteria above, then the HTTPRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ In the event that multiple HTTPRoutes specify intersecting hostnames (e.g.
+ overlapping wildcard matching and exact matching hostnames), precedence must
+ be given to rules from the HTTPRoute with the largest number of:
+
+ * Characters in a matching non-wildcard hostname.
+ * Characters in a matching hostname.
+
+ If ties exist across multiple Routes, the matching precedence rules for
+ HTTPRouteMatches takes over.
+
+ Support: Core
items:
- description: "Hostname is the fully qualified domain name of a network
- host. This matches the RFC 1123 definition of a hostname with
- 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
- may be prefixed with a wildcard label (`*.`). The wildcard label
- must appear by itself as the first label. \n Hostname can be \"precise\"
- which is a domain name without the terminating dot of a network
- host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
- name prefixed with a single wildcard label (e.g. `*.example.com`).
- \n Note that as per RFC1035 and RFC1123, a *label* must consist
- of lower case alphanumeric characters or '-', and must start and
- end with an alphanumeric character. No other punctuation is allowed."
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -7117,165 +9523,213 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: "ParentRefs references the resources (usually Gateways)
- that a Route wants to be attached to. Note that the referenced parent
- resource needs to allow this for the attachment to be complete.
- For Gateways, that means the Gateway needs to allow attachment from
- Routes of this kind and namespace. For Services, that means the
- Service must either be in the same namespace for a \"producer\"
- route, or the mesh implementation must support and allow \"consumer\"
- routes for the referenced Service. ReferenceGrant is not applicable
- for governing ParentRefs to Services - it is not possible to create
- a \"producer\" route for a Service in a different namespace from
- the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) This
- API may be extended in the future to support additional kinds of
- parent resources. \n ParentRefs must be _distinct_. This means either
- that: \n * They select different objects. If this is the case,
- then parentRef entries are distinct. In terms of fields, this means
- that the multi-part key defined by `group`, `kind`, `namespace`,
- and `name` must be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field
- used, each ParentRef that selects the same object must set the same
- set of optional fields to different values. If one ParentRef sets
- a combination of optional fields, all must set the same combination.
- \n Some examples: \n * If one ParentRef sets `sectionName`, all
- ParentRefs referencing the same object must also set `sectionName`.
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`. * If one ParentRef sets `sectionName`
- and `port`, all ParentRefs referencing the same object must also
- set `sectionName` and `port`. \n It is possible to separately reference
- multiple distinct objects that may be collapsed by an implementation.
- For example, some implementations may choose to merge compatible
- Gateway Listeners together. If that is the case, the list of routes
- attached to those resources should also be merged. \n Note that
- for ParentRefs that cross namespace boundaries, there are specific
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For
- example, Gateway has the AllowedRoutes field, and ReferenceGrant
- provides a generic way to enable other kinds of cross-namespace
- reference. \n ParentRefs from a Route to a Service in the same
- namespace are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for which the
- intended destination of the connections are a Service targeted as
- a ParentRef of the Route. \n "
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+
+
items:
- description: "ParentReference identifies an API object (usually
- a Gateway) that can be considered a parent of this resource (usually
- a route). There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service
- (Mesh conformance profile, experimental, ClusterIP Services only)
- \n This API may be extended in the future to support additional
- kinds of parent resources. \n The API object must be valid in
- the cluster; the Group and Kind must be registered in the cluster
- for this reference to be valid."
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the core
- API group (such as for a \"Service\" kind referent), Group
- must be explicitly set to \"\" (empty string). \n Support:
- Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are two
- kinds of parent resources with \"Core\" support: \n * Gateway
- (Gateway conformance profile) * Service (Mesh conformance
- profile, experimental, ClusterIP Services only) \n Support
- for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent. When
- unspecified, this refers to the local namespace of the Route.
- \n Note that there are specific rules for ParentRefs which
- cross namespace boundaries. Cross-namespace references are
- only valid if they are explicitly allowed by something in
- the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides a
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service.
- \n ParentRefs from a Route to a Service in a different namespace
- are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same
- namespace as the Route, for which the intended destination
- of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets. It
- can be interpreted differently based on the type of parent
- resource. \n When the parent resource is a Gateway, this targets
- all listeners listening on the specified port that also support
- this kind of Route(and select this Route). It's not recommended
- to set `Port` unless the networking behaviors specified in
- a Route must apply to a specific port as opposed to a listener(s)
- whose port(s) may be changed. When both Port and SectionName
- are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
- is a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes can
- attach to them by Route kind, namespace, or hostname. If 1
- of 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway. \n
- Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within the
- target resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match both
- specified values. * Service: Port Name. When both Port (experimental)
- and SectionName are specified, the name and port of the selected
- listener must match both specified values. Note that attaching
- Routes to Services as Parents is part of experimental Mesh
- support and is not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this will
- reference the entire resource. For the purpose of status,
- an attachment is considered successful if at least one section
- in the parent resource accepts it. For example, Gateway listeners
- can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept
- attachment from the referencing Route, the Route MUST be considered
- successfully attached. If no Gateway listeners accept attachment
- from this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -7314,83 +9768,110 @@ spec:
- path:
type: PathPrefix
value: /
- description: Rules are a list of HTTP matchers, filters and actions.
+ description: |+
+ Rules are a list of HTTP matchers, filters and actions.
+
items:
- description: HTTPRouteRule defines semantics for matching an HTTP
- request based on conditions (matches), processing it (filters),
- and forwarding the request to an API object (backendRefs).
+ description: |-
+ HTTPRouteRule defines semantics for matching an HTTP request based on
+ conditions (matches), processing it (filters), and forwarding the request to
+ an API object (backendRefs).
properties:
backendRefs:
- description: "BackendRefs defines the backend(s) where matching
- requests should be sent. \n Failure behavior here depends
- on how many BackendRefs are specified and how many are invalid.
- \n If *all* entries in BackendRefs are invalid, and there
- are also no filters specified in this route rule, *all* traffic
- which matches this rule MUST receive a 500 status code. \n
- See the HTTPBackendRef definition for the rules about what
- makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef
- is invalid, 500 status codes MUST be returned for requests
- that would have otherwise been routed to an invalid backend.
- If multiple backends are specified, and some are invalid,
- the proportion of requests that would otherwise have been
- routed to an invalid backend MUST receive a 500 status code.
- \n For example, if two backends are specified with equal weights,
- and one is invalid, 50 percent of traffic must receive a 500.
- Implementations may choose how that 50 percent is determined.
- \n Support: Core for Kubernetes Service \n Support: Extended
- for Kubernetes ServiceImport \n Support: Implementation-specific
- for any other resource \n Support for weight: Core"
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent.
+
+ Failure behavior here depends on how many BackendRefs are specified and
+ how many are invalid.
+
+ If *all* entries in BackendRefs are invalid, and there are also no filters
+ specified in this route rule, *all* traffic which matches this rule MUST
+ receive a 500 status code.
+
+ See the HTTPBackendRef definition for the rules about what makes a single
+ HTTPBackendRef invalid.
+
+ When a HTTPBackendRef is invalid, 500 status codes MUST be returned for
+ requests that would have otherwise been routed to an invalid backend. If
+ multiple backends are specified, and some are invalid, the proportion of
+ requests that would otherwise have been routed to an invalid backend
+ MUST receive a 500 status code.
+
+ For example, if two backends are specified with equal weights, and one is
+ invalid, 50 percent of traffic must receive a 500. Implementations may
+ choose how that 50 percent is determined.
+
+ When a HTTPBackendRef refers to a Service that has no ready endpoints,
+ implementations SHOULD return a 503 for requests to that backend instead.
+ If an implementation chooses to do this, all of the above rules for 500 responses
+ MUST also apply for responses that return a 503.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Core
items:
- description: "HTTPBackendRef defines how a HTTPRoute forwards
- a HTTP request. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace to allow that
+ description: |-
+ HTTPBackendRef defines how a HTTPRoute forwards a HTTP request.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
- documentation for details. \n
- \n When the BackendRef points to a Kubernetes Service, implementations
- SHOULD honor the appProtocol field if it is set for the
- target Service Port. \n Implementations supporting appProtocol
- SHOULD recognize the Kubernetes Standard Application Protocols
- defined in KEP-3726. \n If a Service appProtocol isn't specified,
- an implementation MAY infer the backend protocol through
- its own means. Implementations MAY infer the protocol from
- the Route type referring to the backend Service. \n If a
- Route is not able to send traffic to the backend using the
- specified protocol then the backend is considered invalid.
- Implementations MUST set the \"ResolvedRefs\" condition
- to \"False\" with the \"UnsupportedProtocol\" reason. \n
- "
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
properties:
filters:
- description: "Filters defined at this level should be
- executed if and only if the request is being forwarded
- to the backend defined here. \n Support: Implementation-specific
- (For broader support of filters, use the Filters field
- in HTTPRouteRule.)"
+ description: |-
+ Filters defined at this level should be executed if and only if the
+ request is being forwarded to the backend defined here.
+
+ Support: Implementation-specific (For broader support of filters, use the
+ Filters field in HTTPRouteRule.)
items:
- description: HTTPRouteFilter defines processing steps
- that must be completed during the request or response
- lifecycle. HTTPRouteFilters are meant as an extension
- point to express processing that may be done in Gateway
- implementations. Some examples include request or
- response modification, implementing authentication
- strategies, rate-limiting, and traffic shaping. API
- guarantee/conformance is defined based on the type
- of the filter.
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
- description: "ExtensionRef is an optional, implementation-specific
- extension to the \"filter\" behavior. For example,
- resource \"myroutefilter\" in group \"networking.example.net\").
- ExtensionRef MUST NOT be used for core and extended
- filters. \n This filter can be used multiple times
- within the same rule. \n Support: Implementation-specific"
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
properties:
group:
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core API
- group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -7412,35 +9893,45 @@ spec:
- name
type: object
requestHeaderModifier:
- description: "RequestHeaderModifier defines a schema
- for a filter that modifies request headers. \n
- Support: Core"
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It
- appends to any existing values associated
- with the header name. \n Input: GET /foo HTTP/1.1
- my-header: foo \n Config: add: - name: \"my-header\"
- value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
- my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -7461,44 +9952,61 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from
- the HTTP request before the action. The value
- of Remove is a list of HTTP header names.
- Note that the header names are case-insensitive
- (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo
- my-header2: bar my-header3: baz \n Config:
- remove: [\"my-header1\", \"my-header3\"] \n
- Output: GET /foo HTTP/1.1 my-header2: bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with
- the given header (name, value) before the
- action. \n Input: GET /foo HTTP/1.1 my-header:
- foo \n Config: set: - name: \"my-header\"
- value: \"bar\" \n Output: GET /foo HTTP/1.1
- my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -7520,64 +10028,69 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: "RequestMirror defines a schema for
- a filter that mirrors requests. Requests are sent
- to the specified destination, but responses from
- that destination are ignored. \n This filter can
- be used multiple times within the same rule. Note
- that not all implementations will be able to support
- mirroring to multiple backends. \n Support: Extended"
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
properties:
backendRef:
- description: "BackendRef references a resource
- where mirrored requests are sent. \n Mirrored
- requests must be sent only to a single destination
- endpoint within this BackendRef, irrespective
- of how many endpoints are present within this
- BackendRef. \n If the referent cannot be found,
- this BackendRef is invalid and must be dropped
- from the Gateway. The controller must ensure
- the \"ResolvedRefs\" condition on the Route
- status is set to `status: False` and not configure
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
this backend in the underlying implementation.
- \n If there is a cross-namespace reference
- to an *existing* object that is not allowed
- by a ReferenceGrant, the controller must ensure
- the \"ResolvedRefs\" condition on the Route
- is set to `status: False`, with the \"RefNotPermitted\"
- reason and not configure this backend in the
- underlying implementation. \n In either error
- case, the Message of the `ResolvedRefs` Condition
- should be used to provide more detail about
- the problem. \n Support: Extended for Kubernetes
- Service \n Support: Implementation-specific
- for any other resource"
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
properties:
group:
default: ""
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io".
- When unspecified or empty string, core
- API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource
- kind of the referent. For example \"Service\".
- \n Defaults to \"Service\" when not specified.
- \n ExternalName services can refer to
- CNAME DNS records that may live outside
- of the cluster and as such are difficult
- to reason about in terms of conformance.
- They also may not be safe to forward to
- (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName
- Services. \n Support: Core (Services with
- a type other than ExternalName) \n Support:
- Implementation-specific (Services with
- type ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -7588,29 +10101,27 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace
- of the backend. When unspecified, the
- local namespace is inferred. \n Note that
- when a namespace different than the local
- namespace is specified, a ReferenceGrant
- object is required in the referent namespace
- to allow that namespace's owner to accept
- the reference. See the ReferenceGrant
- documentation for details. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination
- port number to use for this resource.
- Port is required when the referent is
- a Kubernetes Service. In this case, the
- port number is the service port number,
- not the target port. For other resources,
- destination port might be derived from
- the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
@@ -7622,88 +10133,114 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind
== ''Service'') ? has(self.port) : true'
+ fraction:
+ description: |+
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal
+ to denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |+
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
required:
- backendRef
type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be
+ specified in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
requestRedirect:
- description: "RequestRedirect defines a schema for
- a filter that responds to the request with an
- HTTP redirection. \n Support: Core"
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
properties:
hostname:
- description: "Hostname is the hostname to be
- used in the value of the `Location` header
- in the response. When empty, the hostname
- in the `Host` header of the request is used.
- \n Support: Core"
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines parameters used to
- modify the path of the incoming request. The
- modified path is then used to construct the
- `Location` header. When empty, the request
- path is used as-is. \n Support: Extended"
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the
- value with which to replace the full path
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies
- the value with which to replace the prefix
- match of a request during a rewrite or
- redirect. For example, a request to \"/foo/bar\"
- with a prefix match of \"/foo\" and a
- ReplacePrefixMatch of \"/xyz\" would be
- modified to \"/xyz/bar\". \n Note that
- this matches the behavior of the PathPrefix
- match type. This matches full path elements.
- A path element refers to the list of labels
- in the path split by the `/` separator.
- When specified, a trailing `/` is ignored.
- For example, the paths `/abc`, `/abc/`,
- and `/abc/def` would all match the prefix
- `/abc`, but the path `/abcd` would not.
- \n ReplacePrefixMatch is only compatible
- with a `PathPrefix` HTTPRouteMatch. Using
- any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`. \n Request Path
- | Prefix Match | Replace Prefix | Modified
- Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo |
- /xyz/ | /xyz/bar /foo/bar |
- /foo/ | /xyz | /xyz/bar
- /foo/bar | /foo/ | /xyz/ |
- /xyz/bar /foo | /foo |
- /xyz | /xyz /foo/ | /foo
- \ | /xyz | /xyz/ /foo/bar
- \ | /foo | |
- /bar /foo/ | /foo | | / /foo | /foo |
- | / /foo/ | /foo
- \ | / | / /foo |
- /foo | / | /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path
- modifier. Additional types may be added
- in a future release of the API. \n Note
- that values may be added to this enum,
- implementations must ensure that unknown
- values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`, with a Reason
- of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -7729,95 +10266,111 @@ spec:
rule: 'has(self.replacePrefixMatch) ? self.type
== ''ReplacePrefixMatch'' : true'
port:
- description: "Port is the port to be used in
- the value of the `Location` header in the
- response. \n If no port is specified, the
- redirect port MUST be derived using the following
- rules: \n * If redirect scheme is not-empty,
- the redirect port MUST be the well-known port
- associated with the redirect scheme. Specifically
- \"http\" to port 80 and \"https\" to port
- 443. If the redirect scheme does not have
- a well-known port, the listener port of the
- Gateway SHOULD be used. * If redirect scheme
- is empty, the redirect port MUST be the Gateway
- Listener port. \n Implementations SHOULD NOT
- add the port number in the 'Location' header
- in the following cases: \n * A Location header
- that will use HTTP (whether that is determined
- via the Listener protocol or the Scheme field)
- _and_ use port 80. * A Location header that
- will use HTTPS (whether that is determined
- via the Listener protocol or the Scheme field)
- _and_ use port 443. \n Support: Extended"
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
- description: "Scheme is the scheme to be used
- in the value of the `Location` header in the
- response. When empty, the scheme of the request
- is used. \n Scheme redirects can affect the
- port of the redirect, for more information,
- refer to the documentation for the port field
- of this filter. \n Note that values may be
- added to this enum, implementations must ensure
- that unknown values will not cause a crash.
- \n Unknown values here must result in the
- implementation setting the Accepted Condition
- for the Route to `status: False`, with a Reason
- of `UnsupportedValue`. \n Support: Extended"
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
enum:
- http
- https
type: string
statusCode:
default: 302
- description: "StatusCode is the HTTP status
- code to be used in response. \n Note that
- values may be added to this enum, implementations
- must ensure that unknown values will not cause
- a crash. \n Unknown values here must result
- in the implementation setting the Accepted
- Condition for the Route to `status: False`,
- with a Reason of `UnsupportedValue`. \n Support:
- Core"
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
enum:
- 301
- 302
type: integer
type: object
responseHeaderModifier:
- description: "ResponseHeaderModifier defines a schema
- for a filter that modifies response headers. \n
- Support: Extended"
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It
- appends to any existing values associated
- with the header name. \n Input: GET /foo HTTP/1.1
- my-header: foo \n Config: add: - name: \"my-header\"
- value: \"bar,baz\" \n Output: GET /foo HTTP/1.1
- my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -7838,44 +10391,61 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from
- the HTTP request before the action. The value
- of Remove is a list of HTTP header names.
- Note that the header names are case-insensitive
- (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo
- my-header2: bar my-header3: baz \n Config:
- remove: [\"my-header1\", \"my-header3\"] \n
- Output: GET /foo HTTP/1.1 my-header2: bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with
- the given header (name, value) before the
- action. \n Input: GET /foo HTTP/1.1 my-header:
- foo \n Config: set: - name: \"my-header\"
- value: \"bar\" \n Output: GET /foo HTTP/1.1
- my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP
Header name and value as defined by RFC
7230.
properties:
name:
- description: "Name is the name of the
- HTTP Header to be matched. Name matching
- MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an
- equivalent name MUST be considered for
- a match. Subsequent entries with an
- equivalent header name MUST be ignored.
- Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -7897,37 +10467,39 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: "Type identifies the type of filter
- to apply. As with other API fields, types are
- classified into three conformance levels: \n -
- Core: Filter types and their corresponding configuration
- defined by \"Support: Core\" in this package,
- e.g. \"RequestHeaderModifier\". All implementations
- must support core filters. \n - Extended: Filter
- types and their corresponding configuration defined
- by \"Support: Extended\" in this package, e.g.
- \"RequestMirror\". Implementers are encouraged
- to support extended filters. \n - Implementation-specific:
- Filters that are defined and supported by specific
- vendors. In the future, filters showing convergence
- in behavior across multiple implementations will
- be considered for inclusion in extended or core
- conformance levels. Filter-specific configuration
- for such filters is specified using the ExtensionRef
- field. `Type` should be set to \"ExtensionRef\"
- for custom filters. \n Implementers are encouraged
- to define custom implementation types to extend
- the core API with implementation-specific behavior.
- \n If a reference to a custom filter type cannot
- be resolved, the filter MUST NOT be skipped. Instead,
- requests that would have been processed by that
- filter MUST receive a HTTP error response. \n
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
Note that values may be added to this enum, implementations
- must ensure that unknown values will not cause
- a crash. \n Unknown values here must result in
- the implementation setting the Accepted Condition
- for the Route to `status: False`, with a Reason
- of `UnsupportedValue`."
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- RequestHeaderModifier
- ResponseHeaderModifier
@@ -7937,79 +10509,64 @@ spec:
- ExtensionRef
type: string
urlRewrite:
- description: "URLRewrite defines a schema for a
- filter that modifies a request during forwarding.
- \n Support: Extended"
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
properties:
hostname:
- description: "Hostname is the value to be used
- to replace the Host header value during forwarding.
- \n Support: Extended"
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines a path rewrite. \n
- Support: Extended"
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the
- value with which to replace the full path
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies
- the value with which to replace the prefix
- match of a request during a rewrite or
- redirect. For example, a request to \"/foo/bar\"
- with a prefix match of \"/foo\" and a
- ReplacePrefixMatch of \"/xyz\" would be
- modified to \"/xyz/bar\". \n Note that
- this matches the behavior of the PathPrefix
- match type. This matches full path elements.
- A path element refers to the list of labels
- in the path split by the `/` separator.
- When specified, a trailing `/` is ignored.
- For example, the paths `/abc`, `/abc/`,
- and `/abc/def` would all match the prefix
- `/abc`, but the path `/abcd` would not.
- \n ReplacePrefixMatch is only compatible
- with a `PathPrefix` HTTPRouteMatch. Using
- any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`. \n Request Path
- | Prefix Match | Replace Prefix | Modified
- Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo |
- /xyz/ | /xyz/bar /foo/bar |
- /foo/ | /xyz | /xyz/bar
- /foo/bar | /foo/ | /xyz/ |
- /xyz/bar /foo | /foo |
- /xyz | /xyz /foo/ | /foo
- \ | /xyz | /xyz/ /foo/bar
- \ | /foo | |
- /bar /foo/ | /foo | | / /foo | /foo |
- | / /foo/ | /foo
- \ | / | / /foo |
- /foo | / | /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path
- modifier. Additional types may be added
- in a future release of the API. \n Note
- that values may be added to this enum,
- implementations must ensure that unknown
- values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the
- Route to `status: False`, with a Reason
- of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -8107,25 +10664,29 @@ spec:
<= 1
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -8136,43 +10697,47 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
- description: "Weight specifies the proportion of requests
- forwarded to the referenced backend. This is computed
- as weight/(sum of all weights in this BackendRefs list).
- For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision
- an implementation supports. Weight is not a percentage
- and the sum of weights does not need to equal 100. \n
- If only one backend is specified and it has a weight
- greater than 0, 100% of the traffic is forwarded to
- that backend. If weight is set to 0, no traffic should
- be forwarded for this entry. If unspecified, weight
- defaults to 1. \n Support for this field varies based
- on the context where used."
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
format: int32
maximum: 1000000
minimum: 0
@@ -8187,46 +10752,67 @@ spec:
maxItems: 16
type: array
filters:
- description: "Filters define the filters that are applied to
- requests that match this rule. \n The effects of ordering
- of multiple behaviors are currently unspecified. This can
- change in the future based on feedback during the alpha stage.
- \n Conformance-levels at this level are defined based on the
- type of filter: \n - ALL core filters MUST be supported by
- all implementations. - Implementers are encouraged to support
- extended filters. - Implementation-specific custom filters
- have no API guarantees across implementations. \n Specifying
- the same filter multiple times is not supported unless explicitly
- indicated in the filter. \n All filters are expected to be
- compatible with each other except for the URLRewrite and RequestRedirect
- filters, which may not be combined. If an implementation can
- not support other combinations of filters, they must clearly
+ description: |-
+ Filters define the filters that are applied to requests that match
+ this rule.
+
+ Wherever possible, implementations SHOULD implement filters in the order
+ they are specified.
+
+ Implementations MAY choose to implement this ordering strictly, rejecting
+ any combination or order of filters that can not be supported. If implementations
+ choose a strict interpretation of filter ordering, they MUST clearly document
+ that behavior.
+
+ To reject an invalid combination or order of filters, implementations SHOULD
+ consider the Route Rules with this configuration invalid. If all Route Rules
+ in a Route are invalid, the entire Route would be considered invalid. If only
+ a portion of Route Rules are invalid, implementations MUST set the
+ "PartiallyInvalid" condition for the Route.
+
+ Conformance-levels at this level are defined based on the type of filter:
+
+ - ALL core filters MUST be supported by all implementations.
+ - Implementers are encouraged to support extended filters.
+ - Implementation-specific custom filters have no API guarantees across
+ implementations.
+
+ Specifying the same filter multiple times is not supported unless explicitly
+ indicated in the filter.
+
+ All filters are expected to be compatible with each other except for the
+ URLRewrite and RequestRedirect filters, which may not be combined. If an
+ implementation can not support other combinations of filters, they must clearly
document that limitation. In cases where incompatible or unsupported
- filters are specified and cause the `Accepted` condition to
- be set to status `False`, implementations may use the `IncompatibleFilters`
- reason to specify this configuration error. \n Support: Core"
+ filters are specified and cause the `Accepted` condition to be set to status
+ `False`, implementations may use the `IncompatibleFilters` reason to specify
+ this configuration error.
+
+ Support: Core
items:
- description: HTTPRouteFilter defines processing steps that
- must be completed during the request or response lifecycle.
- HTTPRouteFilters are meant as an extension point to express
- processing that may be done in Gateway implementations.
- Some examples include request or response modification,
- implementing authentication strategies, rate-limiting, and
- traffic shaping. API guarantee/conformance is defined based
- on the type of the filter.
+ description: |-
+ HTTPRouteFilter defines processing steps that must be completed during the
+ request or response lifecycle. HTTPRouteFilters are meant as an extension
+ point to express processing that may be done in Gateway implementations. Some
+ examples include request or response modification, implementing
+ authentication strategies, rate-limiting, and traffic shaping. API
+ guarantee/conformance is defined based on the type of the filter.
properties:
extensionRef:
- description: "ExtensionRef is an optional, implementation-specific
- extension to the \"filter\" behavior. For example,
- resource \"myroutefilter\" in group \"networking.example.net\").
- ExtensionRef MUST NOT be used for core and extended
- filters. \n This filter can be used multiple times within
- the same rule. \n Support: Implementation-specific"
+ description: |-
+ ExtensionRef is an optional, implementation-specific extension to the
+ "filter" behavior. For example, resource "myroutefilter" in group
+ "networking.example.net"). ExtensionRef MUST NOT be used for core and
+ extended filters.
+
+ This filter can be used multiple times within the same rule.
+
+ Support: Implementation-specific
properties:
group:
- description: Group is the group of the referent. For
- example, "gateway.networking.k8s.io". When unspecified
- or empty string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -8248,32 +10834,44 @@ spec:
- name
type: object
requestHeaderModifier:
- description: "RequestHeaderModifier defines a schema for
- a filter that modifies request headers. \n Support:
- Core"
+ description: |-
+ RequestHeaderModifier defines a schema for a filter that modifies request
+ headers.
+
+ Support: Core
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It appends
- to any existing values associated with the header
- name. \n Input: GET /foo HTTP/1.1 my-header: foo
- \n Config: add: - name: \"my-header\" value: \"bar,baz\"
- \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -8294,40 +10892,60 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from the
- HTTP request before the action. The value of Remove
- is a list of HTTP header names. Note that the header
- names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
- bar my-header3: baz \n Config: remove: [\"my-header1\",
- \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
- bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with the
- given header (name, value) before the action. \n
- Input: GET /foo HTTP/1.1 my-header: foo \n Config:
- set: - name: \"my-header\" value: \"bar\" \n Output:
- GET /foo HTTP/1.1 my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -8349,60 +10967,69 @@ spec:
x-kubernetes-list-type: map
type: object
requestMirror:
- description: "RequestMirror defines a schema for a filter
- that mirrors requests. Requests are sent to the specified
- destination, but responses from that destination are
- ignored. \n This filter can be used multiple times within
- the same rule. Note that not all implementations will
- be able to support mirroring to multiple backends. \n
- Support: Extended"
+ description: |+
+ RequestMirror defines a schema for a filter that mirrors requests.
+ Requests are sent to the specified destination, but responses from
+ that destination are ignored.
+
+ This filter can be used multiple times within the same rule. Note that
+ not all implementations will be able to support mirroring to multiple
+ backends.
+
+ Support: Extended
+
properties:
backendRef:
- description: "BackendRef references a resource where
- mirrored requests are sent. \n Mirrored requests
- must be sent only to a single destination endpoint
- within this BackendRef, irrespective of how many
- endpoints are present within this BackendRef. \n
- If the referent cannot be found, this BackendRef
- is invalid and must be dropped from the Gateway.
- The controller must ensure the \"ResolvedRefs\"
- condition on the Route status is set to `status:
- False` and not configure this backend in the underlying
- implementation. \n If there is a cross-namespace
- reference to an *existing* object that is not allowed
- by a ReferenceGrant, the controller must ensure
- the \"ResolvedRefs\" condition on the Route is
- set to `status: False`, with the \"RefNotPermitted\"
- reason and not configure this backend in the underlying
- implementation. \n In either error case, the Message
- of the `ResolvedRefs` Condition should be used to
- provide more detail about the problem. \n Support:
- Extended for Kubernetes Service \n Support: Implementation-specific
- for any other resource"
+ description: |-
+ BackendRef references a resource where mirrored requests are sent.
+
+ Mirrored requests must be sent only to a single destination endpoint
+ within this BackendRef, irrespective of how many endpoints are present
+ within this BackendRef.
+
+ If the referent cannot be found, this BackendRef is invalid and must be
+ dropped from the Gateway. The controller must ensure the "ResolvedRefs"
+ condition on the Route status is set to `status: False` and not configure
+ this backend in the underlying implementation.
+
+ If there is a cross-namespace reference to an *existing* object
+ that is not allowed by a ReferenceGrant, the controller must ensure the
+ "ResolvedRefs" condition on the Route is set to `status: False`,
+ with the "RefNotPermitted" reason and not configure this backend in the
+ underlying implementation.
+
+ In either error case, the Message of the `ResolvedRefs` Condition
+ should be used to provide more detail about the problem.
+
+ Support: Extended for Kubernetes Service
+
+ Support: Implementation-specific for any other resource
properties:
group:
default: ""
- description: Group is the group of the referent.
- For example, "gateway.networking.k8s.io". When
- unspecified or empty string, core API group
- is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource
- kind of the referent. For example \"Service\".
- \n Defaults to \"Service\" when not specified.
- \n ExternalName services can refer to CNAME
- DNS records that may live outside of the cluster
- and as such are difficult to reason about in
- terms of conformance. They also may not be safe
- to forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName
- Services. \n Support: Core (Services with a
- type other than ExternalName) \n Support: Implementation-specific
- (Services with type ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -8413,25 +11040,26 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the
- backend. When unspecified, the local namespace
- is inferred. \n Note that when a namespace different
- than the local namespace is specified, a ReferenceGrant
- object is required in the referent namespace
- to allow that namespace's owner to accept the
- reference. See the ReferenceGrant documentation
- for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port
- number to use for this resource. Port is required
- when the referent is a Kubernetes Service. In
- this case, the port number is the service port
- number, not the target port. For other resources,
- destination port might be derived from the referent
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
@@ -8444,81 +11072,114 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
+ fraction:
+ description: |+
+ Fraction represents the fraction of requests that should be
+ mirrored to BackendRef.
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ properties:
+ denominator:
+ default: 100
+ format: int32
+ minimum: 1
+ type: integer
+ numerator:
+ format: int32
+ minimum: 0
+ type: integer
+ required:
+ - numerator
+ type: object
+ x-kubernetes-validations:
+ - message: numerator must be less than or equal to
+ denominator
+ rule: self.numerator <= self.denominator
+ percent:
+ description: |+
+ Percent represents the percentage of requests that should be
+ mirrored to BackendRef. Its minimum value is 0 (indicating 0% of
+ requests) and its maximum value is 100 (indicating 100% of requests).
+
+ Only one of Fraction or Percent may be specified. If neither field
+ is specified, 100% of requests will be mirrored.
+
+ format: int32
+ maximum: 100
+ minimum: 0
+ type: integer
required:
- backendRef
type: object
+ x-kubernetes-validations:
+ - message: Only one of percent or fraction may be specified
+ in HTTPRequestMirrorFilter
+ rule: '!(has(self.percent) && has(self.fraction))'
requestRedirect:
- description: "RequestRedirect defines a schema for a filter
- that responds to the request with an HTTP redirection.
- \n Support: Core"
+ description: |-
+ RequestRedirect defines a schema for a filter that responds to the
+ request with an HTTP redirection.
+
+ Support: Core
properties:
hostname:
- description: "Hostname is the hostname to be used
- in the value of the `Location` header in the response.
- When empty, the hostname in the `Host` header of
- the request is used. \n Support: Core"
+ description: |-
+ Hostname is the hostname to be used in the value of the `Location`
+ header in the response.
+ When empty, the hostname in the `Host` header of the request is used.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines parameters used to modify
- the path of the incoming request. The modified path
- is then used to construct the `Location` header.
- When empty, the request path is used as-is. \n Support:
- Extended"
+ description: |-
+ Path defines parameters used to modify the path of the incoming request.
+ The modified path is then used to construct the `Location` header. When
+ empty, the request path is used as-is.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the value
- with which to replace the full path of a request
- during a rewrite or redirect.
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies the
- value with which to replace the prefix match
- of a request during a rewrite or redirect. For
- example, a request to \"/foo/bar\" with a prefix
- match of \"/foo\" and a ReplacePrefixMatch of
- \"/xyz\" would be modified to \"/xyz/bar\".
- \n Note that this matches the behavior of the
- PathPrefix match type. This matches full path
- elements. A path element refers to the list
- of labels in the path split by the `/` separator.
- When specified, a trailing `/` is ignored. For
- example, the paths `/abc`, `/abc/`, and `/abc/def`
- would all match the prefix `/abc`, but the path
- `/abcd` would not. \n ReplacePrefixMatch is
- only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`. \n Request Path | Prefix
- Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo | /xyz/
- \ | /xyz/bar /foo/bar | /foo/ |
- /xyz | /xyz/bar /foo/bar | /foo/
- \ | /xyz/ | /xyz/bar /foo |
- /foo | /xyz | /xyz /foo/ |
- /foo | /xyz | /xyz/ /foo/bar
- \ | /foo | | /bar
- /foo/ | /foo |
- | / /foo | /foo |
- | / /foo/ | /foo | / |
- / /foo | /foo | / |
- /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path modifier.
- Additional types may be added in a future release
- of the API. \n Note that values may be added
- to this enum, implementations must ensure that
- unknown values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`, with a Reason of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -8544,88 +11205,110 @@ spec:
rule: 'has(self.replacePrefixMatch) ? self.type
== ''ReplacePrefixMatch'' : true'
port:
- description: "Port is the port to be used in the value
- of the `Location` header in the response. \n If
- no port is specified, the redirect port MUST be
- derived using the following rules: \n * If redirect
- scheme is not-empty, the redirect port MUST be the
- well-known port associated with the redirect scheme.
- Specifically \"http\" to port 80 and \"https\" to
- port 443. If the redirect scheme does not have a
- well-known port, the listener port of the Gateway
- SHOULD be used. * If redirect scheme is empty, the
- redirect port MUST be the Gateway Listener port.
- \n Implementations SHOULD NOT add the port number
- in the 'Location' header in the following cases:
- \n * A Location header that will use HTTP (whether
- that is determined via the Listener protocol or
- the Scheme field) _and_ use port 80. * A Location
- header that will use HTTPS (whether that is determined
- via the Listener protocol or the Scheme field) _and_
- use port 443. \n Support: Extended"
+ description: |-
+ Port is the port to be used in the value of the `Location`
+ header in the response.
+
+ If no port is specified, the redirect port MUST be derived using the
+ following rules:
+
+ * If redirect scheme is not-empty, the redirect port MUST be the well-known
+ port associated with the redirect scheme. Specifically "http" to port 80
+ and "https" to port 443. If the redirect scheme does not have a
+ well-known port, the listener port of the Gateway SHOULD be used.
+ * If redirect scheme is empty, the redirect port MUST be the Gateway
+ Listener port.
+
+ Implementations SHOULD NOT add the port number in the 'Location'
+ header in the following cases:
+
+ * A Location header that will use HTTP (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 80.
+ * A Location header that will use HTTPS (whether that is determined via
+ the Listener protocol or the Scheme field) _and_ use port 443.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
- description: "Scheme is the scheme to be used in the
- value of the `Location` header in the response.
- When empty, the scheme of the request is used. \n
- Scheme redirects can affect the port of the redirect,
- for more information, refer to the documentation
- for the port field of this filter. \n Note that
- values may be added to this enum, implementations
- must ensure that unknown values will not cause a
- crash. \n Unknown values here must result in the
- implementation setting the Accepted Condition for
- the Route to `status: False`, with a Reason of `UnsupportedValue`.
- \n Support: Extended"
+ description: |-
+ Scheme is the scheme to be used in the value of the `Location` header in
+ the response. When empty, the scheme of the request is used.
+
+ Scheme redirects can affect the port of the redirect, for more information,
+ refer to the documentation for the port field of this filter.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Extended
enum:
- http
- https
type: string
statusCode:
default: 302
- description: "StatusCode is the HTTP status code to
- be used in response. \n Note that values may be
- added to this enum, implementations must ensure
- that unknown values will not cause a crash. \n Unknown
- values here must result in the implementation setting
- the Accepted Condition for the Route to `status:
- False`, with a Reason of `UnsupportedValue`. \n
- Support: Core"
+ description: |-
+ StatusCode is the HTTP status code to be used in response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
+
+ Support: Core
enum:
- 301
- 302
type: integer
type: object
responseHeaderModifier:
- description: "ResponseHeaderModifier defines a schema
- for a filter that modifies response headers. \n Support:
- Extended"
+ description: |-
+ ResponseHeaderModifier defines a schema for a filter that modifies response
+ headers.
+
+ Support: Extended
properties:
add:
- description: "Add adds the given header(s) (name,
- value) to the request before the action. It appends
- to any existing values associated with the header
- name. \n Input: GET /foo HTTP/1.1 my-header: foo
- \n Config: add: - name: \"my-header\" value: \"bar,baz\"
- \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz"
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -8646,40 +11329,60 @@ spec:
- name
x-kubernetes-list-type: map
remove:
- description: "Remove the given header(s) from the
- HTTP request before the action. The value of Remove
- is a list of HTTP header names. Note that the header
- names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
- \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2:
- bar my-header3: baz \n Config: remove: [\"my-header1\",
- \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2:
- bar"
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
items:
type: string
maxItems: 16
type: array
x-kubernetes-list-type: set
set:
- description: "Set overwrites the request with the
- given header (name, value) before the action. \n
- Input: GET /foo HTTP/1.1 my-header: foo \n Config:
- set: - name: \"my-header\" value: \"bar\" \n Output:
- GET /foo HTTP/1.1 my-header: bar"
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
items:
description: HTTPHeader represents an HTTP Header
name and value as defined by RFC 7230.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case
- insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent
- header names, the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST
- be ignored. Due to the case-insensitivity
- of header names, \"foo\" and \"Foo\" are considered
- equivalent."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
@@ -8701,33 +11404,39 @@ spec:
x-kubernetes-list-type: map
type: object
type:
- description: "Type identifies the type of filter to apply.
- As with other API fields, types are classified into
- three conformance levels: \n - Core: Filter types and
- their corresponding configuration defined by \"Support:
- Core\" in this package, e.g. \"RequestHeaderModifier\".
- All implementations must support core filters. \n -
- Extended: Filter types and their corresponding configuration
- defined by \"Support: Extended\" in this package, e.g.
- \"RequestMirror\". Implementers are encouraged to support
- extended filters. \n - Implementation-specific: Filters
- that are defined and supported by specific vendors.
- In the future, filters showing convergence in behavior
- across multiple implementations will be considered for
- inclusion in extended or core conformance levels. Filter-specific
- configuration for such filters is specified using the
- ExtensionRef field. `Type` should be set to \"ExtensionRef\"
- for custom filters. \n Implementers are encouraged to
- define custom implementation types to extend the core
- API with implementation-specific behavior. \n If a reference
- to a custom filter type cannot be resolved, the filter
- MUST NOT be skipped. Instead, requests that would have
- been processed by that filter MUST receive a HTTP error
- response. \n Note that values may be added to this enum,
- implementations must ensure that unknown values will
- not cause a crash. \n Unknown values here must result
- in the implementation setting the Accepted Condition
- for the Route to `status: False`, with a Reason of `UnsupportedValue`."
+ description: |-
+ Type identifies the type of filter to apply. As with other API fields,
+ types are classified into three conformance levels:
+
+ - Core: Filter types and their corresponding configuration defined by
+ "Support: Core" in this package, e.g. "RequestHeaderModifier". All
+ implementations must support core filters.
+
+ - Extended: Filter types and their corresponding configuration defined by
+ "Support: Extended" in this package, e.g. "RequestMirror". Implementers
+ are encouraged to support extended filters.
+
+ - Implementation-specific: Filters that are defined and supported by
+ specific vendors.
+ In the future, filters showing convergence in behavior across multiple
+ implementations will be considered for inclusion in extended or core
+ conformance levels. Filter-specific configuration for such filters
+ is specified using the ExtensionRef field. `Type` should be set to
+ "ExtensionRef" for custom filters.
+
+ Implementers are encouraged to define custom implementation types to
+ extend the core API with implementation-specific behavior.
+
+ If a reference to a custom filter type cannot be resolved, the filter
+ MUST NOT be skipped. Instead, requests that would have been processed by
+ that filter MUST receive a HTTP error response.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- RequestHeaderModifier
- ResponseHeaderModifier
@@ -8737,73 +11446,64 @@ spec:
- ExtensionRef
type: string
urlRewrite:
- description: "URLRewrite defines a schema for a filter
- that modifies a request during forwarding. \n Support:
- Extended"
+ description: |-
+ URLRewrite defines a schema for a filter that modifies a request during forwarding.
+
+ Support: Extended
properties:
hostname:
- description: "Hostname is the value to be used to
- replace the Host header value during forwarding.
- \n Support: Extended"
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+
+ Support: Extended
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
- description: "Path defines a path rewrite. \n Support:
- Extended"
+ description: |-
+ Path defines a path rewrite.
+
+ Support: Extended
properties:
replaceFullPath:
- description: ReplaceFullPath specifies the value
- with which to replace the full path of a request
- during a rewrite or redirect.
+ description: |-
+ ReplaceFullPath specifies the value with which to replace the full path
+ of a request during a rewrite or redirect.
maxLength: 1024
type: string
replacePrefixMatch:
- description: "ReplacePrefixMatch specifies the
- value with which to replace the prefix match
- of a request during a rewrite or redirect. For
- example, a request to \"/foo/bar\" with a prefix
- match of \"/foo\" and a ReplacePrefixMatch of
- \"/xyz\" would be modified to \"/xyz/bar\".
- \n Note that this matches the behavior of the
- PathPrefix match type. This matches full path
- elements. A path element refers to the list
- of labels in the path split by the `/` separator.
- When specified, a trailing `/` is ignored. For
- example, the paths `/abc`, `/abc/`, and `/abc/def`
- would all match the prefix `/abc`, but the path
- `/abcd` would not. \n ReplacePrefixMatch is
- only compatible with a `PathPrefix` HTTPRouteMatch.
- Using any other HTTPRouteMatch type on the same
- HTTPRouteRule will result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`. \n Request Path | Prefix
- Match | Replace Prefix | Modified Path -------------|--------------|----------------|----------
- /foo/bar | /foo | /xyz |
- /xyz/bar /foo/bar | /foo | /xyz/
- \ | /xyz/bar /foo/bar | /foo/ |
- /xyz | /xyz/bar /foo/bar | /foo/
- \ | /xyz/ | /xyz/bar /foo |
- /foo | /xyz | /xyz /foo/ |
- /foo | /xyz | /xyz/ /foo/bar
- \ | /foo | | /bar
- /foo/ | /foo |
- | / /foo | /foo |
- | / /foo/ | /foo | / |
- / /foo | /foo | / |
- /"
+ description: |-
+ ReplacePrefixMatch specifies the value with which to replace the prefix
+ match of a request during a rewrite or redirect. For example, a request
+ to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch
+ of "/xyz" would be modified to "/xyz/bar".
+
+ Note that this matches the behavior of the PathPrefix match type. This
+ matches full path elements. A path element refers to the list of labels
+ in the path split by the `/` separator. When specified, a trailing `/` is
+ ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all
+ match the prefix `/abc`, but the path `/abcd` would not.
+
+ ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch.
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in
+ the implementation setting the Accepted Condition for the Route to `status: False`.
+
+ Request Path | Prefix Match | Replace Prefix | Modified Path
maxLength: 1024
type: string
type:
- description: "Type defines the type of path modifier.
- Additional types may be added in a future release
- of the API. \n Note that values may be added
- to this enum, implementations must ensure that
- unknown values will not cause a crash. \n Unknown
- values here must result in the implementation
- setting the Accepted Condition for the Route
- to `status: False`, with a Reason of `UnsupportedValue`."
+ description: |-
+ Type defines the type of path modifier. Additional types may be
+ added in a future release of the API.
+
+ Note that values may be added to this enum, implementations
+ must ensure that unknown values will not cause a crash.
+
+ Unknown values here must result in the implementation setting the
+ Accepted Condition for the Route to `status: False`, with a
+ Reason of `UnsupportedValue`.
enum:
- ReplaceFullPath
- ReplacePrefixMatch
@@ -8896,86 +11596,116 @@ spec:
- path:
type: PathPrefix
value: /
- description: "Matches define conditions used for matching the
- rule against incoming HTTP requests. Each match is independent,
- i.e. this rule will be matched if **any** one of the matches
- is satisfied. \n For example, take the following matches configuration:
- \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\"
- value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request
- to match against this rule, a request must satisfy EITHER
- of the two conditions: \n - path prefixed with `/foo` AND
- contains the header `version: v2` - path prefix of `/v2/foo`
- \n See the documentation for HTTPRouteMatch on how to specify
- multiple match conditions that should be ANDed together. \n
- If no matches are specified, the default is a prefix path
- match on \"/\", which has the effect of matching every HTTP
- request. \n Proxy or Load Balancer routing configuration generated
- from HTTPRoutes MUST prioritize matches based on the following
- criteria, continuing on ties. Across all rules specified on
- applicable Routes, precedence must be given to the match having:
- \n * \"Exact\" path match. * \"Prefix\" path match with largest
- number of characters. * Method match. * Largest number of
- header matches. * Largest number of query param matches. \n
- Note: The precedence of RegularExpression path matches are
- implementation-specific. \n If ties still exist across multiple
- Routes, matching precedence MUST be determined in order of
- the following criteria, continuing on ties: \n * The oldest
- Route based on creation timestamp. * The Route appearing first
- in alphabetical order by \"{namespace}/{name}\". \n If ties
- still exist within an HTTPRoute, matching precedence MUST
- be granted to the FIRST matching rule (in list order) with
- a match meeting the above criteria. \n When no rules matching
- a request have been successfully attached to the parent a
- request is coming from, a HTTP 404 status code MUST be returned."
+ description: |-
+ Matches define conditions used for matching the rule against incoming
+ HTTP requests. Each match is independent, i.e. this rule will be matched
+ if **any** one of the matches is satisfied.
+
+ For example, take the following matches configuration:
+
+ ```
+ matches:
+ - path:
+ value: "/foo"
+ headers:
+ - name: "version"
+ value: "v2"
+ - path:
+ value: "/v2/foo"
+ ```
+
+ For a request to match against this rule, a request must satisfy
+ EITHER of the two conditions:
+
+ - path prefixed with `/foo` AND contains the header `version: v2`
+ - path prefix of `/v2/foo`
+
+ See the documentation for HTTPRouteMatch on how to specify multiple
+ match conditions that should be ANDed together.
+
+ If no matches are specified, the default is a prefix
+ path match on "/", which has the effect of matching every
+ HTTP request.
+
+ Proxy or Load Balancer routing configuration generated from HTTPRoutes
+ MUST prioritize matches based on the following criteria, continuing on
+ ties. Across all rules specified on applicable Routes, precedence must be
+ given to the match having:
+
+ * "Exact" path match.
+ * "Prefix" path match with largest number of characters.
+ * Method match.
+ * Largest number of header matches.
+ * Largest number of query param matches.
+
+ Note: The precedence of RegularExpression path matches are implementation-specific.
+
+ If ties still exist across multiple Routes, matching precedence MUST be
+ determined in order of the following criteria, continuing on ties:
+
+ * The oldest Route based on creation timestamp.
+ * The Route appearing first in alphabetical order by
+ "{namespace}/{name}".
+
+ If ties still exist within an HTTPRoute, matching precedence MUST be granted
+ to the FIRST matching rule (in list order) with a match meeting the above
+ criteria.
+
+ When no rules matching a request have been successfully attached to the
+ parent a request is coming from, a HTTP 404 status code MUST be returned.
items:
description: "HTTPRouteMatch defines the predicate used to
- match requests to a given action. Multiple match types are
- ANDed together, i.e. the match will evaluate to true only
- if all conditions are satisfied. \n For example, the match
- below will match a HTTP request only if its path starts
- with `/foo` AND it contains the `version: v1` header: \n
- ``` match: \n path: value: \"/foo\" headers: - name: \"version\"
- value \"v1\" \n ```"
+ match requests to a given\naction. Multiple match types
+ are ANDed together, i.e. the match will\nevaluate to true
+ only if all conditions are satisfied.\n\nFor example, the
+ match below will match a HTTP request only if its path\nstarts
+ with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t
+ \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t
+ \ value \"v1\"\n\n```"
properties:
headers:
- description: Headers specifies HTTP request header matchers.
- Multiple match values are ANDed together, meaning, a
- request must match all the specified headers to select
- the route.
+ description: |-
+ Headers specifies HTTP request header matchers. Multiple match values are
+ ANDed together, meaning, a request must match all the specified headers
+ to select the route.
items:
- description: HTTPHeaderMatch describes how to select
- a HTTP route by matching HTTP request headers.
+ description: |-
+ HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+ headers.
properties:
name:
- description: "Name is the name of the HTTP Header
- to be matched. Name matching MUST be case insensitive.
- (See https://tools.ietf.org/html/rfc7230#section-3.2).
- \n If multiple entries specify equivalent header
- names, only the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent header name MUST be
- ignored. Due to the case-insensitivity of header
- names, \"foo\" and \"Foo\" are considered equivalent.
- \n When a header is repeated in an HTTP request,
- it is implementation-specific behavior as to how
- this is represented. Generally, proxies should
- follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2
- regarding processing a repeated header, with special
- handling for \"Set-Cookie\"."
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+
+ When a header is repeated in an HTTP request, it is
+ implementation-specific behavior as to how this is represented.
+ Generally, proxies should follow the guidance from the RFC:
+ https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+ processing a repeated header, with special handling for "Set-Cookie".
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
- description: "Type specifies how to match against
- the value of the header. \n Support: Core (Exact)
- \n Support: Implementation-specific (RegularExpression)
- \n Since RegularExpression HeaderMatchType has
- implementation-specific conformance, implementations
- can support POSIX, PCRE or any other dialects
- of regular expressions. Please read the implementation's
- documentation to determine the supported dialect."
+ description: |-
+ Type specifies how to match against the value of the header.
+
+ Support: Core (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression HeaderMatchType has implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other dialects
+ of regular expressions. Please read the implementation's documentation to
+ determine the supported dialect.
enum:
- Exact
- RegularExpression
@@ -8996,9 +11726,12 @@ spec:
- name
x-kubernetes-list-type: map
method:
- description: "Method specifies HTTP method matcher. When
- specified, this route will be matched only if the request
- has the specified method. \n Support: Extended"
+ description: |-
+ Method specifies HTTP method matcher.
+ When specified, this route will be matched only if the request has the
+ specified method.
+
+ Support: Extended
enum:
- GET
- HEAD
@@ -9014,15 +11747,18 @@ spec:
default:
type: PathPrefix
value: /
- description: Path specifies a HTTP request path matcher.
- If this field is not specified, a default prefix match
- on the "/" path is provided.
+ description: |-
+ Path specifies a HTTP request path matcher. If this field is not
+ specified, a default prefix match on the "/" path is provided.
properties:
type:
default: PathPrefix
- description: "Type specifies how to match against
- the path Value. \n Support: Core (Exact, PathPrefix)
- \n Support: Implementation-specific (RegularExpression)"
+ description: |-
+ Type specifies how to match against the path Value.
+
+ Support: Core (Exact, PathPrefix)
+
+ Support: Implementation-specific (RegularExpression)
enum:
- Exact
- PathPrefix
@@ -9081,48 +11817,53 @@ spec:
rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""")
: true'
queryParams:
- description: "QueryParams specifies HTTP query parameter
- matchers. Multiple match values are ANDed together,
- meaning, a request must match all the specified query
- parameters to select the route. \n Support: Extended"
+ description: |-
+ QueryParams specifies HTTP query parameter matchers. Multiple match
+ values are ANDed together, meaning, a request must match all the
+ specified query parameters to select the route.
+
+ Support: Extended
items:
- description: HTTPQueryParamMatch describes how to select
- a HTTP route by matching HTTP query parameters.
+ description: |-
+ HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP
+ query parameters.
properties:
name:
- description: "Name is the name of the HTTP query
- param to be matched. This must be an exact string
- match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3).
- \n If multiple entries specify equivalent query
- param names, only the first entry with an equivalent
- name MUST be considered for a match. Subsequent
- entries with an equivalent query param name MUST
- be ignored. \n If a query param is repeated in
- an HTTP request, the behavior is purposely left
- undefined, since different data planes have different
- capabilities. However, it is *recommended* that
- implementations should match against the first
- value of the param if the data plane supports
- it, as this behavior is expected in other load
- balancing contexts outside of the Gateway API.
- \n Users SHOULD NOT route traffic based on repeated
- query params to guard themselves against potential
- differences in the implementations."
+ description: |-
+ Name is the name of the HTTP query param to be matched. This must be an
+ exact string match. (See
+ https://tools.ietf.org/html/rfc7230#section-2.7.3).
+
+ If multiple entries specify equivalent query param names, only the first
+ entry with an equivalent name MUST be considered for a match. Subsequent
+ entries with an equivalent query param name MUST be ignored.
+
+ If a query param is repeated in an HTTP request, the behavior is
+ purposely left undefined, since different data planes have different
+ capabilities. However, it is *recommended* that implementations should
+ match against the first value of the param if the data plane supports it,
+ as this behavior is expected in other load balancing contexts outside of
+ the Gateway API.
+
+ Users SHOULD NOT route traffic based on repeated query params to guard
+ themselves against potential differences in the implementations.
maxLength: 256
minLength: 1
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
- description: "Type specifies how to match against
- the value of the query parameter. \n Support:
- Extended (Exact) \n Support: Implementation-specific
- (RegularExpression) \n Since RegularExpression
- QueryParamMatchType has Implementation-specific
- conformance, implementations can support POSIX,
- PCRE or any other dialects of regular expressions.
- Please read the implementation's documentation
- to determine the supported dialect."
+ description: |-
+ Type specifies how to match against the value of the query parameter.
+
+ Support: Extended (Exact)
+
+ Support: Implementation-specific (RegularExpression)
+
+ Since RegularExpression QueryParamMatchType has Implementation-specific
+ conformance, implementations can support POSIX, PCRE or any other
+ dialects of regular expressions. Please read the implementation's
+ documentation to determine the supported dialect.
enum:
- Exact
- RegularExpression
@@ -9143,41 +11884,248 @@ spec:
- name
x-kubernetes-list-type: map
type: object
- maxItems: 8
+ maxItems: 64
type: array
+ name:
+ description: |
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ retry:
+ description: |+
+ Retry defines the configuration for when to retry an HTTP request.
+
+ Support: Extended
+
+ properties:
+ attempts:
+ description: |-
+ Attempts specifies the maxmimum number of times an individual request
+ from the gateway to a backend should be retried.
+
+ If the maximum number of retries has been attempted without a successful
+ response from the backend, the Gateway MUST return an error.
+
+ When this field is unspecified, the number of times to attempt to retry
+ a backend request is implementation-specific.
+
+ Support: Extended
+ type: integer
+ backoff:
+ description: |-
+ Backoff specifies the minimum duration a Gateway should wait between
+ retry attempts and is represented in Gateway API Duration formatting.
+
+ For example, setting the `rules[].retry.backoff` field to the value
+ `100ms` will cause a backend request to first be retried approximately
+ 100 milliseconds after timing out or receiving a response code configured
+ to be retryable.
+
+ An implementation MAY use an exponential or alternative backoff strategy
+ for subsequent retry attempts, MAY cap the maximum backoff duration to
+ some amount greater than the specified minimum, and MAY add arbitrary
+ jitter to stagger requests, as long as unsuccessful backend requests are
+ not retried before the configured minimum duration.
+
+ If a Request timeout (`rules[].timeouts.request`) is configured on the
+ route, the entire duration of the initial request and any retry attempts
+ MUST not exceed the Request timeout duration. If any retry attempts are
+ still in progress when the Request timeout duration has been reached,
+ these SHOULD be canceled if possible and the Gateway MUST immediately
+ return a timeout error.
+
+ If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is
+ configured on the route, any retry attempts which reach the configured
+ BackendRequest timeout duration without a response SHOULD be canceled if
+ possible and the Gateway should wait for at least the specified backoff
+ duration before attempting to retry the backend request again.
+
+ If a BackendRequest timeout is _not_ configured on the route, retry
+ attempts MAY time out after an implementation default duration, or MAY
+ remain pending until a configured Request timeout or implementation
+ default duration for total request time is reached.
+
+ When this field is unspecified, the time to wait between retry attempts
+ is implementation-specific.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ codes:
+ description: |-
+ Codes defines the HTTP response status codes for which a backend request
+ should be retried.
+
+ Support: Extended
+ items:
+ description: |-
+ HTTPRouteRetryStatusCode defines an HTTP response status code for
+ which a backend request should be retried.
+
+ Implementations MUST support the following status codes as retryable:
+
+ * 500
+ * 502
+ * 503
+ * 504
+
+ Implementations MAY support specifying additional discrete values in the
+ 500-599 range.
+
+ Implementations MAY support specifying discrete values in the 400-499 range,
+ which are often inadvisable to retry.
+
+
+ maximum: 599
+ minimum: 400
+ type: integer
+ type: array
+ type: object
+ sessionPersistence:
+ description: |+
+ SessionPersistence defines and configures session persistence
+ for the route rule.
+
+ Support: Extended
+
+ properties:
+ absoluteTimeout:
+ description: |-
+ AbsoluteTimeout defines the absolute timeout of the persistent
+ session. Once the AbsoluteTimeout duration has elapsed, the
+ session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ cookieConfig:
+ description: |-
+ CookieConfig provides configuration settings that are specific
+ to cookie-based session persistence.
+
+ Support: Core
+ properties:
+ lifetimeType:
+ default: Session
+ description: |-
+ LifetimeType specifies whether the cookie has a permanent or
+ session-based lifetime. A permanent cookie persists until its
+ specified expiry time, defined by the Expires or Max-Age cookie
+ attributes, while a session cookie is deleted when the current
+ session ends.
+
+ When set to "Permanent", AbsoluteTimeout indicates the
+ cookie's lifetime via the Expires or Max-Age cookie attributes
+ and is required.
+
+ When set to "Session", AbsoluteTimeout indicates the
+ absolute lifetime of the cookie tracked by the gateway and
+ is optional.
+
+ Support: Core for "Session" type
+
+ Support: Extended for "Permanent" type
+ enum:
+ - Permanent
+ - Session
+ type: string
+ type: object
+ idleTimeout:
+ description: |-
+ IdleTimeout defines the idle timeout of the persistent session.
+ Once the session has been idle for more than the specified
+ IdleTimeout duration, the session becomes invalid.
+
+ Support: Extended
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ sessionName:
+ description: |-
+ SessionName defines the name of the persistent session token
+ which may be reflected in the cookie or the header. Users
+ should avoid reusing session names to prevent unintended
+ consequences, such as rejection or unpredictable behavior.
+
+ Support: Implementation-specific
+ maxLength: 128
+ type: string
+ type:
+ default: Cookie
+ description: |-
+ Type defines the type of session persistence such as through
+ the use a header or cookie. Defaults to cookie based session
+ persistence.
+
+ Support: Core for "Cookie" type
+
+ Support: Extended for "Header" type
+ enum:
+ - Cookie
+ - Header
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: AbsoluteTimeout must be specified when cookie lifetimeType
+ is Permanent
+ rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType)
+ || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)'
timeouts:
- description: "Timeouts defines the timeouts that can be configured
- for an HTTP request. \n Support: Extended \n "
+ description: |-
+ Timeouts defines the timeouts that can be configured for an HTTP request.
+
+ Support: Extended
properties:
backendRequest:
- description: "BackendRequest specifies a timeout for an
- individual request from the gateway to a backend. This
- covers the time from when the request first starts being
- sent from the gateway to when the full response has been
- received from the backend. \n An entire client HTTP transaction
- with a gateway, covered by the Request timeout, may result
- in more than one call from the gateway to the destination
- backend, for example, if automatic retries are supported.
- \n Because the Request timeout encompasses the BackendRequest
- timeout, the value of BackendRequest must be <= the value
- of Request timeout. \n Support: Extended"
+ description: |-
+ BackendRequest specifies a timeout for an individual request from the gateway
+ to a backend. This covers the time from when the request first starts being
+ sent from the gateway to when the full response has been received from the backend.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ An entire client HTTP transaction with a gateway, covered by the Request timeout,
+ may result in more than one call from the gateway to the destination backend,
+ for example, if automatic retries are supported.
+
+ The value of BackendRequest must be a Gateway API Duration string as defined by
+ GEP-2257. When this field is unspecified, its behavior is implementation-specific;
+ when specified, the value of BackendRequest must be no more than the value of the
+ Request timeout (since the Request timeout encompasses the BackendRequest timeout).
+
+ Support: Extended
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
request:
- description: "Request specifies the maximum duration for
- a gateway to respond to an HTTP request. If the gateway
- has not been able to respond before this deadline is met,
- the gateway MUST return a timeout error. \n For example,
- setting the `rules.timeouts.request` field to the value
- `10s` in an `HTTPRoute` will cause a timeout if a client
- request is taking longer than 10 seconds to complete.
- \n This timeout is intended to cover as close to the whole
- request-response transaction as possible although an implementation
- MAY choose to start the timeout after the entire request
- stream has been received instead of immediately after
- the transaction is initiated by the client. \n When this
+ description: |-
+ Request specifies the maximum duration for a gateway to respond to an HTTP request.
+ If the gateway has not been able to respond before this deadline is met, the gateway
+ MUST return a timeout error.
+
+ For example, setting the `rules.timeouts.request` field to the value `10s` in an
+ `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds
+ to complete.
+
+ Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout
+ completely. Implementations that cannot completely disable the timeout MUST
+ instead interpret the zero duration as the longest possible value to which
+ the timeout can be set.
+
+ This timeout is intended to cover as close to the whole request-response transaction
+ as possible although an implementation MAY choose to start the timeout after the entire
+ request stream has been received instead of immediately after the transaction is
+ initiated by the client.
+
+ The value of Request is a Gateway API Duration string as defined by GEP-2257. When this
field is unspecified, request timeout behavior is implementation-specific.
- \n Support: Extended"
+
+ Support: Extended
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
@@ -9230,86 +12178,101 @@ spec:
!= ''PathPrefix'') ? false : true) : true'
maxItems: 16
type: array
+ x-kubernetes-validations:
+ - message: While 16 rules and 64 matches per rule are allowed, the
+ total number of matches across all rules in a route must be less
+ than 128
+ rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size()
+ > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size()
+ : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size()
+ > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size()
+ : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size()
+ > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size()
+ : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size()
+ > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size()
+ : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size()
+ > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size()
+ : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128'
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
type: object
status:
description: Status defines the current state of HTTPRoute.
properties:
parents:
- description: "Parents is a list of parent resources (usually Gateways)
- that are associated with the route, and the status of the route
- with respect to each parent. When this route attaches to a parent,
- the controller that manages the parent must add an entry to this
- list when the controller first sees the route and should update
- the entry as appropriate when the route or gateway is modified.
- \n Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this
- API can only populate Route status for the Gateways/parent resources
- they are responsible for. \n A maximum of 32 Gateways will be represented
- in this list. An empty list means the route has not been attached
- to any Gateway."
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
items:
- description: RouteParentStatus describes the status of a route with
- respect to an associated Parent.
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
properties:
conditions:
- description: "Conditions describes the status of the route with
- respect to the Gateway. Note that the route's availability
- is also subject to the Gateway's own status conditions and
- listener status. \n If the Route's ParentRef specifies an
- existing Gateway that supports Routes of this kind AND that
- Gateway's controller has sufficient access, then that Gateway's
- controller MUST set the \"Accepted\" condition on the Route,
- to indicate whether the route has been accepted or rejected
- by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
- if at least one of the Route's rules is implemented by the
- Gateway. \n There are a number of cases where the \"Accepted\"
- condition may not be set due to lack of controller visibility,
- that includes when: \n * The Route refers to a non-existent
- parent. * The Route is of a type that the controller does
- not support. * The Route is in a namespace the controller
- does not have access to."
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -9324,11 +12287,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -9346,131 +12304,154 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
- description: ParentRef corresponds with a ParentRef in the spec
- that this RouteParentStatus struct describes the status of.
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
- the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any
- namespace to the Service. \n ParentRefs from a Route to
- a Service in a different namespace are \"consumer\" routes,
- and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for
- which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n When the parent resource is
- a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are
- specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
- to support other parent resources. Implementations supporting
- other types of parent resources MUST clearly document
- how/if Port is interpreted. \n For the purpose of status,
- an attachment is considered successful as long as the
- parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them
- by Route kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing Route,
- the Route MUST be considered successfully attached. If
- no Gateway listeners accept attachment from this Route,
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
- \n Support: Extended \n "
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -9491,7 +12472,7 @@ spec:
- spec
type: object
served: true
- storage: true
+ storage: false
subresources:
status: {}
status:
@@ -9508,8 +12489,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: referencegrants.gateway.networking.k8s.io
@@ -9526,138 +12507,6 @@ spec:
singular: referencegrant
scope: Namespaced
versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- deprecated: true
- deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated
- and will be removed in a future release of the API. Please upgrade to v1beta1.
- name: v1alpha2
- schema:
- openAPIV3Schema:
- description: "ReferenceGrant identifies kinds of resources in other namespaces
- that are trusted to reference the specified kinds of resources in the same
- namespace as the policy. \n Each ReferenceGrant can be used to represent
- a unique trust relationship. Additional Reference Grants can be used to
- add to the set of trusted sources of inbound references for the namespace
- they are defined within. \n A ReferenceGrant is required for all cross-namespace
- references in Gateway API (with the exception of cross-namespace Route-Gateway
- attachment, which is governed by the AllowedRoutes configuration on the
- Gateway, and cross-namespace Service ParentRefs on a \"consumer\" mesh Route,
- which defines routing rules applicable only to workloads in the Route namespace).
- ReferenceGrants allowing a reference from a Route to a Service are only
- applicable to BackendRefs. \n ReferenceGrant is a form of runtime verification
- allowing users to assert which cross-namespace object references are permitted.
- Implementations that support ReferenceGrant MUST NOT permit cross-namespace
- references which have no grant, and MUST respond to the removal of a grant
- by revoking the access that the grant allowed."
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Spec defines the desired state of ReferenceGrant.
- properties:
- from:
- description: "From describes the trusted namespaces and kinds that
- can reference the resources described in \"To\". Each entry in this
- list MUST be considered to be an additional place that references
- can be valid from, or to put this another way, entries MUST be combined
- using OR. \n Support: Core"
- items:
- description: ReferenceGrantFrom describes trusted namespaces and
- kinds.
- properties:
- group:
- description: "Group is the group of the referent. When empty,
- the Kubernetes core API group is inferred. \n Support: Core"
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: "Kind is the kind of the referent. Although implementations
- may support additional resources, the following types are
- part of the \"Core\" support level for this field. \n When
- used to permit a SecretObjectReference: \n * Gateway \n When
- used to permit a BackendObjectReference: \n * GRPCRoute *
- HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- namespace:
- description: "Namespace is the namespace of the referent. \n
- Support: Core"
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - group
- - kind
- - namespace
- type: object
- maxItems: 16
- minItems: 1
- type: array
- to:
- description: "To describes the resources that may be referenced by
- the resources described in \"From\". Each entry in this list MUST
- be considered to be an additional place that references can be valid
- to, or to put this another way, entries MUST be combined using OR.
- \n Support: Core"
- items:
- description: ReferenceGrantTo describes what Kinds are allowed as
- targets of the references.
- properties:
- group:
- description: "Group is the group of the referent. When empty,
- the Kubernetes core API group is inferred. \n Support: Core"
- maxLength: 253
- pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- kind:
- description: "Kind is the kind of the referent. Although implementations
- may support additional resources, the following types are
- part of the \"Core\" support level for this field: \n * Secret
- when used to permit a SecretObjectReference * Service when
- used to permit a BackendObjectReference"
- maxLength: 63
- minLength: 1
- pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
- type: string
- name:
- description: Name is the name of the referent. When unspecified,
- this policy refers to all resources of the specified Group
- and Kind in the local namespace.
- maxLength: 253
- minLength: 1
- type: string
- required:
- - group
- - kind
- type: object
- maxItems: 16
- minItems: 1
- type: array
- required:
- - from
- - to
- type: object
- type: object
- served: true
- storage: false
- subresources: {}
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
@@ -9665,28 +12514,38 @@ spec:
name: v1beta1
schema:
openAPIV3Schema:
- description: "ReferenceGrant identifies kinds of resources in other namespaces
- that are trusted to reference the specified kinds of resources in the same
- namespace as the policy. \n Each ReferenceGrant can be used to represent
- a unique trust relationship. Additional Reference Grants can be used to
- add to the set of trusted sources of inbound references for the namespace
- they are defined within. \n All cross-namespace references in Gateway API
- (with the exception of cross-namespace Gateway-route attachment) require
- a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing
- users to assert which cross-namespace object references are permitted. Implementations
- that support ReferenceGrant MUST NOT permit cross-namespace references which
- have no grant, and MUST respond to the removal of a grant by revoking the
- access that the grant allowed."
+ description: |-
+ ReferenceGrant identifies kinds of resources in other namespaces that are
+ trusted to reference the specified kinds of resources in the same namespace
+ as the policy.
+
+ Each ReferenceGrant can be used to represent a unique trust relationship.
+ Additional Reference Grants can be used to add to the set of trusted
+ sources of inbound references for the namespace they are defined within.
+
+ All cross-namespace references in Gateway API (with the exception of cross-namespace
+ Gateway-route attachment) require a ReferenceGrant.
+
+ ReferenceGrant is a form of runtime verification allowing users to assert
+ which cross-namespace object references are permitted. Implementations that
+ support ReferenceGrant MUST NOT permit cross-namespace references which have
+ no grant, and MUST respond to the removal of a grant by revoking the access
+ that the grant allowed.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -9694,35 +12553,52 @@ spec:
description: Spec defines the desired state of ReferenceGrant.
properties:
from:
- description: "From describes the trusted namespaces and kinds that
- can reference the resources described in \"To\". Each entry in this
- list MUST be considered to be an additional place that references
- can be valid from, or to put this another way, entries MUST be combined
- using OR. \n Support: Core"
+ description: |-
+ From describes the trusted namespaces and kinds that can reference the
+ resources described in "To". Each entry in this list MUST be considered
+ to be an additional place that references can be valid from, or to put
+ this another way, entries MUST be combined using OR.
+
+ Support: Core
items:
description: ReferenceGrantFrom describes trusted namespaces and
kinds.
properties:
group:
- description: "Group is the group of the referent. When empty,
- the Kubernetes core API group is inferred. \n Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
- description: "Kind is the kind of the referent. Although implementations
- may support additional resources, the following types are
- part of the \"Core\" support level for this field. \n When
- used to permit a SecretObjectReference: \n * Gateway \n When
- used to permit a BackendObjectReference: \n * GRPCRoute *
- HTTPRoute * TCPRoute * TLSRoute * UDPRoute"
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field.
+
+ When used to permit a SecretObjectReference:
+
+ * Gateway
+
+ When used to permit a BackendObjectReference:
+
+ * GRPCRoute
+ * HTTPRoute
+ * TCPRoute
+ * TLSRoute
+ * UDPRoute
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
namespace:
- description: "Namespace is the namespace of the referent. \n
- Support: Core"
+ description: |-
+ Namespace is the namespace of the referent.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -9736,35 +12612,44 @@ spec:
minItems: 1
type: array
to:
- description: "To describes the resources that may be referenced by
- the resources described in \"From\". Each entry in this list MUST
- be considered to be an additional place that references can be valid
- to, or to put this another way, entries MUST be combined using OR.
- \n Support: Core"
+ description: |-
+ To describes the resources that may be referenced by the resources
+ described in "From". Each entry in this list MUST be considered to be an
+ additional place that references can be valid to, or to put this another
+ way, entries MUST be combined using OR.
+
+ Support: Core
items:
- description: ReferenceGrantTo describes what Kinds are allowed as
- targets of the references.
+ description: |-
+ ReferenceGrantTo describes what Kinds are allowed as targets of the
+ references.
properties:
group:
- description: "Group is the group of the referent. When empty,
- the Kubernetes core API group is inferred. \n Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When empty, the Kubernetes core API group is inferred.
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
- description: "Kind is the kind of the referent. Although implementations
- may support additional resources, the following types are
- part of the \"Core\" support level for this field: \n * Secret
- when used to permit a SecretObjectReference * Service when
- used to permit a BackendObjectReference"
+ description: |-
+ Kind is the kind of the referent. Although implementations may support
+ additional resources, the following types are part of the "Core"
+ support level for this field:
+
+ * Secret when used to permit a SecretObjectReference
+ * Service when used to permit a BackendObjectReference
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: Name is the name of the referent. When unspecified,
- this policy refers to all resources of the specified Group
- and Kind in the local namespace.
+ description: |-
+ Name is the name of the referent. When unspecified, this policy
+ refers to all resources of the specified Group and Kind in the local
+ namespace.
maxLength: 253
minLength: 1
type: string
@@ -9797,8 +12682,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tcproutes.gateway.networking.k8s.io
@@ -9820,19 +12705,25 @@ spec:
name: v1alpha2
schema:
openAPIV3Schema:
- description: TCPRoute provides a way to route TCP requests. When combined
- with a Gateway listener, it can be used to forward connections on the port
- specified by the listener to a set of backends specified by the TCPRoute.
+ description: |-
+ TCPRoute provides a way to route TCP requests. When combined with a Gateway
+ listener, it can be used to forward connections on the port specified by the
+ listener to a set of backends specified by the TCPRoute.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -9840,165 +12731,213 @@ spec:
description: Spec defines the desired state of TCPRoute.
properties:
parentRefs:
- description: "ParentRefs references the resources (usually Gateways)
- that a Route wants to be attached to. Note that the referenced parent
- resource needs to allow this for the attachment to be complete.
- For Gateways, that means the Gateway needs to allow attachment from
- Routes of this kind and namespace. For Services, that means the
- Service must either be in the same namespace for a \"producer\"
- route, or the mesh implementation must support and allow \"consumer\"
- routes for the referenced Service. ReferenceGrant is not applicable
- for governing ParentRefs to Services - it is not possible to create
- a \"producer\" route for a Service in a different namespace from
- the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) This
- API may be extended in the future to support additional kinds of
- parent resources. \n ParentRefs must be _distinct_. This means either
- that: \n * They select different objects. If this is the case,
- then parentRef entries are distinct. In terms of fields, this means
- that the multi-part key defined by `group`, `kind`, `namespace`,
- and `name` must be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field
- used, each ParentRef that selects the same object must set the same
- set of optional fields to different values. If one ParentRef sets
- a combination of optional fields, all must set the same combination.
- \n Some examples: \n * If one ParentRef sets `sectionName`, all
- ParentRefs referencing the same object must also set `sectionName`.
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`. * If one ParentRef sets `sectionName`
- and `port`, all ParentRefs referencing the same object must also
- set `sectionName` and `port`. \n It is possible to separately reference
- multiple distinct objects that may be collapsed by an implementation.
- For example, some implementations may choose to merge compatible
- Gateway Listeners together. If that is the case, the list of routes
- attached to those resources should also be merged. \n Note that
- for ParentRefs that cross namespace boundaries, there are specific
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For
- example, Gateway has the AllowedRoutes field, and ReferenceGrant
- provides a generic way to enable other kinds of cross-namespace
- reference. \n ParentRefs from a Route to a Service in the same
- namespace are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for which the
- intended destination of the connections are a Service targeted as
- a ParentRef of the Route. \n "
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+
+
items:
- description: "ParentReference identifies an API object (usually
- a Gateway) that can be considered a parent of this resource (usually
- a route). There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service
- (Mesh conformance profile, experimental, ClusterIP Services only)
- \n This API may be extended in the future to support additional
- kinds of parent resources. \n The API object must be valid in
- the cluster; the Group and Kind must be registered in the cluster
- for this reference to be valid."
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the core
- API group (such as for a \"Service\" kind referent), Group
- must be explicitly set to \"\" (empty string). \n Support:
- Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are two
- kinds of parent resources with \"Core\" support: \n * Gateway
- (Gateway conformance profile) * Service (Mesh conformance
- profile, experimental, ClusterIP Services only) \n Support
- for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent. When
- unspecified, this refers to the local namespace of the Route.
- \n Note that there are specific rules for ParentRefs which
- cross namespace boundaries. Cross-namespace references are
- only valid if they are explicitly allowed by something in
- the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides a
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service.
- \n ParentRefs from a Route to a Service in a different namespace
- are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same
- namespace as the Route, for which the intended destination
- of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets. It
- can be interpreted differently based on the type of parent
- resource. \n When the parent resource is a Gateway, this targets
- all listeners listening on the specified port that also support
- this kind of Route(and select this Route). It's not recommended
- to set `Port` unless the networking behaviors specified in
- a Route must apply to a specific port as opposed to a listener(s)
- whose port(s) may be changed. When both Port and SectionName
- are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
- is a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes can
- attach to them by Route kind, namespace, or hostname. If 1
- of 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway. \n
- Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within the
- target resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match both
- specified values. * Service: Port Name. When both Port (experimental)
- and SectionName are specified, the name and port of the selected
- listener must match both specified values. Note that attaching
- Routes to Services as Parents is part of experimental Mesh
- support and is not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this will
- reference the entire resource. For the purpose of status,
- an attachment is considered successful if at least one section
- in the parent resource accepts it. For example, Gateway listeners
- can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept
- attachment from the referencing Route, the Route MUST be considered
- successfully attached. If no Gateway listeners accept attachment
- from this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -10032,67 +12971,85 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: Rules are a list of TCP matchers and actions.
+ description: |+
+ Rules are a list of TCP matchers and actions.
+
items:
description: TCPRouteRule is the configuration for a given rule.
properties:
backendRefs:
- description: "BackendRefs defines the backend(s) where matching
- requests should be sent. If unspecified or invalid (refers
- to a non-existent resource or a Service with no endpoints),
- the underlying implementation MUST actively reject connection
- attempts to this backend. Connection rejections must respect
- weight; if an invalid backend is requested to have 80% of
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent. If unspecified or invalid (refers to a non-existent resource or a
+ Service with no endpoints), the underlying implementation MUST actively
+ reject connection attempts to this backend. Connection rejections must
+ respect weight; if an invalid backend is requested to have 80% of
connections, then 80% of connections must be rejected instead.
- \n Support: Core for Kubernetes Service \n Support: Extended
- for Kubernetes ServiceImport \n Support: Implementation-specific
- for any other resource \n Support for weight: Extended"
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Extended
items:
- description: "BackendRef defines how a Route should forward
- a request to a Kubernetes resource. \n Note that when a
- namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace
- to allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details. \n
- \n When the BackendRef points to a Kubernetes Service, implementations
- SHOULD honor the appProtocol field if it is set for the
- target Service Port. \n Implementations supporting appProtocol
- SHOULD recognize the Kubernetes Standard Application Protocols
- defined in KEP-3726. \n If a Service appProtocol isn't specified,
- an implementation MAY infer the backend protocol through
- its own means. Implementations MAY infer the protocol from
- the Route type referring to the backend Service. \n If a
- Route is not able to send traffic to the backend using the
- specified protocol then the backend is considered invalid.
- Implementations MUST set the \"ResolvedRefs\" condition
- to \"False\" with the \"UnsupportedProtocol\" reason. \n
- \n Note that when the
- BackendTLSPolicy object is enabled by the implementation,
- there are some extra rules about validity to consider here.
- See the fields where this struct is used for more information
- about the exact behavior."
+ description: |-
+ BackendRef defines how a Route should forward a request to a Kubernetes
+ resource.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+
+ Note that when the BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here. See the fields
+ where this struct is used for more information about the exact behavior.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -10103,43 +13060,47 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
- description: "Weight specifies the proportion of requests
- forwarded to the referenced backend. This is computed
- as weight/(sum of all weights in this BackendRefs list).
- For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision
- an implementation supports. Weight is not a percentage
- and the sum of weights does not need to equal 100. \n
- If only one backend is specified and it has a weight
- greater than 0, 100% of the traffic is forwarded to
- that backend. If weight is set to 0, no traffic should
- be forwarded for this entry. If unspecified, weight
- defaults to 1. \n Support for this field varies based
- on the context where used."
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
format: int32
maximum: 1000000
minimum: 0
@@ -10154,10 +13115,23 @@ spec:
maxItems: 16
minItems: 1
type: array
+ name:
+ description: |-
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
type: object
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-validations:
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
required:
- rules
type: object
@@ -10165,81 +13139,78 @@ spec:
description: Status defines the current state of TCPRoute.
properties:
parents:
- description: "Parents is a list of parent resources (usually Gateways)
- that are associated with the route, and the status of the route
- with respect to each parent. When this route attaches to a parent,
- the controller that manages the parent must add an entry to this
- list when the controller first sees the route and should update
- the entry as appropriate when the route or gateway is modified.
- \n Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this
- API can only populate Route status for the Gateways/parent resources
- they are responsible for. \n A maximum of 32 Gateways will be represented
- in this list. An empty list means the route has not been attached
- to any Gateway."
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
items:
- description: RouteParentStatus describes the status of a route with
- respect to an associated Parent.
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
properties:
conditions:
- description: "Conditions describes the status of the route with
- respect to the Gateway. Note that the route's availability
- is also subject to the Gateway's own status conditions and
- listener status. \n If the Route's ParentRef specifies an
- existing Gateway that supports Routes of this kind AND that
- Gateway's controller has sufficient access, then that Gateway's
- controller MUST set the \"Accepted\" condition on the Route,
- to indicate whether the route has been accepted or rejected
- by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
- if at least one of the Route's rules is implemented by the
- Gateway. \n There are a number of cases where the \"Accepted\"
- condition may not be set due to lack of controller visibility,
- that includes when: \n * The Route refers to a non-existent
- parent. * The Route is of a type that the controller does
- not support. * The Route is in a namespace the controller
- does not have access to."
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -10254,11 +13225,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -10276,131 +13242,154 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
- description: ParentRef corresponds with a ParentRef in the spec
- that this RouteParentStatus struct describes the status of.
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
- the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any
- namespace to the Service. \n ParentRefs from a Route to
- a Service in a different namespace are \"consumer\" routes,
- and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for
- which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n When the parent resource is
- a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are
- specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
- to support other parent resources. Implementations supporting
- other types of parent resources MUST clearly document
- how/if Port is interpreted. \n For the purpose of status,
- an attachment is considered successful as long as the
- parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them
- by Route kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing Route,
- the Route MUST be considered successfully attached. If
- no Gateway listeners accept attachment from this Route,
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
- \n Support: Extended \n "
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -10438,8 +13427,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: tlsroutes.gateway.networking.k8s.io
@@ -10461,21 +13450,28 @@ spec:
name: v1alpha2
schema:
openAPIV3Schema:
- description: "The TLSRoute resource is similar to TCPRoute, but can be configured
- to match against TLS-specific metadata. This allows more flexibility in
- matching streams for a given TLS listener. \n If you need to forward traffic
- to a single target for a TLS listener, you could choose to use a TCPRoute
- with a TLS listener."
+ description: |-
+ The TLSRoute resource is similar to TCPRoute, but can be configured
+ to match against TLS-specific metadata. This allows more flexibility
+ in matching streams for a given TLS listener.
+
+ If you need to forward traffic to a single target for a TLS listener, you
+ could choose to use a TCPRoute with a TLS listener.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -10483,43 +13479,56 @@ spec:
description: Spec defines the desired state of TLSRoute.
properties:
hostnames:
- description: "Hostnames defines a set of SNI names that should match
- against the SNI attribute of TLS ClientHello message in TLS handshake.
- This matches the RFC 1123 definition of a hostname with 2 notable
- exceptions: \n 1. IPs are not allowed in SNI names per RFC 6066.
- 2. A hostname may be prefixed with a wildcard label (`*.`). The
- wildcard label must appear by itself as the first label. \n If a
- hostname is specified by both the Listener and TLSRoute, there must
- be at least one intersecting hostname for the TLSRoute to be attached
- to the Listener. For example: \n * A Listener with `test.example.com`
- as the hostname matches TLSRoutes that have either not specified
- any hostnames, or have specified at least one of `test.example.com`
- or `*.example.com`. * A Listener with `*.example.com` as the hostname
- matches TLSRoutes that have either not specified any hostnames or
- have specified at least one hostname that matches the Listener hostname.
- For example, `test.example.com` and `*.example.com` would both match.
- On the other hand, `example.com` and `test.example.net` would not
- match. \n If both the Listener and TLSRoute have specified hostnames,
- any TLSRoute hostnames that do not match the Listener hostname MUST
- be ignored. For example, if a Listener specified `*.example.com`,
- and the TLSRoute specified `test.example.com` and `test.example.net`,
- `test.example.net` must not be considered for a match. \n If both
- the Listener and TLSRoute have specified hostnames, and none match
- with the criteria above, then the TLSRoute is not accepted. The
- implementation must raise an 'Accepted' Condition with a status
- of `False` in the corresponding RouteParentStatus. \n Support: Core"
+ description: |-
+ Hostnames defines a set of SNI names that should match against the
+ SNI attribute of TLS ClientHello message in TLS handshake. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed in SNI names per RFC 6066.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ If a hostname is specified by both the Listener and TLSRoute, there
+ must be at least one intersecting hostname for the TLSRoute to be
+ attached to the Listener. For example:
+
+ * A Listener with `test.example.com` as the hostname matches TLSRoutes
+ that have either not specified any hostnames, or have specified at
+ least one of `test.example.com` or `*.example.com`.
+ * A Listener with `*.example.com` as the hostname matches TLSRoutes
+ that have either not specified any hostnames or have specified at least
+ one hostname that matches the Listener hostname. For example,
+ `test.example.com` and `*.example.com` would both match. On the other
+ hand, `example.com` and `test.example.net` would not match.
+
+ If both the Listener and TLSRoute have specified hostnames, any
+ TLSRoute hostnames that do not match the Listener hostname MUST be
+ ignored. For example, if a Listener specified `*.example.com`, and the
+ TLSRoute specified `test.example.com` and `test.example.net`,
+ `test.example.net` must not be considered for a match.
+
+ If both the Listener and TLSRoute have specified hostnames, and none
+ match with the criteria above, then the TLSRoute is not accepted. The
+ implementation must raise an 'Accepted' Condition with a status of
+ `False` in the corresponding RouteParentStatus.
+
+ Support: Core
items:
- description: "Hostname is the fully qualified domain name of a network
- host. This matches the RFC 1123 definition of a hostname with
- 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname
- may be prefixed with a wildcard label (`*.`). The wildcard label
- must appear by itself as the first label. \n Hostname can be \"precise\"
- which is a domain name without the terminating dot of a network
- host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain
- name prefixed with a single wildcard label (e.g. `*.example.com`).
- \n Note that as per RFC1035 and RFC1123, a *label* must consist
- of lower case alphanumeric characters or '-', and must start and
- end with an alphanumeric character. No other punctuation is allowed."
+ description: |-
+ Hostname is the fully qualified domain name of a network host. This matches
+ the RFC 1123 definition of a hostname with 2 notable exceptions:
+
+ 1. IPs are not allowed.
+ 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard
+ label must appear by itself as the first label.
+
+ Hostname can be "precise" which is a domain name without the terminating
+ dot of a network host (e.g. "foo.example.com") or "wildcard", which is a
+ domain name prefixed with a single wildcard label (e.g. `*.example.com`).
+
+ Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
+ alphanumeric characters or '-', and must start and end with an alphanumeric
+ character. No other punctuation is allowed.
maxLength: 253
minLength: 1
pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -10527,165 +13536,213 @@ spec:
maxItems: 16
type: array
parentRefs:
- description: "ParentRefs references the resources (usually Gateways)
- that a Route wants to be attached to. Note that the referenced parent
- resource needs to allow this for the attachment to be complete.
- For Gateways, that means the Gateway needs to allow attachment from
- Routes of this kind and namespace. For Services, that means the
- Service must either be in the same namespace for a \"producer\"
- route, or the mesh implementation must support and allow \"consumer\"
- routes for the referenced Service. ReferenceGrant is not applicable
- for governing ParentRefs to Services - it is not possible to create
- a \"producer\" route for a Service in a different namespace from
- the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) This
- API may be extended in the future to support additional kinds of
- parent resources. \n ParentRefs must be _distinct_. This means either
- that: \n * They select different objects. If this is the case,
- then parentRef entries are distinct. In terms of fields, this means
- that the multi-part key defined by `group`, `kind`, `namespace`,
- and `name` must be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field
- used, each ParentRef that selects the same object must set the same
- set of optional fields to different values. If one ParentRef sets
- a combination of optional fields, all must set the same combination.
- \n Some examples: \n * If one ParentRef sets `sectionName`, all
- ParentRefs referencing the same object must also set `sectionName`.
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`. * If one ParentRef sets `sectionName`
- and `port`, all ParentRefs referencing the same object must also
- set `sectionName` and `port`. \n It is possible to separately reference
- multiple distinct objects that may be collapsed by an implementation.
- For example, some implementations may choose to merge compatible
- Gateway Listeners together. If that is the case, the list of routes
- attached to those resources should also be merged. \n Note that
- for ParentRefs that cross namespace boundaries, there are specific
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For
- example, Gateway has the AllowedRoutes field, and ReferenceGrant
- provides a generic way to enable other kinds of cross-namespace
- reference. \n ParentRefs from a Route to a Service in the same
- namespace are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for which the
- intended destination of the connections are a Service targeted as
- a ParentRef of the Route. \n "
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+
+
items:
- description: "ParentReference identifies an API object (usually
- a Gateway) that can be considered a parent of this resource (usually
- a route). There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service
- (Mesh conformance profile, experimental, ClusterIP Services only)
- \n This API may be extended in the future to support additional
- kinds of parent resources. \n The API object must be valid in
- the cluster; the Group and Kind must be registered in the cluster
- for this reference to be valid."
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the core
- API group (such as for a \"Service\" kind referent), Group
- must be explicitly set to \"\" (empty string). \n Support:
- Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are two
- kinds of parent resources with \"Core\" support: \n * Gateway
- (Gateway conformance profile) * Service (Mesh conformance
- profile, experimental, ClusterIP Services only) \n Support
- for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent. When
- unspecified, this refers to the local namespace of the Route.
- \n Note that there are specific rules for ParentRefs which
- cross namespace boundaries. Cross-namespace references are
- only valid if they are explicitly allowed by something in
- the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides a
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service.
- \n ParentRefs from a Route to a Service in a different namespace
- are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same
- namespace as the Route, for which the intended destination
- of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets. It
- can be interpreted differently based on the type of parent
- resource. \n When the parent resource is a Gateway, this targets
- all listeners listening on the specified port that also support
- this kind of Route(and select this Route). It's not recommended
- to set `Port` unless the networking behaviors specified in
- a Route must apply to a specific port as opposed to a listener(s)
- whose port(s) may be changed. When both Port and SectionName
- are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
- is a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes can
- attach to them by Route kind, namespace, or hostname. If 1
- of 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway. \n
- Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within the
- target resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match both
- specified values. * Service: Port Name. When both Port (experimental)
- and SectionName are specified, the name and port of the selected
- listener must match both specified values. Note that attaching
- Routes to Services as Parents is part of experimental Mesh
- support and is not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this will
- reference the entire resource. For the purpose of status,
- an attachment is considered successful if at least one section
- in the parent resource accepts it. For example, Gateway listeners
- can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept
- attachment from the referencing Route, the Route MUST be considered
- successfully attached. If no Gateway listeners accept attachment
- from this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -10719,70 +13776,88 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: Rules are a list of TLS matchers and actions.
+ description: |+
+ Rules are a list of TLS matchers and actions.
+
items:
description: TLSRouteRule is the configuration for a given rule.
properties:
backendRefs:
- description: "BackendRefs defines the backend(s) where matching
- requests should be sent. If unspecified or invalid (refers
- to a non-existent resource or a Service with no endpoints),
- the rule performs no forwarding; if no filters are specified
- that would result in a response being sent, the underlying
- implementation must actively reject request attempts to this
- backend, by rejecting the connection or returning a 500 status
- code. Request rejections must respect weight; if an invalid
- backend is requested to have 80% of requests, then 80% of
- requests must be rejected instead. \n Support: Core for Kubernetes
- Service \n Support: Extended for Kubernetes ServiceImport
- \n Support: Implementation-specific for any other resource
- \n Support for weight: Extended"
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent. If unspecified or invalid (refers to a non-existent resource or
+ a Service with no endpoints), the rule performs no forwarding; if no
+ filters are specified that would result in a response being sent, the
+ underlying implementation must actively reject request attempts to this
+ backend, by rejecting the connection or returning a 500 status code.
+ Request rejections must respect weight; if an invalid backend is
+ requested to have 80% of requests, then 80% of requests must be rejected
+ instead.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Extended
items:
- description: "BackendRef defines how a Route should forward
- a request to a Kubernetes resource. \n Note that when a
- namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace
- to allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details. \n
- \n When the BackendRef points to a Kubernetes Service, implementations
- SHOULD honor the appProtocol field if it is set for the
- target Service Port. \n Implementations supporting appProtocol
- SHOULD recognize the Kubernetes Standard Application Protocols
- defined in KEP-3726. \n If a Service appProtocol isn't specified,
- an implementation MAY infer the backend protocol through
- its own means. Implementations MAY infer the protocol from
- the Route type referring to the backend Service. \n If a
- Route is not able to send traffic to the backend using the
- specified protocol then the backend is considered invalid.
- Implementations MUST set the \"ResolvedRefs\" condition
- to \"False\" with the \"UnsupportedProtocol\" reason. \n
- \n Note that when the
- BackendTLSPolicy object is enabled by the implementation,
- there are some extra rules about validity to consider here.
- See the fields where this struct is used for more information
- about the exact behavior."
+ description: |-
+ BackendRef defines how a Route should forward a request to a Kubernetes
+ resource.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+
+ Note that when the BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here. See the fields
+ where this struct is used for more information about the exact behavior.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -10793,43 +13868,47 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
- description: "Weight specifies the proportion of requests
- forwarded to the referenced backend. This is computed
- as weight/(sum of all weights in this BackendRefs list).
- For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision
- an implementation supports. Weight is not a percentage
- and the sum of weights does not need to equal 100. \n
- If only one backend is specified and it has a weight
- greater than 0, 100% of the traffic is forwarded to
- that backend. If weight is set to 0, no traffic should
- be forwarded for this entry. If unspecified, weight
- defaults to 1. \n Support for this field varies based
- on the context where used."
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
format: int32
maximum: 1000000
minimum: 0
@@ -10844,10 +13923,23 @@ spec:
maxItems: 16
minItems: 1
type: array
+ name:
+ description: |-
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
type: object
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-validations:
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
required:
- rules
type: object
@@ -10855,81 +13947,78 @@ spec:
description: Status defines the current state of TLSRoute.
properties:
parents:
- description: "Parents is a list of parent resources (usually Gateways)
- that are associated with the route, and the status of the route
- with respect to each parent. When this route attaches to a parent,
- the controller that manages the parent must add an entry to this
- list when the controller first sees the route and should update
- the entry as appropriate when the route or gateway is modified.
- \n Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this
- API can only populate Route status for the Gateways/parent resources
- they are responsible for. \n A maximum of 32 Gateways will be represented
- in this list. An empty list means the route has not been attached
- to any Gateway."
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
items:
- description: RouteParentStatus describes the status of a route with
- respect to an associated Parent.
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
properties:
conditions:
- description: "Conditions describes the status of the route with
- respect to the Gateway. Note that the route's availability
- is also subject to the Gateway's own status conditions and
- listener status. \n If the Route's ParentRef specifies an
- existing Gateway that supports Routes of this kind AND that
- Gateway's controller has sufficient access, then that Gateway's
- controller MUST set the \"Accepted\" condition on the Route,
- to indicate whether the route has been accepted or rejected
- by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
- if at least one of the Route's rules is implemented by the
- Gateway. \n There are a number of cases where the \"Accepted\"
- condition may not be set due to lack of controller visibility,
- that includes when: \n * The Route refers to a non-existent
- parent. * The Route is of a type that the controller does
- not support. * The Route is in a namespace the controller
- does not have access to."
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -10944,11 +14033,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -10966,131 +14050,154 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
- description: ParentRef corresponds with a ParentRef in the spec
- that this RouteParentStatus struct describes the status of.
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
- the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any
- namespace to the Service. \n ParentRefs from a Route to
- a Service in a different namespace are \"consumer\" routes,
- and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for
- which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n When the parent resource is
- a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are
- specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
- to support other parent resources. Implementations supporting
- other types of parent resources MUST clearly document
- how/if Port is interpreted. \n For the purpose of status,
- an attachment is considered successful as long as the
- parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them
- by Route kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing Route,
- the Route MUST be considered successfully attached. If
- no Gateway listeners accept attachment from this Route,
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
- \n Support: Extended \n "
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -11128,8 +14235,8 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2466
- gateway.networking.k8s.io/bundle-version: v1.0.0
+ api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328
+ gateway.networking.k8s.io/bundle-version: v1.2.0
gateway.networking.k8s.io/channel: experimental
creationTimestamp: null
name: udproutes.gateway.networking.k8s.io
@@ -11151,19 +14258,25 @@ spec:
name: v1alpha2
schema:
openAPIV3Schema:
- description: UDPRoute provides a way to route UDP traffic. When combined with
- a Gateway listener, it can be used to forward traffic on the port specified
- by the listener to a set of backends specified by the UDPRoute.
+ description: |-
+ UDPRoute provides a way to route UDP traffic. When combined with a Gateway
+ listener, it can be used to forward traffic on the port specified by the
+ listener to a set of backends specified by the UDPRoute.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -11171,165 +14284,213 @@ spec:
description: Spec defines the desired state of UDPRoute.
properties:
parentRefs:
- description: "ParentRefs references the resources (usually Gateways)
- that a Route wants to be attached to. Note that the referenced parent
- resource needs to allow this for the attachment to be complete.
- For Gateways, that means the Gateway needs to allow attachment from
- Routes of this kind and namespace. For Services, that means the
- Service must either be in the same namespace for a \"producer\"
- route, or the mesh implementation must support and allow \"consumer\"
- routes for the referenced Service. ReferenceGrant is not applicable
- for governing ParentRefs to Services - it is not possible to create
- a \"producer\" route for a Service in a different namespace from
- the Route. \n There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services only) This
- API may be extended in the future to support additional kinds of
- parent resources. \n ParentRefs must be _distinct_. This means either
- that: \n * They select different objects. If this is the case,
- then parentRef entries are distinct. In terms of fields, this means
- that the multi-part key defined by `group`, `kind`, `namespace`,
- and `name` must be unique across all parentRef entries in the Route.
- * They do not select different objects, but for each optional field
- used, each ParentRef that selects the same object must set the same
- set of optional fields to different values. If one ParentRef sets
- a combination of optional fields, all must set the same combination.
- \n Some examples: \n * If one ParentRef sets `sectionName`, all
- ParentRefs referencing the same object must also set `sectionName`.
+ description: |+
+ ParentRefs references the resources (usually Gateways) that a Route wants
+ to be attached to. Note that the referenced parent resource needs to
+ allow this for the attachment to be complete. For Gateways, that means
+ the Gateway needs to allow attachment from Routes of this kind and
+ namespace. For Services, that means the Service must either be in the same
+ namespace for a "producer" route, or the mesh implementation must support
+ and allow "consumer" routes for the referenced Service. ReferenceGrant is
+ not applicable for governing ParentRefs to Services - it is not possible to
+ create a "producer" route for a Service in a different namespace from the
+ Route.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ ParentRefs must be _distinct_. This means either that:
+
+ * They select different objects. If this is the case, then parentRef
+ entries are distinct. In terms of fields, this means that the
+ multi-part key defined by `group`, `kind`, `namespace`, and `name` must
+ be unique across all parentRef entries in the Route.
+ * They do not select different objects, but for each optional field used,
+ each ParentRef that selects the same object must set the same set of
+ optional fields to different values. If one ParentRef sets a
+ combination of optional fields, all must set the same combination.
+
+ Some examples:
+
+ * If one ParentRef sets `sectionName`, all ParentRefs referencing the
+ same object must also set `sectionName`.
* If one ParentRef sets `port`, all ParentRefs referencing the same
- object must also set `port`. * If one ParentRef sets `sectionName`
- and `port`, all ParentRefs referencing the same object must also
- set `sectionName` and `port`. \n It is possible to separately reference
- multiple distinct objects that may be collapsed by an implementation.
- For example, some implementations may choose to merge compatible
- Gateway Listeners together. If that is the case, the list of routes
- attached to those resources should also be merged. \n Note that
- for ParentRefs that cross namespace boundaries, there are specific
+ object must also set `port`.
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs
+ referencing the same object must also set `sectionName` and `port`.
+
+ It is possible to separately reference multiple distinct objects that may
+ be collapsed by an implementation. For example, some implementations may
+ choose to merge compatible Gateway Listeners together. If that is the
+ case, the list of routes attached to those resources should also be
+ merged.
+
+ Note that for ParentRefs that cross namespace boundaries, there are specific
rules. Cross-namespace references are only valid if they are explicitly
- allowed by something in the namespace they are referring to. For
- example, Gateway has the AllowedRoutes field, and ReferenceGrant
- provides a generic way to enable other kinds of cross-namespace
- reference. \n ParentRefs from a Route to a Service in the same
- namespace are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service. \n ParentRefs
- from a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for which the
- intended destination of the connections are a Service targeted as
- a ParentRef of the Route. \n "
+ allowed by something in the namespace they are referring to. For example,
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable other kinds of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+
+
+
items:
- description: "ParentReference identifies an API object (usually
- a Gateway) that can be considered a parent of this resource (usually
- a route). There are two kinds of parent resources with \"Core\"
- support: \n * Gateway (Gateway conformance profile) * Service
- (Mesh conformance profile, experimental, ClusterIP Services only)
- \n This API may be extended in the future to support additional
- kinds of parent resources. \n The API object must be valid in
- the cluster; the Group and Kind must be registered in the cluster
- for this reference to be valid."
+ description: |-
+ ParentReference identifies an API object (usually a Gateway) that can be considered
+ a parent of this resource (usually a route). There are two kinds of parent resources
+ with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ This API may be extended in the future to support additional kinds of parent
+ resources.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the core
- API group (such as for a \"Service\" kind referent), Group
- must be explicitly set to \"\" (empty string). \n Support:
- Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are two
- kinds of parent resources with \"Core\" support: \n * Gateway
- (Gateway conformance profile) * Service (Mesh conformance
- profile, experimental, ClusterIP Services only) \n Support
- for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent. When
- unspecified, this refers to the local namespace of the Route.
- \n Note that there are specific rules for ParentRefs which
- cross namespace boundaries. Cross-namespace references are
- only valid if they are explicitly allowed by something in
- the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides a
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
- \n ParentRefs from a Route to a Service in the same namespace
- are \"producer\" routes, which apply default routing rules
- to inbound connections from any namespace to the Service.
- \n ParentRefs from a Route to a Service in a different namespace
- are \"consumer\" routes, and these routing rules are only
- applied to outbound connections originating from the same
- namespace as the Route, for which the intended destination
- of the connections are a Service targeted as a ParentRef of
- the Route. \n Support: Core"
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets. It
- can be interpreted differently based on the type of parent
- resource. \n When the parent resource is a Gateway, this targets
- all listeners listening on the specified port that also support
- this kind of Route(and select this Route). It's not recommended
- to set `Port` unless the networking behaviors specified in
- a Route must apply to a specific port as opposed to a listener(s)
- whose port(s) may be changed. When both Port and SectionName
- are specified, the name and port of the selected listener
- must match both specified values. \n When the parent resource
- is a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are specified,
- the name and port of the selected port must match both specified
- values. \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes can
- attach to them by Route kind, namespace, or hostname. If 1
- of 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway. \n
- Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within the
- target resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match both
- specified values. * Service: Port Name. When both Port (experimental)
- and SectionName are specified, the name and port of the selected
- listener must match both specified values. Note that attaching
- Routes to Services as Parents is part of experimental Mesh
- support and is not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this will
- reference the entire resource. For the purpose of status,
- an attachment is considered successful if at least one section
- in the parent resource accepts it. For example, Gateway listeners
- can restrict which Routes can attach to them by Route kind,
- namespace, or hostname. If 1 of 2 Gateway listeners accept
- attachment from the referencing Route, the Route MUST be considered
- successfully attached. If no Gateway listeners accept attachment
- from this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -11363,67 +14524,85 @@ spec:
|| p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port
== p2.port))))
rules:
- description: Rules are a list of UDP matchers and actions.
+ description: |+
+ Rules are a list of UDP matchers and actions.
+
items:
description: UDPRouteRule is the configuration for a given rule.
properties:
backendRefs:
- description: "BackendRefs defines the backend(s) where matching
- requests should be sent. If unspecified or invalid (refers
- to a non-existent resource or a Service with no endpoints),
- the underlying implementation MUST actively reject connection
- attempts to this backend. Packet drops must respect weight;
- if an invalid backend is requested to have 80% of the packets,
- then 80% of packets must be dropped instead. \n Support: Core
- for Kubernetes Service \n Support: Extended for Kubernetes
- ServiceImport \n Support: Implementation-specific for any
- other resource \n Support for weight: Extended"
+ description: |-
+ BackendRefs defines the backend(s) where matching requests should be
+ sent. If unspecified or invalid (refers to a non-existent resource or a
+ Service with no endpoints), the underlying implementation MUST actively
+ reject connection attempts to this backend. Packet drops must
+ respect weight; if an invalid backend is requested to have 80% of
+ the packets, then 80% of packets must be dropped instead.
+
+ Support: Core for Kubernetes Service
+
+ Support: Extended for Kubernetes ServiceImport
+
+ Support: Implementation-specific for any other resource
+
+ Support for weight: Extended
items:
- description: "BackendRef defines how a Route should forward
- a request to a Kubernetes resource. \n Note that when a
- namespace different than the local namespace is specified,
- a ReferenceGrant object is required in the referent namespace
- to allow that namespace's owner to accept the reference.
- See the ReferenceGrant documentation for details. \n
- \n When the BackendRef points to a Kubernetes Service, implementations
- SHOULD honor the appProtocol field if it is set for the
- target Service Port. \n Implementations supporting appProtocol
- SHOULD recognize the Kubernetes Standard Application Protocols
- defined in KEP-3726. \n If a Service appProtocol isn't specified,
- an implementation MAY infer the backend protocol through
- its own means. Implementations MAY infer the protocol from
- the Route type referring to the backend Service. \n If a
- Route is not able to send traffic to the backend using the
- specified protocol then the backend is considered invalid.
- Implementations MUST set the \"ResolvedRefs\" condition
- to \"False\" with the \"UnsupportedProtocol\" reason. \n
- \n Note that when the
- BackendTLSPolicy object is enabled by the implementation,
- there are some extra rules about validity to consider here.
- See the fields where this struct is used for more information
- about the exact behavior."
+ description: |-
+ BackendRef defines how a Route should forward a request to a Kubernetes
+ resource.
+
+ Note that when a namespace different than the local namespace is specified, a
+ ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+
+
+ When the BackendRef points to a Kubernetes Service, implementations SHOULD
+ honor the appProtocol field if it is set for the target Service Port.
+
+ Implementations supporting appProtocol SHOULD recognize the Kubernetes
+ Standard Application Protocols defined in KEP-3726.
+
+ If a Service appProtocol isn't specified, an implementation MAY infer the
+ backend protocol through its own means. Implementations MAY infer the
+ protocol from the Route type referring to the backend Service.
+
+ If a Route is not able to send traffic to the backend using the specified
+ protocol then the backend is considered invalid. Implementations MUST set the
+ "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason.
+
+
+
+ Note that when the BackendTLSPolicy object is enabled by the implementation,
+ there are some extra rules about validity to consider here. See the fields
+ where this struct is used for more information about the exact behavior.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -11434,43 +14613,47 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
weight:
default: 1
- description: "Weight specifies the proportion of requests
- forwarded to the referenced backend. This is computed
- as weight/(sum of all weights in this BackendRefs list).
- For non-zero values, there may be some epsilon from
- the exact proportion defined here depending on the precision
- an implementation supports. Weight is not a percentage
- and the sum of weights does not need to equal 100. \n
- If only one backend is specified and it has a weight
- greater than 0, 100% of the traffic is forwarded to
- that backend. If weight is set to 0, no traffic should
- be forwarded for this entry. If unspecified, weight
- defaults to 1. \n Support for this field varies based
- on the context where used."
+ description: |-
+ Weight specifies the proportion of requests forwarded to the referenced
+ backend. This is computed as weight/(sum of all weights in this
+ BackendRefs list). For non-zero values, there may be some epsilon from
+ the exact proportion defined here depending on the precision an
+ implementation supports. Weight is not a percentage and the sum of
+ weights does not need to equal 100.
+
+ If only one backend is specified and it has a weight greater than 0, 100%
+ of the traffic is forwarded to that backend. If weight is set to 0, no
+ traffic should be forwarded for this entry. If unspecified, weight
+ defaults to 1.
+
+ Support for this field varies based on the context where used.
format: int32
maximum: 1000000
minimum: 0
@@ -11485,10 +14668,23 @@ spec:
maxItems: 16
minItems: 1
type: array
+ name:
+ description: |-
+ Name is the name of the route rule. This name MUST be unique within a Route if it is set.
+
+ Support: Extended
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
type: object
maxItems: 16
minItems: 1
type: array
+ x-kubernetes-validations:
+ - message: Rule name must be unique within the route
+ rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name)
+ && l1.name == l2.name))
required:
- rules
type: object
@@ -11496,81 +14692,78 @@ spec:
description: Status defines the current state of UDPRoute.
properties:
parents:
- description: "Parents is a list of parent resources (usually Gateways)
- that are associated with the route, and the status of the route
- with respect to each parent. When this route attaches to a parent,
- the controller that manages the parent must add an entry to this
- list when the controller first sees the route and should update
- the entry as appropriate when the route or gateway is modified.
- \n Note that parent references that cannot be resolved by an implementation
- of this API will not be added to this list. Implementations of this
- API can only populate Route status for the Gateways/parent resources
- they are responsible for. \n A maximum of 32 Gateways will be represented
- in this list. An empty list means the route has not been attached
- to any Gateway."
+ description: |-
+ Parents is a list of parent resources (usually Gateways) that are
+ associated with the route, and the status of the route with respect to
+ each parent. When this route attaches to a parent, the controller that
+ manages the parent must add an entry to this list when the controller
+ first sees the route and should update the entry as appropriate when the
+ route or gateway is modified.
+
+ Note that parent references that cannot be resolved by an implementation
+ of this API will not be added to this list. Implementations of this API
+ can only populate Route status for the Gateways/parent resources they are
+ responsible for.
+
+ A maximum of 32 Gateways will be represented in this list. An empty list
+ means the route has not been attached to any Gateway.
items:
- description: RouteParentStatus describes the status of a route with
- respect to an associated Parent.
+ description: |-
+ RouteParentStatus describes the status of a route with respect to an
+ associated Parent.
properties:
conditions:
- description: "Conditions describes the status of the route with
- respect to the Gateway. Note that the route's availability
- is also subject to the Gateway's own status conditions and
- listener status. \n If the Route's ParentRef specifies an
- existing Gateway that supports Routes of this kind AND that
- Gateway's controller has sufficient access, then that Gateway's
- controller MUST set the \"Accepted\" condition on the Route,
- to indicate whether the route has been accepted or rejected
- by the Gateway, and why. \n A Route MUST be considered \"Accepted\"
- if at least one of the Route's rules is implemented by the
- Gateway. \n There are a number of cases where the \"Accepted\"
- condition may not be set due to lack of controller visibility,
- that includes when: \n * The Route refers to a non-existent
- parent. * The Route is of a type that the controller does
- not support. * The Route is in a namespace the controller
- does not have access to."
+ description: |-
+ Conditions describes the status of the route with respect to the Gateway.
+ Note that the route's availability is also subject to the Gateway's own
+ status conditions and listener status.
+
+ If the Route's ParentRef specifies an existing Gateway that supports
+ Routes of this kind AND that Gateway's controller has sufficient access,
+ then that Gateway's controller MUST set the "Accepted" condition on the
+ Route, to indicate whether the route has been accepted or rejected by the
+ Gateway, and why.
+
+ A Route MUST be considered "Accepted" if at least one of the Route's
+ rules is implemented by the Gateway.
+
+ There are a number of cases where the "Accepted" condition may not be set
+ due to lack of controller visibility, that includes when:
+
+ * The Route refers to a non-existent parent.
+ * The Route is of a type that the controller does not support.
+ * The Route is in a namespace the controller does not have access to.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -11585,11 +14778,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -11607,131 +14795,154 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
parentRef:
- description: ParentRef corresponds with a ParentRef in the spec
- that this RouteParentStatus struct describes the status of.
+ description: |-
+ ParentRef corresponds with a ParentRef in the spec that this
+ RouteParentStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs from a Route to a Service in
- the same namespace are \"producer\" routes, which apply
- default routing rules to inbound connections from any
- namespace to the Service. \n ParentRefs from a Route to
- a Service in a different namespace are \"consumer\" routes,
- and these routing rules are only applied to outbound connections
- originating from the same namespace as the Route, for
- which the intended destination of the connections are
- a Service targeted as a ParentRef of the Route. \n Support:
- Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n When the parent resource is
- a Service, this targets a specific port in the Service
- spec. When both Port (experimental) and SectionName are
- specified, the name and port of the selected port must
- match both specified values. \n Implementations MAY choose
- to support other parent resources. Implementations supporting
- other types of parent resources MUST clearly document
- how/if Port is interpreted. \n For the purpose of status,
- an attachment is considered successful as long as the
- parent resource accepts it partially. For example, Gateway
- listeners can restrict which Routes can attach to them
- by Route kind, namespace, or hostname. If 1 of 2 Gateway
- listeners accept attachment from the referencing Route,
- the Route MUST be considered successfully attached. If
- no Gateway listeners accept attachment from this Route,
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
- \n Support: Extended \n "
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_backends.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_backends.yaml
new file mode 100644
index 0000000..7d0da83
--- /dev/null
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_backends.yaml
@@ -0,0 +1,221 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: backends.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: Backend
+ listKind: BackendList
+ plural: backends
+ shortNames:
+ - be
+ singular: backend
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.conditions[?(@.type=="Accepted")].reason
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Backend allows the user to configure the endpoints of a backend and
+ the behavior of the connection from Envoy Proxy to the backend.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of Backend.
+ properties:
+ appProtocols:
+ description: AppProtocols defines the application protocols to be
+ supported when connecting to the backend.
+ items:
+ description: AppProtocolType defines various backend applications
+ protocols supported by Envoy Gateway
+ enum:
+ - gateway.envoyproxy.io/h2c
+ - gateway.envoyproxy.io/ws
+ - gateway.envoyproxy.io/wss
+ type: string
+ type: array
+ endpoints:
+ description: Endpoints defines the endpoints to be used when connecting
+ to the backend.
+ items:
+ description: |-
+ BackendEndpoint describes a backend endpoint, which can be either a fully-qualified domain name, IP address or unix domain socket
+ corresponding to Envoy's Address: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#config-core-v3-address
+ properties:
+ fqdn:
+ description: FQDN defines a FQDN endpoint
+ properties:
+ hostname:
+ description: Hostname defines the FQDN hostname of the backend
+ endpoint.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
+ type: string
+ port:
+ description: Port defines the port of the backend endpoint.
+ format: int32
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - hostname
+ - port
+ type: object
+ ip:
+ description: IP defines an IP endpoint. Supports both IPv4 and
+ IPv6 addresses.
+ properties:
+ address:
+ description: |-
+ Address defines the IP address of the backend endpoint.
+ Supports both IPv4 and IPv6 addresses.
+ maxLength: 45
+ minLength: 3
+ pattern: ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$|^(([0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F]{1,4}|::|(([0-9a-fA-F]{1,4}:){0,5})?(:[0-9a-fA-F]{1,4}){1,2})$
+ type: string
+ port:
+ description: Port defines the port of the backend endpoint.
+ format: int32
+ maximum: 65535
+ minimum: 0
+ type: integer
+ required:
+ - address
+ - port
+ type: object
+ unix:
+ description: Unix defines the unix domain socket endpoint
+ properties:
+ path:
+ description: Path defines the unix domain socket path of
+ the backend endpoint.
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: one of fqdn, ip or unix must be specified
+ rule: (has(self.fqdn) || has(self.ip) || has(self.unix))
+ - message: only one of fqdn, ip or unix can be specified
+ rule: ((has(self.fqdn) && !(has(self.ip) || has(self.unix))) ||
+ (has(self.ip) && !(has(self.fqdn) || has(self.unix))) || (has(self.unix)
+ && !(has(self.ip) || has(self.fqdn))))
+ maxItems: 4
+ minItems: 1
+ type: array
+ x-kubernetes-validations:
+ - message: fqdn addresses cannot be mixed with other address types
+ rule: self.all(f, has(f.fqdn)) || !self.exists(f, has(f.fqdn))
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ type: object
+ status:
+ description: Status defines the current status of Backend.
+ properties:
+ conditions:
+ description: Conditions describe the current conditions of the Backend.
+ items:
+ description: Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
index 88bc6e4..f9fb0f3 100644
--- a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: backendtrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -19,27 +19,30 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Accepted")].reason
- name: Status
- type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
- description: BackendTrafficPolicy allows the user to configure the behavior
- of the connection between the Envoy Proxy listener and the backend service.
+ description: |-
+ BackendTrafficPolicy allows the user to configure the behavior of the connection
+ between the Envoy Proxy listener and the backend service.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -47,9 +50,9 @@ spec:
description: spec defines the desired state of BackendTrafficPolicy.
properties:
circuitBreaker:
- description: Circuit Breaker settings for the upstream connections
- and requests. If not set, circuit breakers will be enabled with
- the default thresholds
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
properties:
maxConnections:
default: 1024
@@ -88,9 +91,9 @@ spec:
minimum: 0
type: integer
maxRequestsPerConnection:
- description: 'The maximum number of requests that Envoy will make
- over a single connection to the referenced backend defined within
- a xRoute rule. Default: unlimited.'
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
format: int64
maximum: 4294967295
minimum: 0
@@ -99,7 +102,8 @@ spec:
compression:
description: The compression config for the http streams.
items:
- description: Compression defines the config of enabling compression.
+ description: |-
+ Compression defines the config of enabling compression.
This can help reduce the bandwidth at the expense of higher CPU.
properties:
gzip:
@@ -115,11 +119,57 @@ spec:
- type
type: object
type: array
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
faultInjection:
- description: FaultInjection defines the fault injection policy to
- be applied. This configuration can be used to inject delays and
- abort requests to mimic failure scenarios such as service failures
- and overloads
+ description: |-
+ FaultInjection defines the fault injection policy to be applied. This configuration can be used to
+ inject delays and abort requests to mimic failure scenarios such as service failures and overloads
properties:
abort:
description: If specified, the request will be aborted if it meets
@@ -176,6 +226,18 @@ spec:
active:
description: Active health check configuration
properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
healthyThreshold:
default: 1
description: HealthyThreshold defines the number of healthy
@@ -184,9 +246,9 @@ spec:
minimum: 1
type: integer
http:
- description: HTTP defines the configuration of http health
- checker. It's required while the health checker type is
- HTTP.
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
properties:
expectedResponse:
description: ExpectedResponse defines a list of HTTP expected
@@ -221,8 +283,9 @@ spec:
rule: 'self.type == ''Binary'' ? has(self.binary) :
!has(self.binary)'
expectedStatuses:
- description: ExpectedStatuses defines a list of HTTP response
- statuses considered healthy. Defaults to 200 only
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
items:
description: HTTPStatus defines the http status code.
exclusiveMaximum: true
@@ -231,8 +294,9 @@ spec:
type: integer
type: array
method:
- description: Method defines the HTTP method used for health
- checking. Defaults to GET
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
type: string
path:
description: Path defines the HTTP path that will be requested
@@ -250,7 +314,8 @@ spec:
format: duration
type: string
tcp:
- description: TCP defines the configuration of tcp health checker.
+ description: |-
+ TCP defines the configuration of tcp health checker.
It's required while the health checker type is TCP.
properties:
receive:
@@ -327,9 +392,11 @@ spec:
- enum:
- HTTP
- TCP
+ - GRPC
- enum:
- HTTP
- TCP
+ - GRPC
description: Type defines the type of health checker.
type: string
unhealthyThreshold:
@@ -349,6 +416,9 @@ spec:
- message: If Health Checker type is TCP, tcp field needs to be
set.
rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health Checker
+ type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' : true'
passive:
description: Passive passive check configuration
properties:
@@ -372,10 +442,9 @@ spec:
type: integer
consecutiveLocalOriginFailures:
default: 5
- description: ConsecutiveLocalOriginFailures sets the number
- of consecutive local origin failures triggering ejection.
- Parameter takes effect only when split_external_local_origin_errors
- is set to true.
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
format: int32
type: integer
interval:
@@ -397,44 +466,146 @@ spec:
type: boolean
type: object
type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
loadBalancer:
- description: LoadBalancer policy to apply when routing traffic from
- the gateway to the backend endpoints
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
properties:
consistentHash:
- description: ConsistentHash defines the configuration when the
- load balancer type is set to ConsistentHash
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
properties:
+ cookie:
+ description: Cookie configures the cookie hash policy when
+ the consistent hash type is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set for the generated
+ cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures the header hash policy when
+ the consistent hash type is set to Header.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing, must be
+ prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
type:
- description: ConsistentHashType defines the type of input
- to hash on.
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
enum:
- SourceIP
+ - Header
+ - Cookie
type: string
required:
- type
type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the header field
+ must be set.
+ rule: 'self.type == ''Header'' ? has(self.header) : !has(self.header)'
+ - message: If consistent hash type is cookie, the cookie field
+ must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie) : !has(self.cookie)'
slowStart:
- description: SlowStart defines the configuration related to the
- slow start load balancer policy. If set, during slow start window,
- traffic sent to the newly added hosts will gradually increase.
- Currently this is only supported for RoundRobin and LeastRequest
- load balancers
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
properties:
window:
- description: Window defines the duration of the warm up period
- for newly added host. During slow start window, traffic
- sent to the newly added hosts will gradually increase. Currently
- only supports linear growth of traffic. For additional details,
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
type: string
required:
- window
type: object
type:
- description: Type decides the type of Load Balancer policy. Valid
- LoadBalancerType values are "ConsistentHash", "LeastRequest",
- "Random", "RoundRobin",
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
enum:
- ConsistentHash
- LeastRequest
@@ -458,8 +629,11 @@ spec:
with the backend.
properties:
version:
- description: Version of ProxyProtol Valid ProxyProtocolVersion
- values are "V1" "V2"
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
enum:
- V1
- V2
@@ -468,59 +642,64 @@ spec:
- version
type: object
rateLimit:
- description: RateLimit allows the user to limit the number of incoming
- requests to a predefined value based on attributes within the traffic
- flow.
+ description: |-
+ RateLimit allows the user to limit the number of incoming requests
+ to a predefined value based on attributes within the traffic flow.
properties:
global:
description: Global defines global rate limit configuration.
properties:
rules:
- description: Rules are a list of RateLimit selectors and limits.
- Each rule and its associated limit is applied in a mutually
- exclusive way. If a request matches multiple rules, each
- of their associated limits get applied, so a single request
- might increase the rate limit counters for multiple rules
- if selected. The rate limit service will return a logical
- OR of the individual rate limit decisions of all matching
- rules. For example, if a request matches two rules, one
- rate limited and one not, the final decision will be to
- rate limit the request.
+ description: |-
+ Rules are a list of RateLimit selectors and limits. Each rule and its
+ associated limit is applied in a mutually exclusive way. If a request
+ matches multiple rules, each of their associated limits get applied, so a
+ single request might increase the rate limit counters for multiple rules
+ if selected. The rate limit service will return a logical OR of the individual
+ rate limit decisions of all matching rules. For example, if a request
+ matches two rules, one rate limited and one not, the final decision will be
+ to rate limit the request.
items:
- description: RateLimitRule defines the semantics for matching
- attributes from the incoming requests, and setting limits
- for them.
+ description: |-
+ RateLimitRule defines the semantics for matching attributes
+ from the incoming requests, and setting limits for them.
properties:
clientSelectors:
- description: "ClientSelectors holds the list of select
- conditions to select specific clients using attributes
- from the traffic flow. All individual select conditions
- must hold True for this rule and its limit to be applied.
- \n If no client selectors are specified, the rule
- applies to all traffic of the targeted Route. \n If
- the policy targets a Gateway, the rule applies to
- each Route of the Gateway. Please note that each Route
- has its own rate limit counters. For example, if a
- Gateway has two Routes, and the policy has a rule
- with limit 10rps, each Route will have its own 10rps
- limit."
+ description: |-
+ ClientSelectors holds the list of select conditions to select
+ specific clients using attributes from the traffic flow.
+ All individual select conditions must hold True for this rule
+ and its limit to be applied.
+
+ If no client selectors are specified, the rule applies to all traffic of
+ the targeted Route.
+
+ If the policy targets a Gateway, the rule applies to each Route of the Gateway.
+ Please note that each Route has its own rate limit counters. For example,
+ if a Gateway has two Routes, and the policy has a rule with limit 10rps,
+ each Route will have its own 10rps limit.
items:
- description: RateLimitSelectCondition specifies the
- attributes within the traffic flow that can be used
- to select a subset of clients to be ratelimited.
- All the individual conditions must hold True for
- the overall condition to hold True.
+ description: |-
+ RateLimitSelectCondition specifies the attributes within the traffic flow that can
+ be used to select a subset of clients to be ratelimited.
+ All the individual conditions must hold True for the overall condition to hold True.
properties:
headers:
- description: Headers is a list of request headers
- to match. Multiple header values are ANDed together,
- meaning, a request MUST match all the specified
- headers. At least one of headers or sourceCIDR
- condition must be specified.
+ description: |-
+ Headers is a list of request headers to match. Multiple header values are ANDed together,
+ meaning, a request MUST match all the specified headers.
+ At least one of headers or sourceCIDR condition must be specified.
items:
description: HeaderMatch defines the match attributes
within the HTTP Headers of the request.
properties:
+ invert:
+ default: false
+ description: |-
+ Invert specifies whether the value match result will be inverted.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
+ type: boolean
name:
description: Name of the HTTP header.
maxLength: 256
@@ -536,12 +715,11 @@ spec:
- Distinct
type: string
value:
- description: Value within the HTTP header.
- Due to the case-insensitivity of header
- names, "foo" and "Foo" are considered
- equivalent. Do not set this field when
- Type="Distinct", implying matching on
- any/all unique values within the header.
+ description: |-
+ Value within the HTTP header. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
maxLength: 1024
type: string
required:
@@ -549,25 +727,22 @@ spec:
type: object
maxItems: 16
type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
sourceCIDR:
- description: SourceCIDR is the client IP Address
- range to match on. At least one of headers or
- sourceCIDR condition must be specified.
+ description: |-
+ SourceCIDR is the client IP Address range to match on.
+ At least one of headers or sourceCIDR condition must be specified.
properties:
type:
default: Exact
+ enum:
+ - Exact
+ - Distinct
type: string
value:
- description: Value is the IP CIDR that represents
- the range of Source IP Addresses of the
- client. These could also be the intermediate
- addresses through which the request has
- flown through and is part of the `X-Forwarded-For`
- header. For example, `192.168.0.1/32`, `192.168.0.0/24`,
- `001:db8::/64`.
+ description: |-
+ Value is the IP CIDR that represents the range of Source IP Addresses of the client.
+ These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
+ For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
maxLength: 256
minLength: 1
type: string
@@ -578,20 +753,20 @@ spec:
maxItems: 8
type: array
limit:
- description: Limit holds the rate limit values. This
- limit is applied for traffic flows when the selectors
- compute to True, causing the request to be counted
- towards the limit. The limit is enforced and the request
- is ratelimited, i.e. a response with 429 HTTP status
- code is sent back to the client when the selected
- requests have reached the limit.
+ description: |-
+ Limit holds the rate limit values.
+ This limit is applied for traffic flows when the selectors
+ compute to True, causing the request to be counted towards the limit.
+ The limit is enforced and the request is ratelimited, i.e. a response with
+ 429 HTTP status code is sent back to the client when
+ the selected requests have reached the limit.
properties:
requests:
type: integer
unit:
- description: RateLimitUnit specifies the intervals
- for setting rate limits. Valid RateLimitUnit values
- are "Second", "Minute", "Hour", and "Day".
+ description: |-
+ RateLimitUnit specifies the intervals for setting rate limits.
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
enum:
- Second
- Minute
@@ -605,7 +780,7 @@ spec:
required:
- limit
type: object
- maxItems: 16
+ maxItems: 64
type: array
required:
- rules
@@ -614,46 +789,52 @@ spec:
description: Local defines local rate limit configuration.
properties:
rules:
- description: Rules are a list of RateLimit selectors and limits.
- If a request matches multiple rules, the strictest limit
- is applied. For example, if a request matches two rules,
- one with 10rps and one with 20rps, the final limit will
+ description: |-
+ Rules are a list of RateLimit selectors and limits. If a request matches
+ multiple rules, the strictest limit is applied. For example, if a request
+ matches two rules, one with 10rps and one with 20rps, the final limit will
be based on the rule with 10rps.
items:
- description: RateLimitRule defines the semantics for matching
- attributes from the incoming requests, and setting limits
- for them.
+ description: |-
+ RateLimitRule defines the semantics for matching attributes
+ from the incoming requests, and setting limits for them.
properties:
clientSelectors:
- description: "ClientSelectors holds the list of select
- conditions to select specific clients using attributes
- from the traffic flow. All individual select conditions
- must hold True for this rule and its limit to be applied.
- \n If no client selectors are specified, the rule
- applies to all traffic of the targeted Route. \n If
- the policy targets a Gateway, the rule applies to
- each Route of the Gateway. Please note that each Route
- has its own rate limit counters. For example, if a
- Gateway has two Routes, and the policy has a rule
- with limit 10rps, each Route will have its own 10rps
- limit."
+ description: |-
+ ClientSelectors holds the list of select conditions to select
+ specific clients using attributes from the traffic flow.
+ All individual select conditions must hold True for this rule
+ and its limit to be applied.
+
+ If no client selectors are specified, the rule applies to all traffic of
+ the targeted Route.
+
+ If the policy targets a Gateway, the rule applies to each Route of the Gateway.
+ Please note that each Route has its own rate limit counters. For example,
+ if a Gateway has two Routes, and the policy has a rule with limit 10rps,
+ each Route will have its own 10rps limit.
items:
- description: RateLimitSelectCondition specifies the
- attributes within the traffic flow that can be used
- to select a subset of clients to be ratelimited.
- All the individual conditions must hold True for
- the overall condition to hold True.
+ description: |-
+ RateLimitSelectCondition specifies the attributes within the traffic flow that can
+ be used to select a subset of clients to be ratelimited.
+ All the individual conditions must hold True for the overall condition to hold True.
properties:
headers:
- description: Headers is a list of request headers
- to match. Multiple header values are ANDed together,
- meaning, a request MUST match all the specified
- headers. At least one of headers or sourceCIDR
- condition must be specified.
+ description: |-
+ Headers is a list of request headers to match. Multiple header values are ANDed together,
+ meaning, a request MUST match all the specified headers.
+ At least one of headers or sourceCIDR condition must be specified.
items:
description: HeaderMatch defines the match attributes
within the HTTP Headers of the request.
properties:
+ invert:
+ default: false
+ description: |-
+ Invert specifies whether the value match result will be inverted.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
+ type: boolean
name:
description: Name of the HTTP header.
maxLength: 256
@@ -669,12 +850,11 @@ spec:
- Distinct
type: string
value:
- description: Value within the HTTP header.
- Due to the case-insensitivity of header
- names, "foo" and "Foo" are considered
- equivalent. Do not set this field when
- Type="Distinct", implying matching on
- any/all unique values within the header.
+ description: |-
+ Value within the HTTP header. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
+ Do not set this field when Type="Distinct", implying matching on any/all unique
+ values within the header.
maxLength: 1024
type: string
required:
@@ -682,25 +862,22 @@ spec:
type: object
maxItems: 16
type: array
- x-kubernetes-list-map-keys:
- - name
- x-kubernetes-list-type: map
sourceCIDR:
- description: SourceCIDR is the client IP Address
- range to match on. At least one of headers or
- sourceCIDR condition must be specified.
+ description: |-
+ SourceCIDR is the client IP Address range to match on.
+ At least one of headers or sourceCIDR condition must be specified.
properties:
type:
default: Exact
+ enum:
+ - Exact
+ - Distinct
type: string
value:
- description: Value is the IP CIDR that represents
- the range of Source IP Addresses of the
- client. These could also be the intermediate
- addresses through which the request has
- flown through and is part of the `X-Forwarded-For`
- header. For example, `192.168.0.1/32`, `192.168.0.0/24`,
- `001:db8::/64`.
+ description: |-
+ Value is the IP CIDR that represents the range of Source IP Addresses of the client.
+ These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header.
+ For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.
maxLength: 256
minLength: 1
type: string
@@ -711,20 +888,20 @@ spec:
maxItems: 8
type: array
limit:
- description: Limit holds the rate limit values. This
- limit is applied for traffic flows when the selectors
- compute to True, causing the request to be counted
- towards the limit. The limit is enforced and the request
- is ratelimited, i.e. a response with 429 HTTP status
- code is sent back to the client when the selected
- requests have reached the limit.
+ description: |-
+ Limit holds the rate limit values.
+ This limit is applied for traffic flows when the selectors
+ compute to True, causing the request to be counted towards the limit.
+ The limit is enforced and the request is ratelimited, i.e. a response with
+ 429 HTTP status code is sent back to the client when
+ the selected requests have reached the limit.
properties:
requests:
type: integer
unit:
- description: RateLimitUnit specifies the intervals
- for setting rate limits. Valid RateLimitUnit values
- are "Second", "Minute", "Hour", and "Day".
+ description: |-
+ RateLimitUnit specifies the intervals for setting rate limits.
+ Valid RateLimitUnit values are "Second", "Minute", "Hour", and "Day".
enum:
- Second
- Minute
@@ -742,8 +919,9 @@ spec:
type: array
type: object
type:
- description: Type decides the scope for the RateLimits. Valid
- RateLimitType values are "Global" or "Local".
+ description: |-
+ Type decides the scope for the RateLimits.
+ Valid RateLimitType values are "Global" or "Local".
enum:
- Global
- Local
@@ -751,10 +929,160 @@ spec:
required:
- type
type: object
+ responseOverride:
+ description: |-
+ ResponseOverride defines the configuration to override specific responses with a custom one.
+ If multiple configurations are specified, the first one to match wins.
+ items:
+ description: ResponseOverride defines the configuration to override
+ specific responses with a custom one.
+ properties:
+ match:
+ description: Match configuration.
+ properties:
+ statusCodes:
+ description: Status code to match on. The match evaluates
+ to true if any of the matches are successful.
+ items:
+ description: StatusCodeMatch defines the configuration
+ for matching a status code.
+ properties:
+ range:
+ description: Range contains the range of status codes.
+ properties:
+ end:
+ description: End of the range, including the end
+ value.
+ type: integer
+ start:
+ description: Start of the range, including the
+ start value.
+ type: integer
+ required:
+ - end
+ - start
+ type: object
+ x-kubernetes-validations:
+ - message: end must be greater than start
+ rule: self.end > self.start
+ type:
+ allOf:
+ - enum:
+ - Value
+ - Range
+ - enum:
+ - Value
+ - Range
+ default: Value
+ description: |-
+ Type is the type of value.
+ Valid values are Value and Range, default is Value.
+ type: string
+ value:
+ description: Value contains the value of the status
+ code.
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: value must be set for type Value
+ rule: '(!has(self.type) || self.type == ''Value'')?
+ has(self.value) : true'
+ - message: range must be set for type Range
+ rule: '(has(self.type) && self.type == ''Range'')? has(self.range)
+ : true'
+ maxItems: 50
+ minItems: 1
+ type: array
+ required:
+ - statusCodes
+ type: object
+ response:
+ description: Response configuration.
+ properties:
+ body:
+ description: Body of the Custom Response
+ properties:
+ inline:
+ description: Inline contains the value as an inline
+ string.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Inline
+ - ValueRef
+ - enum:
+ - Inline
+ - ValueRef
+ default: Inline
+ description: |-
+ Type is the type of method to use to read the body value.
+ Valid values are Inline and ValueRef, default is Inline.
+ type: string
+ valueRef:
+ description: |-
+ ValueRef contains the contents of the body
+ specified as a local object reference.
+ Only a reference to ConfigMap is supported.
+
+ The value of key `response.body` in the ConfigMap will be used as the response body.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: inline must be set for type Inline
+ rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline)
+ : true'
+ - message: valueRef must be set for type ValueRef
+ rule: '(has(self.type) && self.type == ''ValueRef'')?
+ has(self.valueRef) : true'
+ - message: only ConfigMap is supported for ValueRef
+ rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap''
+ : true'
+ contentType:
+ description: Content Type of the response. This will be
+ set in the Content-Type header.
+ type: string
+ required:
+ - body
+ type: object
+ required:
+ - match
+ - response
+ type: object
+ type: array
retry:
- description: Retry provides more advanced usage, allowing users to
- customize the number of retries, retry fallback strategy, and retry
- triggering conditions. If not set, retry will be disabled.
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
properties:
numRetries:
default: 2
@@ -768,8 +1096,8 @@ spec:
attempt.
properties:
backOff:
- description: Backoff is the backoff policy to be applied per
- retry attempt. gateway uses a fully jittered exponential
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
properties:
@@ -779,10 +1107,9 @@ spec:
format: duration
type: string
maxInterval:
- description: MaxInterval is the maximum interval between
- retries. This parameter is optional, but must be greater
- than or equal to the base_interval if set. The default
- is 10 times the base_interval
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
format: duration
type: string
type: object
@@ -792,13 +1119,15 @@ spec:
type: string
type: object
retryOn:
- description: "RetryOn specifies the retry trigger condition. \n
- If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503)."
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
properties:
httpStatusCodes:
- description: HttpStatusCodes specifies the http status codes
- to be retried. The retriable-status-codes trigger must also
- be configured for these status codes to trigger a retry.
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
items:
description: HTTPStatus defines the http status code.
exclusiveMaximum: true
@@ -829,10 +1158,12 @@ spec:
type: object
type: object
targetRef:
- description: targetRef is the name of the resource this policy is
- being attached to. This Policy and the TargetRef MUST be in the
- same namespace for this Policy to have effect and be applied to
- the Gateway.
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
properties:
group:
description: Group is the group of the target resource.
@@ -850,24 +1181,19 @@ spec:
maxLength: 253
minLength: 1
type: string
- namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -877,32 +1203,118 @@ spec:
- kind
- name
type: object
- x-kubernetes-validations:
- - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
- rule: self.group == 'gateway.networking.k8s.io'
- - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
- rule: self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute', 'UDPRoute',
- 'TCPRoute', 'TLSRoute']
- - message: this policy does not yet support the sectionName field
- rule: '!has(self.sectionName)'
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ - matchLabels
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
tcpKeepalive:
- description: TcpKeepalive settings associated with the upstream client
- connection. Disabled by default.
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
properties:
idleTime:
- description: The duration a connection needs to be idle before
- keep-alive probes start being sent. The duration format is Defaults
- to `7200s`.
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
interval:
- description: The duration between keep-alive probes. Defaults
- to `75s`.
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
probes:
- description: The total number of unacknowledged probes to send
- before deciding the connection is dead. Defaults to 9.
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
format: int32
type: integer
type: object
@@ -913,14 +1325,20 @@ spec:
description: Timeout settings for HTTP.
properties:
connectionIdleTimeout:
- description: 'The idle timeout for an HTTP connection. Idle
- time is defined as a period in which there are no active
- requests in the connection. Default: 1 hour.'
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
maxConnectionDuration:
- description: 'The maximum duration of an HTTP connection.
- Default: unlimited.'
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until which entire
+ response is received from the upstream.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
@@ -928,182 +1346,240 @@ spec:
description: Timeout settings for TCP.
properties:
connectTimeout:
- description: 'The timeout for network connection establishment,
- including TCP and TLS handshakes. Default: 10 seconds.'
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
type: object
- required:
- - targetRef
+ useClientProtocol:
+ description: |-
+ UseClientProtocol configures Envoy to prefer sending requests to backends using
+ the same HTTP protocol that the incoming request used. Defaults to false, which means
+ that Envoy will use the protocol indicated by the attached BackendRef.
+ type: boolean
type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true '
+ - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
+ ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''] : true'
+ - message: this policy does not yet support the sectionName field
+ rule: 'has(self.targetRef) ? !has(self.targetRef.sectionName) : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true '
+ - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
+ ''HTTPRoute'', ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''])
+ : true '
+ - message: this policy does not yet support the sectionName field
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName))
+ : true'
status:
description: status defines the current status of BackendTrafficPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -1115,47 +1591,36 @@ spec:
description: Conditions describes the status of the Policy with
respect to the given Ancestor.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -1170,11 +1635,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -1192,16 +1652,20 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index de67748..3e626f3 100644
--- a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: clienttrafficpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -19,27 +19,30 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Accepted")].reason
- name: Status
- type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
- description: ClientTrafficPolicy allows the user to configure the behavior
- of the connection between the downstream client and Envoy Proxy listener.
+ description: |-
+ ClientTrafficPolicy allows the user to configure the behavior of the connection
+ between the downstream client and Envoy Proxy listener.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -51,16 +54,16 @@ spec:
determining the original client IP address for requests.
properties:
customHeader:
- description: CustomHeader provides configuration for determining
- the client IP address for a request based on a trusted custom
- HTTP header. This uses the the custom_header original IP detection
- extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+ description: |-
+ CustomHeader provides configuration for determining the client IP address for a request based on
+ a trusted custom HTTP header. This uses the custom_header original IP detection extension.
+ Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details.
properties:
failClosed:
- description: FailClosed is a switch used to control the flow
- of traffic when client IP detection fails. If set to true,
- the listener will respond with 403 Forbidden when the client
+ description: |-
+ FailClosed is a switch used to control the flow of traffic when client IP detection
+ fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined.
type: boolean
name:
@@ -79,9 +82,9 @@ spec:
address.
properties:
numTrustedHops:
- description: NumTrustedHops controls the number of additional
- ingress proxy hops from the right side of XFF HTTP headers
- to trust when determining the origin client's IP address.
+ description: |-
+ NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
+ headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details.
format: int32
@@ -91,19 +94,287 @@ spec:
x-kubernetes-validations:
- message: customHeader cannot be used in conjunction with xForwardedFor
rule: '!(has(self.xForwardedFor) && has(self.customHeader))'
+ connection:
+ description: Connection includes client connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ Default: 32768 bytes.
+ x-kubernetes-int-or-string: true
+ connectionLimit:
+ description: ConnectionLimit defines limits related to connections
+ properties:
+ closeDelay:
+ description: |-
+ CloseDelay defines the delay to use before closing connections that are rejected
+ once the limit value is reached.
+ Default: none.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ value:
+ description: |-
+ Value of the maximum concurrent connections limit.
+ When the limit is reached, incoming connections will be closed after the CloseDelay duration.
+ format: int64
+ minimum: 1
+ type: integer
+ required:
+ - value
+ type: object
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each incoming socket.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
enableProxyProtocol:
- description: EnableProxyProtocol interprets the ProxyProtocol header
- and adds the Client Address into the X-Forwarded-For header. Note
- Proxy Protocol must be present when this field is set, else the
- connection is closed.
+ description: |-
+ EnableProxyProtocol interprets the ProxyProtocol header and adds the
+ Client Address into the X-Forwarded-For header.
+ Note Proxy Protocol must be present when this field is set, else the connection
+ is closed.
type: boolean
headers:
description: HeaderSettings provides configuration for header management.
properties:
+ disableRateLimitHeaders:
+ description: |-
+ DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
+ when rate limiting is enabled.
+ type: boolean
+ earlyRequestHeaders:
+ description: |-
+ EarlyRequestHeaders defines settings for early request header modification, before envoy performs
+ routing, tracing and built-in header manipulation.
+ properties:
+ add:
+ description: |-
+ Add adds the given header(s) (name, value) to the request
+ before the action. It appends to any existing values associated
+ with the header name.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ add:
+ - name: "my-header"
+ value: "bar,baz"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: foo,bar,baz
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ remove:
+ description: |-
+ Remove the given header(s) from the HTTP request before the action. The
+ value of Remove is a list of HTTP header names. Note that the header
+ names are case-insensitive (see
+ https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header1: foo
+ my-header2: bar
+ my-header3: baz
+
+ Config:
+ remove: ["my-header1", "my-header3"]
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header2: bar
+ items:
+ type: string
+ maxItems: 16
+ type: array
+ x-kubernetes-list-type: set
+ set:
+ description: |-
+ Set overwrites the request with the given header (name, value)
+ before the action.
+
+ Input:
+ GET /foo HTTP/1.1
+ my-header: foo
+
+ Config:
+ set:
+ - name: "my-header"
+ value: "bar"
+
+ Output:
+ GET /foo HTTP/1.1
+ my-header: bar
+ items:
+ description: HTTPHeader represents an HTTP Header name and
+ value as defined by RFC 7230.
+ properties:
+ name:
+ description: |-
+ Name is the name of the HTTP Header to be matched. Name matching MUST be
+ case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+ If multiple entries specify equivalent header names, the first entry with
+ an equivalent name MUST be considered for a match. Subsequent entries
+ with an equivalent header name MUST be ignored. Due to the
+ case-insensitivity of header names, "foo" and "Foo" are considered
+ equivalent.
+ maxLength: 256
+ minLength: 1
+ pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+ type: string
+ value:
+ description: Value is the value of HTTP Header to be
+ matched.
+ maxLength: 4096
+ minLength: 1
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ maxItems: 16
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ type: object
enableEnvoyHeaders:
- description: EnableEnvoyHeaders configures Envoy Proxy to add
- the "X-Envoy-" headers to requests and responses.
+ description: |-
+ EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
+ and responses.
type: boolean
+ preserveXRequestID:
+ description: |-
+ PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge
+ (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.
+ It defaults to false.
+ type: boolean
+ withUnderscoresAction:
+ description: |-
+ WithUnderscoresAction configures the action to take when an HTTP header with underscores
+ is encountered. The default action is to reject the request.
+ enum:
+ - Allow
+ - RejectRequest
+ - DropHeader
+ type: string
+ xForwardedClientCert:
+ description: |-
+ XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.
+
+ x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
+ information of part or all of the clients or proxies that a request has flowed through,
+ on its way from the client to the server.
+
+ Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.
+
+ If not set, the default behavior is sanitizing the XFCC header.
+ properties:
+ certDetailsToAdd:
+ description: |-
+ CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.
+
+ Hash(the SHA 256 digest of the current client certificate) and By(the Subject Alternative Name)
+ are always included if the client certificate is forwarded.
+
+ This field is only applicable when the mode is set to `AppendForward` or
+ `SanitizeSet` and the client connection is mTLS.
+ items:
+ description: XFCCCertData specifies the fields in the client
+ certificate to be forwarded in the XFCC header.
+ enum:
+ - Subject
+ - Cert
+ - Chain
+ - DNS
+ - URI
+ type: string
+ maxItems: 5
+ type: array
+ mode:
+ description: |-
+ Mode defines how XFCC header is handled by Envoy Proxy.
+ If not set, the default mode is `Sanitize`.
+ enum:
+ - Sanitize
+ - ForwardOnly
+ - AppendForward
+ - SanitizeSet
+ - AlwaysForwardOnly
+ type: string
+ type: object
+ x-kubernetes-validations:
+ - message: certDetailsToAdd can only be set when mode is AppendForward
+ or SanitizeSet
+ rule: '(has(self.certDetailsToAdd) && self.certDetailsToAdd.size()
+ > 0) ? (self.mode == ''AppendForward'' || self.mode == ''SanitizeSet'')
+ : true'
+ type: object
+ healthCheck:
+ description: HealthCheck provides configuration for determining whether
+ the HTTP/HTTPS listener is healthy.
+ properties:
+ path:
+ description: Path specifies the HTTP path to match on for health
+ check requests.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
type: object
http1:
description: HTTP1 provides HTTP/1 configuration on the listener.
@@ -117,19 +388,61 @@ spec:
requests.
properties:
useDefaultHost:
- description: UseDefaultHost defines if the HTTP/1.0 request
- is missing the Host header, then the hostname associated
- with the listener should be injected into the request. If
- this is not set and an HTTP/1.0 request arrives without
- a host, then it will be rejected.
+ description: |-
+ UseDefaultHost defines if the HTTP/1.0 request is missing the Host header,
+ then the hostname associated with the listener should be injected into the
+ request.
+ If this is not set and an HTTP/1.0 request arrives without a host, then
+ it will be rejected.
type: boolean
type: object
preserveHeaderCase:
- description: PreserveHeaderCase defines if Envoy should preserve
- the letter case of headers. By default, Envoy will lowercase
- all the headers.
+ description: |-
+ PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
+ By default, Envoy will lowercase all the headers.
type: boolean
type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration on the listener.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
http3:
description: HTTP3 provides HTTP/3 configuration on the listener.
type: object
@@ -138,15 +451,16 @@ spec:
can be normalized.
properties:
disableMergeSlashes:
- description: DisableMergeSlashes allows disabling the default
- configuration of merging adjacent slashes in the path. Note
- that slash merging is not part of the HTTP spec and is provided
- for convenience.
+ description: |-
+ DisableMergeSlashes allows disabling the default configuration of merging adjacent
+ slashes in the path.
+ Note that slash merging is not part of the HTTP spec and is provided for convenience.
type: boolean
escapedSlashesAction:
- description: EscapedSlashesAction determines how %2f, %2F, %5c,
- or %5C sequences in the path URI should be handled. The default
- is UnescapeAndRedirect.
+ description: |-
+ EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
+ should be handled.
+ The default is UnescapeAndRedirect.
enum:
- KeepUnchanged
- RejectRequest
@@ -155,10 +469,12 @@ spec:
type: string
type: object
targetRef:
- description: TargetRef is the name of the Gateway resource this policy
- is being attached to. This Policy and the TargetRef MUST be in the
- same namespace for this Policy to have effect and be applied to
- the Gateway. TargetRef
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
properties:
group:
description: Group is the group of the target resource.
@@ -176,24 +492,19 @@ spec:
maxLength: 253
minLength: 1
type: string
- namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -203,32 +514,119 @@ spec:
- kind
- name
type: object
- x-kubernetes-validations:
- - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
- rule: self.group == 'gateway.networking.k8s.io'
- - message: this policy can only have a targetRef.kind of Gateway
- rule: self.kind == 'Gateway'
- - message: this policy does not yet support the sectionName field
- rule: '!has(self.sectionName)'
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ - matchLabels
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
tcpKeepalive:
- description: TcpKeepalive settings associated with the downstream
- client connection. If defined, sets SO_KEEPALIVE on the listener
- socket to enable TCP Keepalives. Disabled by default.
+ description: |-
+ TcpKeepalive settings associated with the downstream client connection.
+ If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
+ Disabled by default.
properties:
idleTime:
- description: The duration a connection needs to be idle before
- keep-alive probes start being sent. The duration format is Defaults
- to `7200s`.
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
interval:
- description: The duration between keep-alive probes. Defaults
- to `75s`.
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
probes:
- description: The total number of unacknowledged probes to send
- before deciding the connection is dead. Defaults to 9.
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
format: int32
type: integer
type: object
@@ -238,11 +636,27 @@ spec:
http:
description: Timeout settings for HTTP.
properties:
+ idleTimeout:
+ description: |-
+ IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
requestReceivedTimeout:
- description: The duration envoy waits for the complete request
- reception. This timer starts upon request initiation and
- stops when either the last byte of the request is sent upstream
- or when the response begins.
+ description: |-
+ RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
+ initiation and stops when either the last byte of the request is sent upstream or when the response begins.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ idleTimeout:
+ description: |-
+ IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
+ bytes sent or received on either the upstream or downstream connection.
+ Default: 1 hour.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
type: string
type: object
@@ -252,9 +666,13 @@ spec:
the downstream client.
properties:
alpnProtocols:
- description: 'ALPNProtocols supplies the list of ALPN protocols
- that should be exposed by the listener. By default h2 and http/1.1
- are enabled. Supported values are: - http/1.0 - http/1.1 - h2'
+ description: |-
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener. By default h2 and http/1.1 are enabled.
+ Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
items:
description: ALPNProtocol specifies the protocol to be negotiated
using ALPN
@@ -265,46 +683,57 @@ spec:
type: string
type: array
ciphers:
- description: 'Ciphers specifies the set of cipher suites supported
- when negotiating TLS 1.0 - 1.2. This setting has no effect for
- TLS 1.3. In non-FIPS Envoy Proxy builds the default cipher list
- is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ description: |-
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
- In builds using BoringSSL FIPS the default cipher list is: -
- ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
- - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384'
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
items:
type: string
type: array
clientValidation:
- description: ClientValidation specifies the configuration to validate
- the client initiating the TLS connection to the Gateway listener.
+ description: |-
+ ClientValidation specifies the configuration to validate the client
+ initiating the TLS connection to the Gateway listener.
properties:
caCertificateRefs:
- description: "CACertificateRefs contains one or more references
- to Kubernetes objects that contain TLS certificates of the
- Certificate Authorities that can be used as a trust anchor
- to validate the certificates presented by the client. \n
- A single reference to a Kubernetes ConfigMap or a Kubernetes
- Secret, with the CA certificate in a key named `ca.crt`
- is currently supported. \n References to a resource in different
- namespace are invalid UNLESS there is a ReferenceGrant in
- the target namespace that allows the certificate to be attached."
+ description: |-
+ CACertificateRefs contains one or more references to
+ Kubernetes objects that contain TLS certificates of
+ the Certificate Authorities that can be used
+ as a trust anchor to validate the certificates presented by the client.
+
+ A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
+ with the CA certificate in a key named `ca.crt` is currently supported.
+
+ References to a resource in different namespace are invalid UNLESS there
+ is a ReferenceGrant in the target namespace that allows the certificate
+ to be attached.
items:
- description: "SecretObjectReference identifies an API object
- including its namespace, defaulting to Secret. \n The
- API object must be valid in the cluster; the Group and
- Kind must be registered in the cluster for this reference
- to be valid. \n References to objects with invalid Group
- and Kind are not valid, and must be rejected by the implementation,
- with appropriate Conditions set on the containing object."
+ description: |-
+ SecretObjectReference identifies an API object including its namespace,
+ defaulting to Secret.
+
+ The API object must be valid in the cluster; the Group and Kind must
+ be registered in the cluster for this reference to be valid.
+
+ References to objects with invalid Group and Kind are not valid, and must
+ be rejected by the implementation, with appropriate Conditions set
+ on the containing object.
properties:
group:
default: ""
- description: Group is the group of the referent. For
- example, "gateway.networking.k8s.io". When unspecified
- or empty string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -322,13 +751,16 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is
- required in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -338,18 +770,27 @@ spec:
type: object
maxItems: 8
type: array
+ optional:
+ description: |-
+ Optional set to true accepts connections even when a client doesn't present a certificate.
+ Defaults to false, which rejects connections without a valid client certificate.
+ type: boolean
type: object
ecdhCurves:
- description: 'ECDHCurves specifies the set of supported ECDH curves.
- In non-FIPS Envoy Proxy builds the default curves are: - X25519
- - P-256 In builds using BoringSSL FIPS the default curve is:
- - P-256'
+ description: |-
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
items:
type: string
type: array
maxVersion:
- description: Max specifies the maximal TLS protocol version to
- allow The default is TLS 1.3 if this is not specified.
+ description: |-
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
enum:
- Auto
- "1.0"
@@ -358,8 +799,9 @@ spec:
- "1.3"
type: string
minVersion:
- description: Min specifies the minimal TLS protocol version to
- allow. The default is TLS 1.2 if this is not specified.
+ description: |-
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
enum:
- Auto
- "1.0"
@@ -367,9 +809,31 @@ spec:
- "1.2"
- "1.3"
type: string
+ session:
+ description: Session defines settings related to TLS session management.
+ properties:
+ resumption:
+ description: |-
+ Resumption determines the proxy's supported TLS session resumption option.
+ By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
+ enable stateful and stateless session resumption. Users should consider security impacts
+ of different resumption methods. Performance gains from resumption are diminished when
+ Envoy proxy is deployed with more than one replica.
+ properties:
+ stateful:
+ description: Stateful defines setting for stateful (session-id
+ based) session resumption
+ type: object
+ stateless:
+ description: Stateless defines setting for stateless (session-ticket
+ based) session resumption
+ type: object
+ type: object
+ type: object
signatureAlgorithms:
- description: SignatureAlgorithms specifies which signature algorithms
- the listener should support.
+ description: |-
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
items:
type: string
type: array
@@ -384,176 +848,220 @@ spec:
<= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
: !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
: true'
- required:
- - targetRef
type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true'
+ - message: this policy can only have a targetRef.kind of Gateway
+ rule: 'has(self.targetRef) ? self.targetRef.kind == ''Gateway'' : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true'
+ - message: this policy can only have a targetRefs[*].kind of Gateway
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind == ''Gateway'')
+ : true'
status:
description: Status defines the current status of ClientTrafficPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -565,47 +1073,36 @@ spec:
description: Conditions describes the status of the Policy with
respect to the given Ancestor.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -620,11 +1117,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -642,16 +1134,20 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
new file mode 100644
index 0000000..6baa284
--- /dev/null
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoyextensionpolicies.yaml
@@ -0,0 +1,1591 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: envoyextensionpolicies.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ kind: EnvoyExtensionPolicy
+ listKind: EnvoyExtensionPolicyList
+ plural: envoyextensionpolicies
+ shortNames:
+ - eep
+ singular: envoyextensionpolicy
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: EnvoyExtensionPolicy allows the user to configure various envoy
+ extensibility options for the Gateway.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of EnvoyExtensionPolicy.
+ properties:
+ extProc:
+ description: |-
+ ExtProc is an ordered list of external processing filters
+ that should added to the envoy filter chain
+ items:
+ description: ExtProc defines the configuration for External Processing
+ filter.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the
+ payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines the time between active
+ health checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected response
+ payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the
+ payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of the
+ payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait for
+ a health check response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a backend
+ host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) : !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' : true'
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base duration
+ for which a host will be ejected on consecutive
+ failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors sets the number
+ of consecutive gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between passive
+ health checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash policy
+ when the consistent hash type is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set for
+ the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures the header hash policy
+ when the consistent hash type is set to Header.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the header
+ field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is cookie, the cookie
+ field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash''] ?
+ !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol when
+ communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until which
+ entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ failOpen:
+ description: |-
+ FailOpen defines if requests or responses that cannot be processed due to connectivity to the
+ external processor are terminated or passed-through.
+ Default: false
+ type: boolean
+ messageTimeout:
+ description: |-
+ MessageTimeout is the timeout for a response to be returned from the external processor
+ Default: 200ms
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ processingMode:
+ description: |-
+ ProcessingMode defines how request and response body is processed
+ Default: header and body are not sent to the external processor
+ properties:
+ request:
+ description: |-
+ Defines processing mode for requests. If present, request headers are sent. Request body is processed according
+ to the specified mode.
+ properties:
+ body:
+ description: Defines body processing mode
+ enum:
+ - Streamed
+ - Buffered
+ - BufferedPartial
+ type: string
+ type: object
+ response:
+ description: |-
+ Defines processing mode for responses. If present, response headers are sent. Response body is processed according
+ to the specified mode.
+ properties:
+ body:
+ description: Defines body processing mode
+ enum:
+ - Streamed
+ - Buffered
+ - BufferedPartial
+ type: string
+ type: object
+ type: object
+ type: object
+ x-kubernetes-validations:
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only supports Service and Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'' || f.kind == ''Backend'') : true'
+ - message: BackendRefs only supports Core and gateway.envoyproxy.io
+ group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
+ == "" || f.group == ''gateway.envoyproxy.io'')) : true'
+ maxItems: 16
+ type: array
+ targetRef:
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ - matchLabels
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
+ wasm:
+ description: |-
+ Wasm is a list of Wasm extensions to be loaded by the Gateway.
+ Order matters, as the extensions will be loaded in the order they are
+ defined in this list.
+ items:
+ description: |-
+ Wasm defines a Wasm extension.
+
+ Note: at the moment, Envoy Gateway does not support configuring Wasm runtime.
+ v8 is used as the VM runtime for the Wasm extensions.
+ properties:
+ code:
+ description: Code is the Wasm code for the extension.
+ properties:
+ http:
+ description: |-
+ HTTP is the HTTP URL containing the Wasm code.
+
+ Note that the HTTP server must be accessible from the Envoy proxy.
+ properties:
+ sha256:
+ description: |-
+ SHA256 checksum that will be used to verify the Wasm code.
+
+ If not specified, Envoy Gateway will not verify the downloaded Wasm code.
+ kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+ type: string
+ url:
+ description: URL is the URL containing the Wasm code.
+ pattern: ^((https?:)(\/\/\/?)([\w]*(?::[\w]*)?@)?([\d\w\.-]+)(?::(\d+))?)?([\/\\\w\.()-]*)?(?:([?][^#]*)?(#.*)?)*
+ type: string
+ required:
+ - url
+ type: object
+ image:
+ description: |-
+ Image is the OCI image containing the Wasm code.
+
+ Note that the image must be accessible from the Envoy Gateway.
+ properties:
+ pullSecretRef:
+ description: |-
+ PullSecretRef is a reference to the secret containing the credentials to pull the image.
+ Only support Kubernetes Secret resource from the same namespace.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example
+ "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: only support Secret kind.
+ rule: self.kind == 'Secret'
+ sha256:
+ description: |-
+ SHA256 checksum that will be used to verify the OCI image.
+
+ It must match the digest of the OCI image.
+
+ If not specified, Envoy Gateway will not verify the downloaded OCI image.
+ kubebuilder:validation:Pattern=`^[a-f0-9]{64}$`
+ type: string
+ url:
+ description: |-
+ URL is the URL of the OCI image.
+ URL can be in the format of `registry/image:tag` or `registry/image@sha256:digest`.
+ type: string
+ required:
+ - url
+ type: object
+ pullPolicy:
+ description: |-
+ PullPolicy is the policy to use when pulling the Wasm module by either the HTTP or Image source.
+ This field is only applicable when the SHA256 field is not set.
+
+ If not specified, the default policy is IfNotPresent except for OCI images whose tag is latest.
+
+ Note: EG does not update the Wasm module every time an Envoy proxy requests
+ the Wasm module even if the pull policy is set to Always.
+ It only updates the Wasm module when the EnvoyExtension resource version changes.
+ enum:
+ - IfNotPresent
+ - Always
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - Image
+ - enum:
+ - HTTP
+ - Image
+ - ConfigMap
+ description: |-
+ Type is the type of the source of the Wasm code.
+ Valid WasmCodeSourceType values are "HTTP" or "Image".
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If type is HTTP, http field needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) : !has(self.http)'
+ - message: If type is Image, image field needs to be set.
+ rule: 'self.type == ''Image'' ? has(self.image) : !has(self.image)'
+ config:
+ description: |-
+ Config is the configuration for the Wasm extension.
+ This configuration will be passed as a JSON string to the Wasm extension.
+ x-kubernetes-preserve-unknown-fields: true
+ failOpen:
+ default: false
+ description: |-
+ FailOpen is a switch used to control the behavior when a fatal error occurs
+ during the initialization or the execution of the Wasm extension.
+ If FailOpen is set to true, the system bypasses the Wasm extension and
+ allows the traffic to pass through. Otherwise, if it is set to false or
+ not set (defaulting to false), the system blocks the traffic and returns
+ an HTTP 5xx error.
+ type: boolean
+ name:
+ description: |-
+ Name is a unique name for this Wasm extension. It is used to identify the
+ Wasm extension if multiple extensions are handled by the same vm_id and root_id.
+ It's also used for logging/debugging.
+ If not specified, EG will generate a unique name for the Wasm extension.
+ type: string
+ rootID:
+ description: |-
+ RootID is a unique ID for a set of extensions in a VM which will share a
+ RootContext and Contexts if applicable (e.g., an Wasm HttpFilter and an Wasm AccessLog).
+ If left blank, all extensions with a blank root_id with the same vm_id will share Context(s).
+
+ Note: RootID must match the root_id parameter used to register the Context in the Wasm code.
+ type: string
+ required:
+ - code
+ type: object
+ maxItems: 16
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true'
+ - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
+ ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''] : true'
+ - message: this policy does not yet support the sectionName field
+ rule: 'has(self.targetRef) ? !has(self.targetRef.sectionName) : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true '
+ - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute/TCPRoute/UDPRoute/TLSRoute
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
+ ''HTTPRoute'', ''GRPCRoute'', ''UDPRoute'', ''TCPRoute'', ''TLSRoute''])
+ : true '
+ - message: this policy does not yet support the sectionName field
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName))
+ : true'
+ status:
+ description: Status defines the current status of EnvoyExtensionPolicy.
+ properties:
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
+ items:
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
+ properties:
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
+ type: string
+ required:
+ - ancestorRef
+ - controllerName
+ type: object
+ maxItems: 16
+ type: array
+ required:
+ - ancestors
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
index f157a84..591e61a 100644
--- a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoypatchpolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: envoypatchpolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -28,18 +28,24 @@ spec:
name: v1alpha1
schema:
openAPIV3Schema:
- description: EnvoyPatchPolicy allows the user to modify the generated Envoy
- xDS resources by Envoy Gateway using this patch API
+ description: |-
+ EnvoyPatchPolicy allows the user to modify the generated Envoy xDS
+ resources by Envoy Gateway using this patch API
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -49,8 +55,9 @@ spec:
jsonPatches:
description: JSONPatch defines the JSONPatch configuration.
items:
- description: EnvoyJSONPatchConfig defines the configuration for
- patching a Envoy xDS Resource using JSONPatch semantic
+ description: |-
+ EnvoyJSONPatchConfig defines the configuration for patching a Envoy xDS Resource
+ using JSONPatch semantic
properties:
name:
description: Name is the name of the resource
@@ -59,10 +66,19 @@ spec:
description: Patch defines the JSON Patch Operation
properties:
from:
- description: From is the source location of the value to
- be copied or moved. Only valid for move or copy operations
- Refer to https://datatracker.ietf.org/doc/html/rfc6901
- for more details.
+ description: |-
+ From is the source location of the value to be copied or moved. Only valid
+ for move or copy operations
+ Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ type: string
+ jsonPath:
+ description: |-
+ JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+ It produces one or more JSONPointer expressions based on the given JSON document.
+ If no JSONPointer is found, it will result in an error.
+ If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
+ This is useful when creating a property that does not yet exist in the JSON document.
+ The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
type: string
op:
description: Op is the type of operation to perform
@@ -75,17 +91,17 @@ spec:
- test
type: string
path:
- description: Path is the location of the target document/field
- where the operation will be performed Refer to https://datatracker.ietf.org/doc/html/rfc6901
- for more details.
+ description: |-
+ Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ It specifies the location of the target document/field where the operation will be performed
type: string
value:
- description: Value is the new value of the path location.
- The value is only used by the `add` and `replace` operations.
+ description: |-
+ Value is the new value of the path location. The value is only used by
+ the `add` and `replace` operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
- - path
type: object
type:
description: Type is the typed URL of the Envoy xDS Resource
@@ -103,18 +119,23 @@ spec:
type: object
type: array
priority:
- description: Priority of the EnvoyPatchPolicy. If multiple EnvoyPatchPolicies
- are applied to the same TargetRef, they will be applied in the ascending
- order of the priority i.e. int32.min has the highest priority and
- int32.max has the lowest priority. Defaults to 0.
+ description: |-
+ Priority of the EnvoyPatchPolicy.
+ If multiple EnvoyPatchPolicies are applied to the same
+ TargetRef, they will be applied in the ascending order of
+ the priority i.e. int32.min has the highest priority and
+ int32.max has the lowest priority.
+ Defaults to 0.
format: int32
type: integer
targetRef:
- description: TargetRef is the name of the Gateway API resource this
- policy is being attached to. By default attaching to Gateway is
- supported and when mergeGateways is enabled it should attach to
- GatewayClass. This Policy and the TargetRef MUST be in the same
- namespace for this Policy to have effect and be applied to the Gateway
+ description: |-
+ TargetRef is the name of the Gateway API resource this policy
+ is being attached to.
+ By default, attaching to Gateway is supported and
+ when mergeGateways is enabled it should attach to GatewayClass.
+ This Policy and the TargetRef MUST be in the same namespace
+ for this Policy to have effect and be applied to the Gateway
TargetRef
properties:
group:
@@ -133,23 +154,15 @@ spec:
maxLength: 253
minLength: 1
type: string
- namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
required:
- group
- kind
- name
type: object
type:
- description: Type decides the type of patch. Valid EnvoyPatchType
- values are "JSONPatch".
+ description: |-
+ Type decides the type of patch.
+ Valid EnvoyPatchType values are "JSONPatch".
enum:
- JSONPatch
type: string
@@ -160,79 +173,298 @@ spec:
status:
description: Status defines the current status of EnvoyPatchPolicy.
properties:
- conditions:
- description: Conditions describe the current conditions of the EnvoyPatchPolicy.
+ ancestors:
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource. --- This struct is intended for direct
- use as an array at the field path .status.conditions. For example,
- \n type FooStatus struct{ // Represents the observations of a
- foo's current state. // Known .status.conditions.type are: \"Available\",
- \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
- lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should be when
- the underlying condition changed. If that is not known, then
- using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance, if .metadata.generation
- is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the current
- state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: reason contains a programmatic identifier indicating
- the reason for the condition's last transition. Producers
- of specific condition types may define expected values and
- meanings for this field, and whether the values are considered
- a guaranteed API. The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
+ ancestorRef:
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Gateway
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - name
+ type: object
+ conditions:
+ description: Conditions describes the status of the Policy with
+ respect to the given Ancestor.
+ items:
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False,
+ Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ maxItems: 8
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ controllerName:
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
+ maxLength: 253
minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across resources
- like Available, but because arbitrary conditions can be useful
- (see .node.status.conditions), the ability to deconflict is
- important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
type: string
required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
+ - ancestorRef
+ - controllerName
type: object
- maxItems: 8
+ maxItems: 16
type: array
- x-kubernetes-list-map-keys:
- - type
- x-kubernetes-list-type: map
+ required:
+ - ancestors
type: object
required:
- spec
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
index ad32967..4277092 100644
--- a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: envoyproxies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -24,63 +24,378 @@ spec:
description: EnvoyProxy is the schema for the envoyproxies API.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: EnvoyProxySpec defines the desired state of EnvoyProxy.
properties:
+ backendTLS:
+ description: |-
+ BackendTLS is the TLS configuration for the Envoy proxy to use when connecting to backends.
+ These settings are applied on backends for which TLS policies are specified.
+ properties:
+ alpnProtocols:
+ description: |-
+ ALPNProtocols supplies the list of ALPN protocols that should be
+ exposed by the listener. By default h2 and http/1.1 are enabled.
+ Supported values are:
+ - http/1.0
+ - http/1.1
+ - h2
+ items:
+ description: ALPNProtocol specifies the protocol to be negotiated
+ using ALPN
+ enum:
+ - http/1.0
+ - http/1.1
+ - h2
+ type: string
+ type: array
+ ciphers:
+ description: |-
+ Ciphers specifies the set of cipher suites supported when
+ negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
+ In non-FIPS Envoy Proxy builds the default cipher list is:
+ - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
+ - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ In builds using BoringSSL FIPS the default cipher list is:
+ - ECDHE-ECDSA-AES128-GCM-SHA256
+ - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - ECDHE-RSA-AES256-GCM-SHA384
+ items:
+ type: string
+ type: array
+ clientCertificateRef:
+ description: |-
+ ClientCertificateRef defines the reference to a Kubernetes Secret that contains
+ the client certificate and private key for Envoy to use when connecting to
+ backend services and external services, such as ExtAuth, ALS, OpenTelemetry, etc.
+ This secret should be located within the same namespace as the Envoy proxy resource that references it.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Secret
+ description: Kind is kind of the referent. For example "Secret".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ ecdhCurves:
+ description: |-
+ ECDHCurves specifies the set of supported ECDH curves.
+ In non-FIPS Envoy Proxy builds the default curves are:
+ - X25519
+ - P-256
+ In builds using BoringSSL FIPS the default curve is:
+ - P-256
+ items:
+ type: string
+ type: array
+ maxVersion:
+ description: |-
+ Max specifies the maximal TLS protocol version to allow
+ The default is TLS 1.3 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ minVersion:
+ description: |-
+ Min specifies the minimal TLS protocol version to allow.
+ The default is TLS 1.2 if this is not specified.
+ enum:
+ - Auto
+ - "1.0"
+ - "1.1"
+ - "1.2"
+ - "1.3"
+ type: string
+ signatureAlgorithms:
+ description: |-
+ SignatureAlgorithms specifies which signature algorithms the listener should
+ support.
+ items:
+ type: string
+ type: array
+ type: object
+ x-kubernetes-validations:
+ - message: setting ciphers has no effect if the minimum possible TLS
+ version is 1.3
+ rule: 'has(self.minVersion) && self.minVersion == ''1.3'' ? !has(self.ciphers)
+ : true'
+ - message: minVersion must be smaller or equal to maxVersion
+ rule: 'has(self.minVersion) && has(self.maxVersion) ? {"Auto":0,"1.0":1,"1.1":2,"1.2":3,"1.3":4}[self.minVersion]
+ <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : !has(self.minVersion) && has(self.maxVersion) ? 3 <= {"1.0":1,"1.1":2,"1.2":3,"1.3":4,"Auto":5}[self.maxVersion]
+ : true'
bootstrap:
- description: Bootstrap defines the Envoy Bootstrap as a YAML string.
+ description: |-
+ Bootstrap defines the Envoy Bootstrap as a YAML string.
Visit https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap
- to learn more about the syntax. If set, this is the Bootstrap configuration
- used for the managed Envoy Proxy fleet instead of the default Bootstrap
- configuration set by Envoy Gateway. Some fields within the Bootstrap
- that are required to communicate with the xDS Server (Envoy Gateway)
- and receive xDS resources from it are not configurable and will
- result in the `EnvoyProxy` resource being rejected. Backward compatibility
- across minor versions is not guaranteed. We strongly recommend using
- `egctl x translate` to generate a `EnvoyProxy` resource with the
- `Bootstrap` field set to the default Bootstrap configuration used.
- You can edit this configuration, and rerun `egctl x translate` to
- ensure there are no validation errors.
+ to learn more about the syntax.
+ If set, this is the Bootstrap configuration used for the managed Envoy Proxy fleet instead of the default Bootstrap configuration
+ set by Envoy Gateway.
+ Some fields within the Bootstrap that are required to communicate with the xDS Server (Envoy Gateway) and receive xDS resources
+ from it are not configurable and will result in the `EnvoyProxy` resource being rejected.
+ Backward compatibility across minor versions is not guaranteed.
+ We strongly recommend using `egctl x translate` to generate a `EnvoyProxy` resource with the `Bootstrap` field set to the default
+ Bootstrap configuration used. You can edit this configuration, and rerun `egctl x translate` to ensure there are no validation errors.
properties:
+ jsonPatches:
+ description: |-
+ JSONPatches is an array of JSONPatches to be applied to the default bootstrap. Patches are
+ applied in the order in which they are defined.
+ items:
+ description: |-
+ JSONPatchOperation defines the JSON Patch Operation as defined in
+ https://datatracker.ietf.org/doc/html/rfc6902
+ properties:
+ from:
+ description: |-
+ From is the source location of the value to be copied or moved. Only valid
+ for move or copy operations
+ Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ type: string
+ jsonPath:
+ description: |-
+ JSONPath is a JSONPath expression. Refer to https://datatracker.ietf.org/doc/rfc9535/ for more details.
+ It produces one or more JSONPointer expressions based on the given JSON document.
+ If no JSONPointer is found, it will result in an error.
+ If the 'Path' property is also set, it will be appended to the resulting JSONPointer expressions from the JSONPath evaluation.
+ This is useful when creating a property that does not yet exist in the JSON document.
+ The final JSONPointer expressions specifies the locations in the target document/field where the operation will be applied.
+ type: string
+ op:
+ description: Op is the type of operation to perform
+ enum:
+ - add
+ - remove
+ - replace
+ - move
+ - copy
+ - test
+ type: string
+ path:
+ description: |-
+ Path is a JSONPointer expression. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details.
+ It specifies the location of the target document/field where the operation will be performed
+ type: string
+ value:
+ description: |-
+ Value is the new value of the path location. The value is only used by
+ the `add` and `replace` operations.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - op
+ type: object
+ type: array
type:
default: Replace
- description: Type is the type of the bootstrap configuration,
- it should be either Replace or Merge. If unspecified, it defaults
- to Replace.
+ description: |-
+ Type is the type of the bootstrap configuration, it should be either Replace, Merge, or JSONPatch.
+ If unspecified, it defaults to Replace.
enum:
- Merge
- Replace
+ - JSONPatch
type: string
value:
description: Value is a YAML string of the bootstrap.
type: string
- required:
- - value
type: object
+ x-kubernetes-validations:
+ - message: provided bootstrap patch doesn't match the configured patch
+ type
+ rule: 'self.type == ''JSONPatch'' ? self.jsonPatches.size() > 0
+ : has(self.value)'
concurrency:
- description: Concurrency defines the number of worker threads to run.
- If unset, it defaults to the number of cpuset threads on the platform.
+ description: |-
+ Concurrency defines the number of worker threads to run. If unset, it defaults to
+ the number of cpuset threads on the platform.
format: int32
type: integer
extraArgs:
- description: 'ExtraArgs defines additional command line options that
- are provided to Envoy. More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
- Note: some command line options are used internally(e.g. --log-level)
- so they cannot be provided here.'
+ description: |-
+ ExtraArgs defines additional command line options that are provided to Envoy.
+ More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
+ Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here.
items:
type: string
type: array
+ filterOrder:
+ description: |-
+ FilterOrder defines the order of filters in the Envoy proxy's HTTP filter chain.
+ The FilterPosition in the list will be applied in the order they are defined.
+ If unspecified, the default filter order is applied.
+ Default filter order is:
+
+ - envoy.filters.http.health_check
+
+ - envoy.filters.http.fault
+
+ - envoy.filters.http.cors
+
+ - envoy.filters.http.ext_authz
+
+ - envoy.filters.http.basic_auth
+
+ - envoy.filters.http.oauth2
+
+ - envoy.filters.http.jwt_authn
+
+ - envoy.filters.http.stateful_session
+
+ - envoy.filters.http.ext_proc
+
+ - envoy.filters.http.wasm
+
+ - envoy.filters.http.rbac
+
+ - envoy.filters.http.local_ratelimit
+
+ - envoy.filters.http.ratelimit
+
+ - envoy.filters.http.custom_response
+
+ - envoy.filters.http.router
+
+ Note: "envoy.filters.http.router" cannot be reordered, it's always the last filter in the chain.
+ items:
+ description: FilterPosition defines the position of an Envoy HTTP
+ filter in the filter chain.
+ properties:
+ after:
+ description: |-
+ After defines the filter that should come after the filter.
+ Only one of Before or After must be set.
+ enum:
+ - envoy.filters.http.health_check
+ - envoy.filters.http.fault
+ - envoy.filters.http.cors
+ - envoy.filters.http.ext_authz
+ - envoy.filters.http.basic_auth
+ - envoy.filters.http.oauth2
+ - envoy.filters.http.jwt_authn
+ - envoy.filters.http.stateful_session
+ - envoy.filters.http.ext_proc
+ - envoy.filters.http.wasm
+ - envoy.filters.http.rbac
+ - envoy.filters.http.local_ratelimit
+ - envoy.filters.http.ratelimit
+ - envoy.filters.http.custom_response
+ type: string
+ before:
+ description: |-
+ Before defines the filter that should come before the filter.
+ Only one of Before or After must be set.
+ enum:
+ - envoy.filters.http.health_check
+ - envoy.filters.http.fault
+ - envoy.filters.http.cors
+ - envoy.filters.http.ext_authz
+ - envoy.filters.http.basic_auth
+ - envoy.filters.http.oauth2
+ - envoy.filters.http.jwt_authn
+ - envoy.filters.http.stateful_session
+ - envoy.filters.http.ext_proc
+ - envoy.filters.http.wasm
+ - envoy.filters.http.rbac
+ - envoy.filters.http.local_ratelimit
+ - envoy.filters.http.ratelimit
+ - envoy.filters.http.custom_response
+ type: string
+ name:
+ description: Name of the filter.
+ enum:
+ - envoy.filters.http.health_check
+ - envoy.filters.http.fault
+ - envoy.filters.http.cors
+ - envoy.filters.http.ext_authz
+ - envoy.filters.http.basic_auth
+ - envoy.filters.http.oauth2
+ - envoy.filters.http.jwt_authn
+ - envoy.filters.http.stateful_session
+ - envoy.filters.http.ext_proc
+ - envoy.filters.http.wasm
+ - envoy.filters.http.rbac
+ - envoy.filters.http.local_ratelimit
+ - envoy.filters.http.ratelimit
+ - envoy.filters.http.custom_response
+ type: string
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: one of before or after must be specified
+ rule: (has(self.before) || has(self.after))
+ - message: only one of before or after can be specified
+ rule: (has(self.before) && !has(self.after)) || (!has(self.before)
+ && has(self.after))
+ type: array
+ ipFamily:
+ description: |-
+ IPFamily specifies the IP family for the EnvoyProxy fleet.
+ This setting only affects the Gateway listener port and does not impact
+ other aspects of the Envoy proxy configuration.
+ If not specified, the system will operate as follows:
+ - It defaults to IPv4 only.
+ - IPv6 and dual-stack environments are not supported in this default configuration.
+ Note: To enable IPv6 or dual-stack functionality, explicit configuration is required.
+ enum:
+ - IPv4
+ - IPv6
+ - DualStack
+ type: string
logging:
default:
level:
@@ -99,36 +414,35 @@ spec:
type: string
default:
default: warn
- description: 'Level is a map of logging level per component, where
- the component is the key and the log level is the value. If
- unspecified, defaults to "default: warn".'
+ description: |-
+ Level is a map of logging level per component, where the component is the key
+ and the log level is the value. If unspecified, defaults to "default: warn".
type: object
type: object
mergeGateways:
- description: MergeGateways defines if Gateway resources should be
- merged onto the same Envoy Proxy Infrastructure. Setting this field
- to true would merge all Gateway Listeners under the parent Gateway
- Class. This means that the port, protocol and hostname tuple must
- be unique for every listener. If a duplicate listener is detected,
- the newer listener (based on timestamp) will be rejected and its
- status will be updated with a "Accepted=False" condition.
+ description: |-
+ MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure.
+ Setting this field to true would merge all Gateway Listeners under the parent Gateway Class.
+ This means that the port, protocol and hostname tuple must be unique for every listener.
+ If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a "Accepted=False" condition.
type: boolean
provider:
- description: Provider defines the desired resource provider and provider-specific
- configuration. If unspecified, the "Kubernetes" resource provider
- is used with default configuration parameters.
+ description: |-
+ Provider defines the desired resource provider and provider-specific configuration.
+ If unspecified, the "Kubernetes" resource provider is used with default configuration
+ parameters.
properties:
kubernetes:
- description: Kubernetes defines the desired state of the Kubernetes
- resource provider. Kubernetes provides infrastructure resources
- for running the data plane, e.g. Envoy proxy. If unspecified
- and type is "Kubernetes", default settings for managed Kubernetes
- resources are applied.
+ description: |-
+ Kubernetes defines the desired state of the Kubernetes resource provider.
+ Kubernetes provides infrastructure resources for running the data plane,
+ e.g. Envoy proxy. If unspecified and type is "Kubernetes", default settings
+ for managed Kubernetes resources are applied.
properties:
- envoyDeployment:
- description: EnvoyDeployment defines the desired state of
- the Envoy deployment resource. If unspecified, default settings
- for the managed Envoy deployment resource are applied.
+ envoyDaemonSet:
+ description: |-
+ EnvoyDaemonSet defines the desired state of the Envoy daemonset resource.
+ Disabled by default, a deployment resource is used instead to provision the Envoy Proxy fleet
properties:
container:
description: Container defines the desired specification
@@ -146,18 +460,16 @@ spec:
Must be a C_IDENTIFIER.
type: string
value:
- description: 'Variable references $(VAR_NAME)
- are expanded using the previously defined
- environment variables in the container and
- any service environment variables. If a variable
- cannot be resolved, the reference in the input
- string will be unchanged. Double $$ are reduced
- to a single $, which allows for escaping the
- $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
- produce the string literal "$(VAR_NAME)".
- Escaped references will never be expanded,
- regardless of whether the variable exists
- or not. Defaults to "".'
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
type: string
valueFrom:
description: Source for the environment variable's
@@ -170,10 +482,13 @@ spec:
description: The key to select.
type: string
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
optional:
description: Specify whether the ConfigMap
@@ -184,11 +499,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
fieldRef:
- description: 'Selects a field of the pod:
- supports metadata.name, metadata.namespace,
- `metadata.labels['''']`, `metadata.annotations['''']`,
- spec.nodeName, spec.serviceAccountName,
- status.hostIP, status.podIP, status.podIPs.'
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
properties:
apiVersion:
description: Version of the schema the
@@ -204,11 +517,9 @@ spec:
type: object
x-kubernetes-map-type: atomic
resourceFieldRef:
- description: 'Selects a resource of the
- container: only resources limits and requests
- (limits.cpu, limits.memory, limits.ephemeral-storage,
- requests.cpu, requests.memory and requests.ephemeral-storage)
- are currently supported.'
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
properties:
containerName:
description: 'Container name: required
@@ -241,10 +552,13 @@ spec:
key.
type: string
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
optional:
description: Specify whether the Secret
@@ -264,25 +578,34 @@ spec:
image to be used, instead of the default image.
type: string
resources:
- description: 'Resources required by this container.
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
properties:
claims:
- description: "Claims lists the names of resources,
- defined in spec.resourceClaims, that are used
- by this container. \n This is an alpha field
- and requires enabling the DynamicResourceAllocation
- feature gate. \n This field is immutable. It
- can only be set for containers."
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry
in PodSpec.ResourceClaims.
properties:
name:
- description: Name must match the name of
- one entry in pod.spec.resourceClaims of
- the Pod where this field is used. It makes
- that resource available inside a container.
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
type: string
required:
- name
@@ -298,8 +621,9 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount
- of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
@@ -308,37 +632,58 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount
- of compute resources required. If Requests is
- omitted for a container, it defaults to Limits
- if that is explicitly specified, otherwise to
- an implementation-defined value. Requests cannot
- exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
securityContext:
- description: 'SecurityContext defines the security
- options the container should be run with. If set,
- the fields of SecurityContext override the equivalent
- fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
properties:
allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls
- whether a process can gain more privileges than
- its parent process. This bool directly controls
- if the no_new_privs flag will be set on the
- container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run
- as Privileged 2) has CAP_SYS_ADMIN Note that
- this field cannot be set when spec.os.name is
- windows.'
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
+ overrides the pod's appArmorProfile.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
capabilities:
- description: The capabilities to add/drop when
- running containers. Defaults to the default
- set of capabilities granted by the container
- runtime. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
add:
description: Added capabilities
@@ -347,6 +692,7 @@ spec:
capabilities type
type: string
type: array
+ x-kubernetes-list-type: atomic
drop:
description: Removed capabilities
items:
@@ -354,71 +700,63 @@ spec:
capabilities type
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
privileged:
- description: Run container in privileged mode.
- Processes in privileged containers are essentially
- equivalent to root on the host. Defaults to
- false. Note that this field cannot be set when
- spec.os.name is windows.
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
procMount:
- description: procMount denotes the type of proc
- mount to use for the containers. The default
- is DefaultProcMount which uses the container
- runtime defaults for readonly paths and masked
- paths. This requires the ProcMountType feature
- flag to be enabled. Note that this field cannot
- be set when spec.os.name is windows.
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default value is Default which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
type: string
readOnlyRootFilesystem:
- description: Whether this container has a read-only
- root filesystem. Default is false. Note that
- this field cannot be set when spec.os.name is
- windows.
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
runAsGroup:
- description: The GID to run the entrypoint of
- the container process. Uses runtime default
- if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
- description: Indicates that the container must
- run as a non-root user. If true, the Kubelet
- will validate the image at runtime to ensure
- that it does not run as UID 0 (root) and fail
- to start the container if it does. If unset
- or false, no such validation will be performed.
- May also be set in PodSecurityContext. If set
- in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence.
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
- description: The UID to run the entrypoint of
- the container process. Defaults to user specified
- in image metadata if unspecified. May also be
- set in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence. Note that
- this field cannot be set when spec.os.name is
- windows.
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
- description: The SELinux context to be applied
- to the container. If unspecified, the container
- runtime will allocate a random SELinux context
- for each container. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label
@@ -438,115 +776,124 @@ spec:
type: string
type: object
seccompProfile:
- description: The seccomp options to use by this
- container. If seccomp options are provided at
- both the pod & container level, the container
- options override the pod options. Note that
- this field cannot be set when spec.os.name is
- windows.
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
- description: localhostProfile indicates a
- profile defined in a file on the node should
- be used. The profile must be preconfigured
- on the node to work. Must be a descending
- path, relative to the kubelet's configured
- seccomp profile location. Must be set if
- type is "Localhost". Must NOT be set for
- any other type.
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
- description: "type indicates which kind of
- seccomp profile will be applied. Valid options
- are: \n Localhost - a profile defined in
- a file on the node should be used. RuntimeDefault
- - the container runtime default profile
- should be used. Unconfined - no profile
- should be applied."
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
type: string
required:
- type
type: object
windowsOptions:
- description: The Windows specific settings applied
- to all containers. If unspecified, the options
- from the PodSecurityContext will be used. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is linux.
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
- description: GMSACredentialSpec is where the
- GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
- inlines the contents of the GMSA credential
- spec named by the GMSACredentialSpecName
- field.
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the
name of the GMSA credential spec to use.
type: string
hostProcess:
- description: HostProcess determines if a container
- should be run as a 'Host Process' container.
- All of a Pod's containers must have the
- same effective HostProcess value (it is
- not allowed to have a mix of HostProcess
- containers and non-HostProcess containers).
- In addition, if HostProcess is true then
- HostNetwork must also be set to true.
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
- description: The UserName in Windows to run
- the entrypoint of the container process.
- Defaults to the user specified in image
- metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
volumeMounts:
- description: VolumeMounts are volumes to mount into
- the container's filesystem. Cannot be updated.
+ description: |-
+ VolumeMounts are volumes to mount into the container's filesystem.
+ Cannot be updated.
items:
description: VolumeMount describes a mounting of
a Volume within a container.
properties:
mountPath:
- description: Path within the container at which
- the volume should be mounted. Must not contain
- ':'.
+ description: |-
+ Path within the container at which the volume should be mounted. Must
+ not contain ':'.
type: string
mountPropagation:
- description: mountPropagation determines how
- mounts are propagated from the host to container
- and the other way around. When not set, MountPropagationNone
- is used. This field is beta in 1.10.
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
+ When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+ (which defaults to None).
type: string
name:
description: This must match the Name of a Volume.
type: string
readOnly:
- description: Mounted read-only if true, read-write
- otherwise (false or unspecified). Defaults
- to false.
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
type: boolean
+ recursiveReadOnly:
+ description: |-
+ RecursiveReadOnly specifies whether read-only mounts should be handled
+ recursively.
+
+ If ReadOnly is false, this field has no meaning and must be unspecified.
+
+ If ReadOnly is true, and this field is set to Disabled, the mount is not made
+ recursively read-only. If this field is set to IfPossible, the mount is made
+ recursively read-only, if it is supported by the container runtime. If this
+ field is set to Enabled, the mount is made recursively read-only if it is
+ supported by the container runtime, otherwise the pod will not be started and
+ an error will be generated to indicate the reason.
+
+ If this field is set to IfPossible or Enabled, MountPropagation must be set to
+ None (or be unspecified, which defaults to None).
+
+ If this field is not specified, it is treated as an equivalent of Disabled.
+ type: string
subPath:
- description: Path within the volume from which
- the container's volume should be mounted.
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
type: string
subPathExpr:
- description: Expanded path within the volume
- from which the container's volume should be
- mounted. Behaves similarly to SubPath but
- environment variable references $(VAR_NAME)
- are expanded using the container's environment.
- Defaults to "" (volume's root). SubPathExpr
- and SubPath are mutually exclusive.
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
type: string
required:
- mountPath
@@ -554,319 +901,4118 @@ spec:
type: object
type: array
type: object
- initContainers:
- description: 'List of initialization containers belonging
- to the pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/'
- items:
- description: A single application container that you
- want to run within a pod.
- properties:
- args:
- description: 'Arguments to the entrypoint. The container
- image''s CMD is used if this is not provided.
- Variable references $(VAR_NAME) are expanded using
- the container''s environment. If a variable cannot
- be resolved, the reference in the input string
- will be unchanged. Double $$ are reduced to a
- single $, which allows for escaping the $(VAR_NAME)
- syntax: i.e. "$$(VAR_NAME)" will produce the string
- literal "$(VAR_NAME)". Escaped references will
- never be expanded, regardless of whether the variable
- exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
- items:
- type: string
- type: array
- command:
- description: 'Entrypoint array. Not executed within
- a shell. The container image''s ENTRYPOINT is
- used if this is not provided. Variable references
- $(VAR_NAME) are expanded using the container''s
- environment. If a variable cannot be resolved,
- the reference in the input string will be unchanged.
- Double $$ are reduced to a single $, which allows
- for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)"
- will produce the string literal "$(VAR_NAME)".
- Escaped references will never be expanded, regardless
- of whether the variable exists or not. Cannot
- be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
- items:
- type: string
- type: array
- env:
- description: List of environment variables to set
- in the container. Cannot be updated.
- items:
- description: EnvVar represents an environment
- variable present in a Container.
- properties:
- name:
- description: Name of the environment variable.
- Must be a C_IDENTIFIER.
- type: string
- value:
- description: 'Variable references $(VAR_NAME)
- are expanded using the previously defined
- environment variables in the container and
- any service environment variables. If a
- variable cannot be resolved, the reference
- in the input string will be unchanged. Double
- $$ are reduced to a single $, which allows
- for escaping the $(VAR_NAME) syntax: i.e.
- "$$(VAR_NAME)" will produce the string literal
- "$(VAR_NAME)". Escaped references will never
- be expanded, regardless of whether the variable
- exists or not. Defaults to "".'
- type: string
- valueFrom:
- description: Source for the environment variable's
- value. Cannot be used if value is not empty.
- properties:
- configMapKeyRef:
- description: Selects a key of a ConfigMap.
- properties:
- key:
- description: The key to select.
- type: string
- name:
- description: 'Name of the referent.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
- type: string
- optional:
- description: Specify whether the ConfigMap
- or its key must be defined
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- fieldRef:
- description: 'Selects a field of the pod:
- supports metadata.name, metadata.namespace,
- `metadata.labels['''']`, `metadata.annotations['''']`,
- spec.nodeName, spec.serviceAccountName,
- status.hostIP, status.podIP, status.podIPs.'
- properties:
- apiVersion:
- description: Version of the schema
- the FieldPath is written in terms
- of, defaults to "v1".
- type: string
- fieldPath:
- description: Path of the field to
- select in the specified API version.
- type: string
- required:
- - fieldPath
- type: object
- x-kubernetes-map-type: atomic
- resourceFieldRef:
- description: 'Selects a resource of the
- container: only resources limits and
- requests (limits.cpu, limits.memory,
- limits.ephemeral-storage, requests.cpu,
- requests.memory and requests.ephemeral-storage)
- are currently supported.'
- properties:
- containerName:
- description: 'Container name: required
- for volumes, optional for env vars'
- type: string
- divisor:
- anyOf:
- - type: integer
- - type: string
- description: Specifies the output
- format of the exposed resources,
- defaults to "1"
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- resource:
- description: 'Required: resource to
- select'
- type: string
- required:
- - resource
- type: object
- x-kubernetes-map-type: atomic
- secretKeyRef:
- description: Selects a key of a secret
- in the pod's namespace
- properties:
- key:
- description: The key of the secret
- to select from. Must be a valid
- secret key.
- type: string
- name:
- description: 'Name of the referent.
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
- type: string
- optional:
- description: Specify whether the Secret
- or its key must be defined
- type: boolean
- required:
- - key
- type: object
- x-kubernetes-map-type: atomic
- type: object
- required:
- - name
- type: object
- type: array
- envFrom:
- description: List of sources to populate environment
- variables in the container. The keys defined within
- a source must be a C_IDENTIFIER. All invalid keys
- will be reported as an event when the container
- is starting. When a key exists in multiple sources,
- the value associated with the last source will
- take precedence. Values defined by an Env with
- a duplicate key will take precedence. Cannot be
- updated.
- items:
- description: EnvFromSource represents the source
- of a set of ConfigMaps
+ name:
+ description: |-
+ Name of the daemonSet.
+ When unset, this defaults to an autogenerated name.
+ type: string
+ patch:
+ description: Patch defines how to perform the patch operation
+ to daemonset
+ properties:
+ type:
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
+ type: string
+ value:
+ description: Object contains the raw configuration
+ for merged object
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - value
+ type: object
+ pod:
+ description: Pod defines the desired specification of
+ pod.
+ properties:
+ affinity:
+ description: If specified, the pod's scheduling constraints.
+ properties:
+ nodeAffinity:
+ description: Describes node affinity scheduling
+ rules for the pod.
properties:
- configMapRef:
- description: The ConfigMap to select from
- properties:
- name:
- description: 'Name of the referent. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
- type: string
- optional:
- description: Specify whether the ConfigMap
- must be defined
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- prefix:
- description: An optional identifier to prepend
- to each key in the ConfigMap. Must be a
- C_IDENTIFIER.
- type: string
- secretRef:
- description: The Secret to select from
- properties:
- name:
- description: 'Name of the referent. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
- type: string
- optional:
- description: Specify whether the Secret
- must be defined
- type: boolean
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: array
- image:
- description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images
- This field is optional to allow higher level config
- management to default or override container images
- in workload controllers like Deployments and StatefulSets.'
- type: string
- imagePullPolicy:
- description: 'Image pull policy. One of Always,
- Never, IfNotPresent. Defaults to Always if :latest
- tag is specified, or IfNotPresent otherwise. Cannot
- be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'
- type: string
- lifecycle:
- description: Actions that the management system
- should take in response to container lifecycle
- events. Cannot be updated.
- properties:
- postStart:
- description: 'PostStart is called immediately
- after a container is created. If the handler
- fails, the container is terminated and restarted
- according to its restart policy. Other management
- of the container blocks until the hook completes.
- More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
- properties:
- exec:
- description: Exec specifies the action to
- take.
- properties:
- command:
- description: Command is the command
- line to execute inside the container,
- the working directory for the command is
- root ('/') in the container's filesystem.
- The command is simply exec'd, it is
- not run inside a shell, so traditional
- shell instructions ('|', etc) won't
- work. To use a shell, you need to
- explicitly call out to that shell.
- Exit status of 0 is treated as live/healthy
- and non-zero is unhealthy.
- items:
- type: string
- type: array
- type: object
- httpGet:
- description: HTTPGet specifies the http
- request to perform.
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
properties:
- host:
- description: Host name to connect to,
- defaults to the pod IP. You probably
- want to set "Host" in httpHeaders
- instead.
- type: string
- httpHeaders:
- description: Custom headers to set in
- the request. HTTP allows repeated
- headers.
- items:
- description: HTTPHeader describes
- a custom header to be used in HTTP
- probes
- properties:
- name:
- description: The header field
- name. This will be canonicalized
- upon output, so case-variant
- names will be understood as
- the same header.
- type: string
- value:
- description: The header field
- value
- type: string
- required:
- - name
- - value
- type: object
- type: array
- path:
- description: Path to access on the HTTP
- server.
- type: string
- port:
- anyOf:
- - type: integer
- - type: string
- description: Name or number of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
- x-kubernetes-int-or-string: true
- scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
- type: string
- required:
+ preference:
+ description: A node selector term, associated
+ with the corresponding weight.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ description: Weight associated with
+ matching the corresponding nodeSelectorTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
+ properties:
+ nodeSelectorTerms:
+ description: Required. A list of node
+ selector terms. The terms are ORed.
+ items:
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
+ properties:
+ matchExpressions:
+ description: A list of node selector
+ requirements by node's labels.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector
+ requirements by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key
+ that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ description: Describes pod affinity scheduling
+ rules (e.g. co-locate this pod in the same node,
+ zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ description: Describes pod anti-affinity scheduling
+ rules (e.g. avoid putting this pod in the same
+ node, zone, etc. as some other pod(s)).
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
+ items:
+ description: The weights of all of the matched
+ WeightedPodAffinityTerm fields are added
+ per-node to find the most preferred node(s)
+ properties:
+ podAffinityTerm:
+ description: Required. A pod affinity
+ term, associated with the corresponding
+ weight.
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is
+ a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations are the annotations that should be appended to the pods.
+ By default, no pod annotations are appended.
+ type: object
+ imagePullSecrets:
+ description: |-
+ ImagePullSecrets is an optional list of references to secrets
+ in the same namespace to use for pulling any of the images used by this PodSpec.
+ If specified, these secrets will be passed to individual puller implementations for them to use.
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
+ items:
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels are the additional labels that should be tagged to the pods.
+ By default, no additional pod labels are tagged.
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ type: object
+ securityContext:
+ description: |-
+ SecurityContext holds pod-level security attributes and common container settings.
+ Optional: Defaults to empty. See type description for default values of each field.
+ properties:
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ description: |-
+ A special supplemental group that applies to all containers in a pod.
+ Some volume types allow the Kubelet to change the ownership of that volume
+ to be owned by the pod:
+
+ 1. The owning GID will be the FSGroup
+ 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+ 3. The permission bits are OR'd with rw-rw----
+
+ If unset, the Kubelet will not modify the ownership and permissions of any volume.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ description: |-
+ fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+ before being exposed inside Pod. This field will only apply to
+ volume types which support fsGroup based ownership(and permissions).
+ It will have no effect on ephemeral volume types such as: secret, configmaps
+ and emptydir.
+ Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to all containers.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in SecurityContext. If set in
+ both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+ takes precedence for that container.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label
+ that applies to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label
+ that applies to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label
+ that applies to the container.
+ type: string
+ user:
+ description: User is a SELinux user label
+ that applies to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ description: |-
+ A list of groups applied to the first process run in each container, in
+ addition to the container's primary GID and fsGroup (if specified). If
+ the SupplementalGroupsPolicy feature is enabled, the
+ supplementalGroupsPolicy field determines whether these are in addition
+ to or instead of any group memberships defined in the container image.
+ If unspecified, no additional groups are added, though group memberships
+ defined in the container image may still be used, depending on the
+ supplementalGroupsPolicy field.
+ Note that this field cannot be set when spec.os.name is windows.
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ description: |-
+ Defines how supplemental groups of the first container processes are calculated.
+ Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+ (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+ and the container runtime must implement support for this feature.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ sysctls:
+ description: |-
+ Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+ sysctls (by the container runtime) might fail to launch.
+ Note that this field cannot be set when spec.os.name is windows.
+ items:
+ description: Sysctl defines a kernel parameter
+ to be set
+ properties:
+ name:
+ description: Name of a property to set
+ type: string
+ value:
+ description: Value of a property to set
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options within a container's SecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
+ name of the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
+ tolerations:
+ description: If specified, the pod's tolerations.
+ items:
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
+ properties:
+ effect:
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
+ type: string
+ key:
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
+ type: string
+ operator:
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
+ type: string
+ tolerationSeconds:
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
+ format: int64
+ type: integer
+ value:
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
+ items:
+ description: TopologySpreadConstraint specifies
+ how to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ volumes:
+ description: |-
+ Volumes that can be mounted by containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes
+ items:
+ description: Volume represents a named volume in
+ a pod that may be accessed by any container in
+ the pod.
+ properties:
+ awsElasticBlockStore:
+ description: |-
+ awsElasticBlockStore represents an AWS Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly value true will force the readOnly setting in VolumeMounts.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: boolean
+ volumeID:
+ description: |-
+ volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ description: azureDisk represents an Azure Data
+ Disk mount on the host and bind mount to the
+ pod.
+ properties:
+ cachingMode:
+ description: 'cachingMode is the Host Caching
+ mode: None, Read Only, Read Write.'
+ type: string
+ diskName:
+ description: diskName is the Name of the
+ data disk in the blob storage
+ type: string
+ diskURI:
+ description: diskURI is the URI of data
+ disk in the blob storage
+ type: string
+ fsType:
+ default: ext4
+ description: |-
+ fsType is Filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ kind:
+ description: 'kind expected values are Shared:
+ multiple blob disks per storage account Dedicated:
+ single blob disk per storage account Managed:
+ azure managed data disk (only in managed
+ availability set). defaults to shared'
+ type: string
+ readOnly:
+ default: false
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ description: azureFile represents an Azure File
+ Service mount on the host and bind mount to
+ the pod.
+ properties:
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretName:
+ description: secretName is the name of
+ secret that contains Azure Storage Account
+ Name and Key
+ type: string
+ shareName:
+ description: shareName is the azure share
+ Name
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ description: cephFS represents a Ceph FS mount
+ on the host that shares a pod's lifetime
+ properties:
+ monitors:
+ description: |-
+ monitors is Required: Monitors is a collection of Ceph monitors
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: 'path is Optional: Used as
+ the mounted root, rather than the full
+ Ceph tree, default is /'
+ type: string
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: boolean
+ secretFile:
+ description: |-
+ secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ secretRef:
+ description: |-
+ secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ description: |-
+ user is optional: User is the rados user name, default is admin
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ description: |-
+ cinder represents a cinder volume attached and mounted on kubelets host machine.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is optional: points to a secret object containing parameters used to connect
+ to OpenStack.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ description: |-
+ volumeID used to identify the volume in cinder.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ description: configMap represents a configMap
+ that should populate this volume
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional specify whether the
+ ConfigMap or its keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ description: csi (Container Storage Interface)
+ represents ephemeral storage that is handled
+ by certain external CSI drivers (Beta feature).
+ properties:
+ driver:
+ description: |-
+ driver is the name of the CSI driver that handles this volume.
+ Consult with your admin for the correct name as registered in the cluster.
+ type: string
+ fsType:
+ description: |-
+ fsType to mount. Ex. "ext4", "xfs", "ntfs".
+ If not provided, the empty value is passed to the associated CSI driver
+ which will determine the default filesystem to apply.
+ type: string
+ nodePublishSecretRef:
+ description: |-
+ nodePublishSecretRef is a reference to the secret object containing
+ sensitive information to pass to the CSI driver to complete the CSI
+ NodePublishVolume and NodeUnpublishVolume calls.
+ This field is optional, and may be empty if no secret is required. If the
+ secret object contains more than one secret, all secret references are passed.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ description: |-
+ readOnly specifies a read-only configuration for the volume.
+ Defaults to false (read/write).
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ description: |-
+ volumeAttributes stores driver-specific properties that are passed to the CSI
+ driver. Consult your driver's documentation for supported values.
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ description: downwardAPI represents downward
+ API about the pod that should populate this
+ volume
+ properties:
+ defaultMode:
+ description: |-
+ Optional: mode bits to use on created files by default. Must be a
+ Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: Items is a list of downward
+ API volume file
+ items:
+ description: DownwardAPIVolumeFile represents
+ information to create the file containing
+ the pod field
+ properties:
+ fieldRef:
+ description: 'Required: Selects a
+ field of the pod: only annotations,
+ labels, name, namespace and uid
+ are supported.'
+ properties:
+ apiVersion:
+ description: Version of the schema
+ the FieldPath is written in
+ terms of, defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field
+ to select in the specified API
+ version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required: Path is the
+ relative path name of the file to
+ be created. Must not be absolute
+ or contain the ''..'' path. Must
+ be utf-8 encoded. The first item
+ of the relative path must not start
+ with ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name:
+ required for volumes, optional
+ for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output
+ format of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource
+ to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ description: |-
+ emptyDir represents a temporary directory that shares a pod's lifetime.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ properties:
+ medium:
+ description: |-
+ medium represents what type of storage medium should back this directory.
+ The default is "" which means to use the node's default medium.
+ Must be an empty string (default) or Memory.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ sizeLimit is the total amount of local storage required for this EmptyDir volume.
+ The size limit is also applicable for memory medium.
+ The maximum usage on memory medium EmptyDir would be the minimum value between
+ the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+ The default is nil which means that the limit is undefined.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ description: |-
+ ephemeral represents a volume that is handled by a cluster storage driver.
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+ and deleted when the pod is removed.
+
+ Use this if:
+ a) the volume is only needed while the pod runs,
+ b) features of normal volumes like restoring from snapshot or capacity
+ tracking are needed,
+ c) the storage driver is specified through a storage class, and
+ d) the storage driver supports dynamic volume provisioning through
+ a PersistentVolumeClaim (see EphemeralVolumeSource for more
+ information on the connection between this volume type
+ and PersistentVolumeClaim).
+
+ Use PersistentVolumeClaim or one of the vendor-specific
+ APIs for volumes that persist for longer than the lifecycle
+ of an individual pod.
+
+ Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+ be used that way - see the documentation of the driver for
+ more information.
+
+ A pod can use both types of ephemeral volumes and
+ persistent volumes at the same time.
+ properties:
+ volumeClaimTemplate:
+ description: |-
+ Will be used to create a stand-alone PVC to provision the volume.
+ The pod in which this EphemeralVolumeSource is embedded will be the
+ owner of the PVC, i.e. the PVC will be deleted together with the
+ pod. The name of the PVC will be `-` where
+ `` is the name from the `PodSpec.Volumes` array
+ entry. Pod validation will reject the pod if the concatenated name
+ is not valid for a PVC (for example, too long).
+
+ An existing PVC with that name that is not owned by the pod
+ will *not* be used for the pod to avoid using an unrelated
+ volume by mistake. Starting the pod is then blocked until
+ the unrelated PVC is removed. If such a pre-created PVC is
+ meant to be used by the pod, the PVC has to updated with an
+ owner reference to the pod once the pod exists. Normally
+ this should not be necessary, but it may be useful when
+ manually reconstructing a broken cluster.
+
+ This field is read-only and no changes will be made by Kubernetes
+ to the PVC after it has been created.
+
+ Required, must not be nil.
+ properties:
+ metadata:
+ description: |-
+ May contain labels and annotations that will be copied into the PVC
+ when creating it. No other fields are allowed and will be rejected during
+ validation.
+ type: object
+ spec:
+ description: |-
+ The specification for the PersistentVolumeClaim. The entire content is
+ copied unchanged into the PVC that gets created from this
+ template. The same fields as in a PersistentVolumeClaim
+ are also valid here.
+ properties:
+ accessModes:
+ description: |-
+ accessModes contains the desired access modes the volume should have.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ description: |-
+ dataSource field can be used to specify either:
+ * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
+ * An existing PVC (PersistentVolumeClaim)
+ If the provisioner or an external controller can support the specified data source,
+ it will create a new volume based on the contents of the specified data source.
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+ and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+ If the namespace is specified, then dataSourceRef will not be copied to dataSource.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type
+ of resource being referenced
+ type: string
+ name:
+ description: Name is the name
+ of resource being referenced
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ description: |-
+ dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+ volume is desired. This may be any object from a non-empty API group (non
+ core object) or a PersistentVolumeClaim object.
+ When this field is specified, volume binding will only succeed if the type of
+ the specified object matches some installed volume populator or dynamic
+ provisioner.
+ This field will replace the functionality of the dataSource field and as such
+ if both fields are non-empty, they must have the same value. For backwards
+ compatibility, when namespace isn't specified in dataSourceRef,
+ both fields (dataSource and dataSourceRef) will be set to the same
+ value automatically if one of them is empty and the other is non-empty.
+ When namespace is specified in dataSourceRef,
+ dataSource isn't set to the same value and must be empty.
+ There are three important differences between dataSource and dataSourceRef:
+ * While dataSource only allows two specific types of objects, dataSourceRef
+ allows any non-core object, as well as PersistentVolumeClaim objects.
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef
+ preserves all values, and generates an error if a disallowed value is
+ specified.
+ * While dataSource only allows local objects, dataSourceRef allows objects
+ in any namespaces.
+ (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ properties:
+ apiGroup:
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
+ type: string
+ kind:
+ description: Kind is the type
+ of resource being referenced
+ type: string
+ name:
+ description: Name is the name
+ of resource being referenced
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of resource being referenced
+ Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+ (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ description: |-
+ resources represents the minimum resources the volume should have.
+ If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
+ that are lower than previous value but must still be higher than capacity recorded in the
+ status field of the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ selector:
+ description: selector is a label
+ query over volumes to consider
+ for binding.
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the
+ label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ description: |-
+ storageClassName is the name of the StorageClass required by the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
+ type: string
+ volumeAttributesClassName:
+ description: |-
+ volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+ If specified, the CSI driver will create or update the volume with the attributes defined
+ in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+ it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+ will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+ If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+ will be set by the persistentvolume controller if it exists.
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+ set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+ exists.
+ More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+ (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
+ type: string
+ volumeMode:
+ description: |-
+ volumeMode defines what type of volume is required by the claim.
+ Value of Filesystem is implied when not included in claim spec.
+ type: string
+ volumeName:
+ description: volumeName is the binding
+ reference to the PersistentVolume
+ backing this claim.
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ description: fc represents a Fibre Channel resource
+ that is attached to a kubelet's host machine
+ and then exposed to the pod.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ lun:
+ description: 'lun is Optional: FC target
+ lun number'
+ format: int32
+ type: integer
+ readOnly:
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ targetWWNs:
+ description: 'targetWWNs is Optional: FC
+ target worldwide names (WWNs)'
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ description: |-
+ wwids Optional: FC volume world wide identifiers (wwids)
+ Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ description: |-
+ flexVolume represents a generic volume resource that is
+ provisioned/attached using an exec based plugin.
+ properties:
+ driver:
+ description: driver is the name of the driver
+ to use for this volume.
+ type: string
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ description: 'options is Optional: this
+ field holds extra command options if any.'
+ type: object
+ readOnly:
+ description: |-
+ readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is Optional: secretRef is reference to the secret object containing
+ sensitive information to pass to the plugin scripts. This may be
+ empty if no secret object is specified. If the secret object
+ contains more than one secret, all secrets are passed to the plugin
+ scripts.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ description: flocker represents a Flocker volume
+ attached to a kubelet's host machine. This
+ depends on the Flocker control service being
+ running
+ properties:
+ datasetName:
+ description: |-
+ datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+ should be considered as deprecated
+ type: string
+ datasetUUID:
+ description: datasetUUID is the UUID of
+ the dataset. This is unique identifier
+ of a Flocker dataset
+ type: string
+ type: object
+ gcePersistentDisk:
+ description: |-
+ gcePersistentDisk represents a GCE Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: string
+ partition:
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ format: int32
+ type: integer
+ pdName:
+ description: |-
+ pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ description: |-
+ gitRepo represents a git repository at a particular revision.
+ DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+ EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+ into the Pod's container.
+ properties:
+ directory:
+ description: |-
+ directory is the target directory name.
+ Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
+ git repository. Otherwise, if specified, the volume will contain the git repository in
+ the subdirectory with the given name.
+ type: string
+ repository:
+ description: repository is the URL
+ type: string
+ revision:
+ description: revision is the commit hash
+ for the specified revision.
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ description: |-
+ glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md
+ properties:
+ endpoints:
+ description: |-
+ endpoints is the endpoint name that details Glusterfs topology.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: string
+ path:
+ description: |-
+ path is the Glusterfs volume path.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ description: |-
+ hostPath represents a pre-existing file or directory on the host
+ machine that is directly exposed to the container. This is generally
+ used for system agents or other privileged things that are allowed
+ to see the host machine. Most containers will NOT need this.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ properties:
+ path:
+ description: |-
+ path of the directory on the host.
+ If the path is a symlink, it will follow the link to the real path.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ type:
+ description: |-
+ type for HostPath Volume
+ Defaults to ""
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
+ type: string
+ required:
+ - path
+ type: object
+ image:
+ description: |-
+ image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+ The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+ - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+ The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+ A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+ The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+ The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+ The volume will be mounted read-only (ro) and non-executable files (noexec).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+ properties:
+ pullPolicy:
+ description: |-
+ Policy for pulling OCI objects. Possible values are:
+ Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+ Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+ type: string
+ reference:
+ description: |-
+ Required: Image or artifact reference to be used.
+ Behaves in the same way as pod.spec.containers[*].image.
+ Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+ More info: https://kubernetes.io/docs/concepts/containers/images
+ This field is optional to allow higher level config management to default or override
+ container images in workload controllers like Deployments and StatefulSets.
+ type: string
+ type: object
+ iscsi:
+ description: |-
+ iscsi represents an ISCSI Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://examples.k8s.io/volumes/iscsi/README.md
+ properties:
+ chapAuthDiscovery:
+ description: chapAuthDiscovery defines whether
+ support iSCSI Discovery CHAP authentication
+ type: boolean
+ chapAuthSession:
+ description: chapAuthSession defines whether
+ support iSCSI Session CHAP authentication
+ type: boolean
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
+ type: string
+ initiatorName:
+ description: |-
+ initiatorName is the custom iSCSI Initiator Name.
+ If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+ : will be created for the connection.
+ type: string
+ iqn:
+ description: iqn is the target iSCSI Qualified
+ Name.
+ type: string
+ iscsiInterface:
+ default: default
+ description: |-
+ iscsiInterface is the interface Name that uses an iSCSI transport.
+ Defaults to 'default' (tcp).
+ type: string
+ lun:
+ description: lun represents iSCSI Target
+ Lun number.
+ format: int32
+ type: integer
+ portals:
+ description: |-
+ portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ type: boolean
+ secretRef:
+ description: secretRef is the CHAP Secret
+ for iSCSI target and initiator authentication
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ description: |-
+ targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ description: |-
+ name of the volume.
+ Must be a DNS_LABEL and unique within the pod.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ nfs:
+ description: |-
+ nfs represents an NFS mount on the host that shares a pod's lifetime
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ properties:
+ path:
+ description: |-
+ path that is exported by the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the NFS export to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: boolean
+ server:
+ description: |-
+ server is the hostname or IP address of the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ description: |-
+ persistentVolumeClaimVolumeSource represents a reference to a
+ PersistentVolumeClaim in the same namespace.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ properties:
+ claimName:
+ description: |-
+ claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
+ type: string
+ readOnly:
+ description: |-
+ readOnly Will force the ReadOnly setting in VolumeMounts.
+ Default false.
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ description: photonPersistentDisk represents
+ a PhotonController persistent disk attached
+ and mounted on kubelets host machine
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ pdID:
+ description: pdID is the ID that identifies
+ Photon Controller persistent disk
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ description: portworxVolume represents a portworx
+ volume attached and mounted on kubelets host
+ machine
+ properties:
+ fsType:
+ description: |-
+ fSType represents the filesystem type to mount
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ volumeID:
+ description: volumeID uniquely identifies
+ a Portworx volume
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ description: projected items for all in one
+ resources secrets, configmaps, and downward
+ API
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode are the mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ sources:
+ description: |-
+ sources is the list of volume projections. Each entry in this list
+ handles one source.
+ items:
+ description: |-
+ Projection that may be projected along with other supported volume types.
+ Exactly one of these fields must be set.
+ properties:
+ clusterTrustBundle:
+ description: |-
+ ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+ of ClusterTrustBundle objects in an auto-updating file.
+
+ Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+ ClusterTrustBundle objects can either be selected by name, or by the
+ combination of signer name and a label selector.
+
+ Kubelet performs aggressive normalization of the PEM contents written
+ into the pod filesystem. Esoteric PEM features such as inter-block
+ comments and block headers are stripped. Certificates are deduplicated.
+ The ordering of certificates within the file is arbitrary, and Kubelet
+ may change the order over time.
+ properties:
+ labelSelector:
+ description: |-
+ Select all ClusterTrustBundles that match this label selector. Only has
+ effect if signerName is set. Mutually-exclusive with name. If unset,
+ interpreted as "match nothing". If set but empty, interpreted as "match
+ everything".
+ properties:
+ matchExpressions:
+ description: matchExpressions
+ is a list of label selector
+ requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is
+ the label key that
+ the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ description: |-
+ Select a single ClusterTrustBundle by object name. Mutually-exclusive
+ with signerName and labelSelector.
+ type: string
+ optional:
+ description: |-
+ If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+ aren't available. If using name, then the named ClusterTrustBundle is
+ allowed not to exist. If using signerName, then the combination of
+ signerName and labelSelector is allowed to match zero
+ ClusterTrustBundles.
+ type: boolean
+ path:
+ description: Relative path from
+ the volume root to write the
+ bundle.
+ type: string
+ signerName:
+ description: |-
+ Select all ClusterTrustBundles that match this signer name.
+ Mutually-exclusive with name. The contents of all selected
+ ClusterTrustBundles will be unified and deduplicated.
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ description: configMap information
+ about the configMap data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key
+ to a path within a volume.
+ properties:
+ key:
+ description: key is the
+ key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional specify
+ whether the ConfigMap or its
+ keys must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ description: downwardAPI information
+ about the downwardAPI data to project
+ properties:
+ items:
+ description: Items is a list of
+ DownwardAPIVolume file
+ items:
+ description: DownwardAPIVolumeFile
+ represents information to
+ create the file containing
+ the pod field
+ properties:
+ fieldRef:
+ description: 'Required:
+ Selects a field of the
+ pod: only annotations,
+ labels, name, namespace
+ and uid are supported.'
+ properties:
+ apiVersion:
+ description: Version
+ of the schema the
+ FieldPath is written
+ in terms of, defaults
+ to "v1".
+ type: string
+ fieldPath:
+ description: Path of
+ the field to select
+ in the specified API
+ version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: 'Required:
+ Path is the relative
+ path name of the file
+ to be created. Must not
+ be absolute or contain
+ the ''..'' path. Must
+ be utf-8 encoded. The
+ first item of the relative
+ path must not start with
+ ''..'''
+ type: string
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
+ properties:
+ containerName:
+ description: 'Container
+ name: required for
+ volumes, optional
+ for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies
+ the output format
+ of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required:
+ resource to select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ description: secret information about
+ the secret data to project
+ properties:
+ items:
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key
+ to a path within a volume.
+ properties:
+ key:
+ description: key is the
+ key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: optional field specify
+ whether the Secret or its key
+ must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ description: serviceAccountToken is
+ information about the serviceAccountToken
+ data to project
+ properties:
+ audience:
+ description: |-
+ audience is the intended audience of the token. A recipient of a token
+ must identify itself with an identifier specified in the audience of the
+ token, and otherwise should reject the token. The audience defaults to the
+ identifier of the apiserver.
+ type: string
+ expirationSeconds:
+ description: |-
+ expirationSeconds is the requested duration of validity of the service
+ account token. As the token approaches expiration, the kubelet volume
+ plugin will proactively rotate the service account token. The kubelet will
+ start trying to rotate the token if the token is older than 80 percent of
+ its time to live or if the token is older than 24 hours.Defaults to 1 hour
+ and must be at least 10 minutes.
+ format: int64
+ type: integer
+ path:
+ description: |-
+ path is the path relative to the mount point of the file to project the
+ token into.
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ description: quobyte represents a Quobyte mount
+ on the host that shares a pod's lifetime
+ properties:
+ group:
+ description: |-
+ group to map volume access to
+ Default is no group
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+ Defaults to false.
+ type: boolean
+ registry:
+ description: |-
+ registry represents a single or multiple Quobyte Registry services
+ specified as a string as host:port pair (multiple entries are separated with commas)
+ which acts as the central registry for volumes
+ type: string
+ tenant:
+ description: |-
+ tenant owning the given Quobyte volume in the Backend
+ Used with dynamically provisioned Quobyte volumes, value is set by the plugin
+ type: string
+ user:
+ description: |-
+ user to map volume access to
+ Defaults to serivceaccount user
+ type: string
+ volume:
+ description: volume is a string that references
+ an already created Quobyte volume by name.
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ description: |-
+ rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/rbd/README.md
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
+ type: string
+ image:
+ description: |-
+ image is the rados image name.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ keyring:
+ default: /etc/ceph/keyring
+ description: |-
+ keyring is the path to key ring for RBDUser.
+ Default is /etc/ceph/keyring.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ monitors:
+ description: |-
+ monitors is a collection of Ceph monitors.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ default: rbd
+ description: |-
+ pool is the rados pool name.
+ Default is rbd.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ readOnly:
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef is name of the authentication secret for RBDUser. If provided
+ overrides keyring.
+ Default is nil.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ default: admin
+ description: |-
+ user is the rados user name.
+ Default is admin.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ description: scaleIO represents a ScaleIO persistent
+ volume attached and mounted on Kubernetes
+ nodes.
+ properties:
+ fsType:
+ default: xfs
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs".
+ Default is "xfs".
+ type: string
+ gateway:
+ description: gateway is the host address
+ of the ScaleIO API Gateway.
+ type: string
+ protectionDomain:
+ description: protectionDomain is the name
+ of the ScaleIO Protection Domain for the
+ configured storage.
+ type: string
+ readOnly:
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef references to the secret for ScaleIO user and other
+ sensitive information. If this is not provided, Login operation will fail.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ description: sslEnabled Flag enable/disable
+ SSL communication with Gateway, default
+ false
+ type: boolean
+ storageMode:
+ default: ThinProvisioned
+ description: |-
+ storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+ Default is ThinProvisioned.
+ type: string
+ storagePool:
+ description: storagePool is the ScaleIO
+ Storage Pool associated with the protection
+ domain.
+ type: string
+ system:
+ description: system is the name of the storage
+ system as configured in ScaleIO.
+ type: string
+ volumeName:
+ description: |-
+ volumeName is the name of a volume already created in the ScaleIO system
+ that is associated with this volume source.
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ description: |-
+ secret represents a secret that should populate this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ properties:
+ defaultMode:
+ description: |-
+ defaultMode is Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values
+ for mode bits. Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ items:
+ description: |-
+ items If unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
+ items:
+ description: Maps a string key to a path
+ within a volume.
+ properties:
+ key:
+ description: key is the key to project.
+ type: string
+ mode:
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
+ format: int32
+ type: integer
+ path:
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ description: optional field specify whether
+ the Secret or its keys must be defined
+ type: boolean
+ secretName:
+ description: |-
+ secretName is the name of the secret in the pod's namespace to use.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
+ type: string
+ type: object
+ storageos:
+ description: storageOS represents a StorageOS
+ volume attached and mounted on Kubernetes
+ nodes.
+ properties:
+ fsType:
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ readOnly:
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ type: boolean
+ secretRef:
+ description: |-
+ secretRef specifies the secret to use for obtaining the StorageOS API
+ credentials. If not specified, default values will be attempted.
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ description: |-
+ volumeName is the human-readable name of the StorageOS volume. Volume
+ names are only unique within a namespace.
+ type: string
+ volumeNamespace:
+ description: |-
+ volumeNamespace specifies the scope of the volume within StorageOS. If no
+ namespace is specified then the Pod's namespace will be used. This allows the
+ Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+ Set VolumeName to any name to override the default behaviour.
+ Set to "default" if you are not using namespaces within StorageOS.
+ Namespaces that do not pre-exist within StorageOS will be created.
+ type: string
+ type: object
+ vsphereVolume:
+ description: vsphereVolume represents a vSphere
+ volume attached and mounted on kubelets host
+ machine
+ properties:
+ fsType:
+ description: |-
+ fsType is filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ type: string
+ storagePolicyID:
+ description: storagePolicyID is the storage
+ Policy Based Management (SPBM) profile
+ ID associated with the StoragePolicyName.
+ type: string
+ storagePolicyName:
+ description: storagePolicyName is the storage
+ Policy Based Management (SPBM) profile
+ name.
+ type: string
+ volumePath:
+ description: volumePath is the path that
+ identifies vSphere volume vmdk
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ strategy:
+ description: The daemonset strategy to use to replace
+ existing pods with new ones.
+ properties:
+ rollingUpdate:
+ description: Rolling update config params. Present
+ only if type = "RollingUpdate".
+ properties:
+ maxSurge:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of nodes with an existing available DaemonSet pod that
+ can have an updated DaemonSet pod during during an update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up to a minimum of 1.
+ Default value is 0.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their a new pod created before the old pod is marked as deleted.
+ The update starts by launching new pods on 30% of nodes. Once an updated
+ pod is available (Ready for at least minReadySeconds) the old DaemonSet pod
+ on that node is marked deleted. If the old pod becomes unavailable for any
+ reason (Ready transitions to false, is evicted, or is drained) an updated
+ pod is immediatedly created on that node without considering surge limits.
+ Allowing surge implies the possibility that the resources consumed by the
+ daemonset on any given node can double if the readiness check fails, and
+ so resource intensive daemonsets should take into account that they may
+ cause evictions during disruption.
+ x-kubernetes-int-or-string: true
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ The maximum number of DaemonSet pods that can be unavailable during the
+ update. Value can be an absolute number (ex: 5) or a percentage of total
+ number of DaemonSet pods at the start of the update (ex: 10%). Absolute
+ number is calculated from percentage by rounding up.
+ This cannot be 0 if MaxSurge is 0
+ Default value is 1.
+ Example: when this is set to 30%, at most 30% of the total number of nodes
+ that should be running the daemon pod (i.e. status.desiredNumberScheduled)
+ can have their pods stopped for an update at any given time. The update
+ starts by stopping at most 30% of those DaemonSet pods and then brings
+ up new DaemonSet pods in their place. Once the new pods are available,
+ it then proceeds onto other DaemonSet pods, thus ensuring that at least
+ 70% of original number of DaemonSet pods are available at all times during
+ the update.
+ x-kubernetes-int-or-string: true
+ type: object
+ type:
+ description: Type of daemon set update. Can be "RollingUpdate"
+ or "OnDelete". Default is RollingUpdate.
+ type: string
+ type: object
+ type: object
+ envoyDeployment:
+ description: |-
+ EnvoyDeployment defines the desired state of the Envoy deployment resource.
+ If unspecified, default settings for the managed Envoy deployment resource
+ are applied.
+ properties:
+ container:
+ description: Container defines the desired specification
+ of main container.
+ properties:
+ env:
+ description: List of environment variables to set
+ in the container.
+ items:
+ description: EnvVar represents an environment variable
+ present in a Container.
+ properties:
+ name:
+ description: Name of the environment variable.
+ Must be a C_IDENTIFIER.
+ type: string
+ value:
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
+ type: string
+ valueFrom:
+ description: Source for the environment variable's
+ value. Cannot be used if value is not empty.
+ properties:
+ configMapKeyRef:
+ description: Selects a key of a ConfigMap.
+ properties:
+ key:
+ description: The key to select.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the ConfigMap
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+ properties:
+ apiVersion:
+ description: Version of the schema the
+ FieldPath is written in terms of,
+ defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field to select
+ in the specified API version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name: required
+ for volumes, optional for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output format
+ of the exposed resources, defaults
+ to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource to
+ select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ description: Selects a key of a secret in
+ the pod's namespace
+ properties:
+ key:
+ description: The key of the secret to
+ select from. Must be a valid secret
+ key.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ image:
+ description: Image specifies the EnvoyProxy container
+ image to be used, instead of the default image.
+ type: string
+ resources:
+ description: |-
+ Resources required by this container.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ properties:
+ claims:
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
+ items:
+ description: ResourceClaim references one entry
+ in PodSpec.ResourceClaims.
+ properties:
+ name:
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ type: object
+ type: object
+ securityContext:
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ properties:
+ allowPrivilegeEscalation:
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
+ overrides the pod's appArmorProfile.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ add:
+ description: Added capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ description: Removed capabilities
+ items:
+ description: Capability represent POSIX
+ capabilities type
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ procMount:
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default value is Default which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
+ readOnlyRootFilesystem:
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: boolean
+ runAsGroup:
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ runAsNonRoot:
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: boolean
+ runAsUser:
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ format: int64
+ type: integer
+ seLinuxOptions:
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ level:
+ description: Level is SELinux level label
+ that applies to the container.
+ type: string
+ role:
+ description: Role is a SELinux role label
+ that applies to the container.
+ type: string
+ type:
+ description: Type is a SELinux type label
+ that applies to the container.
+ type: string
+ user:
+ description: User is a SELinux user label
+ that applies to the container.
+ type: string
+ type: object
+ seccompProfile:
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
+ type: string
+ type:
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
+ properties:
+ gmsaCredentialSpec:
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
+ type: string
+ gmsaCredentialSpecName:
+ description: GMSACredentialSpecName is the
+ name of the GMSA credential spec to use.
+ type: string
+ hostProcess:
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
+ type: boolean
+ runAsUserName:
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ type: string
+ type: object
+ type: object
+ volumeMounts:
+ description: |-
+ VolumeMounts are volumes to mount into the container's filesystem.
+ Cannot be updated.
+ items:
+ description: VolumeMount describes a mounting of
+ a Volume within a container.
+ properties:
+ mountPath:
+ description: |-
+ Path within the container at which the volume should be mounted. Must
+ not contain ':'.
+ type: string
+ mountPropagation:
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
+ When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+ (which defaults to None).
+ type: string
+ name:
+ description: This must match the Name of a Volume.
+ type: string
+ readOnly:
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
+ type: boolean
+ recursiveReadOnly:
+ description: |-
+ RecursiveReadOnly specifies whether read-only mounts should be handled
+ recursively.
+
+ If ReadOnly is false, this field has no meaning and must be unspecified.
+
+ If ReadOnly is true, and this field is set to Disabled, the mount is not made
+ recursively read-only. If this field is set to IfPossible, the mount is made
+ recursively read-only, if it is supported by the container runtime. If this
+ field is set to Enabled, the mount is made recursively read-only if it is
+ supported by the container runtime, otherwise the pod will not be started and
+ an error will be generated to indicate the reason.
+
+ If this field is set to IfPossible or Enabled, MountPropagation must be set to
+ None (or be unspecified, which defaults to None).
+
+ If this field is not specified, it is treated as an equivalent of Disabled.
+ type: string
+ subPath:
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
+ Defaults to "" (volume's root).
+ type: string
+ subPathExpr:
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ type: object
+ initContainers:
+ description: |-
+ List of initialization containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ items:
+ description: A single application container that you
+ want to run within a pod.
+ properties:
+ args:
+ description: |-
+ Arguments to the entrypoint.
+ The container image's CMD is used if this is not provided.
+ Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+ cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+ produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+ of whether the variable exists or not. Cannot be updated.
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ description: |-
+ Entrypoint array. Not executed within a shell.
+ The container image's ENTRYPOINT is used if this is not provided.
+ Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
+ cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
+ produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
+ of whether the variable exists or not. Cannot be updated.
+ More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ description: |-
+ List of environment variables to set in the container.
+ Cannot be updated.
+ items:
+ description: EnvVar represents an environment
+ variable present in a Container.
+ properties:
+ name:
+ description: Name of the environment variable.
+ Must be a C_IDENTIFIER.
+ type: string
+ value:
+ description: |-
+ Variable references $(VAR_NAME) are expanded
+ using the previously defined environment variables in the container and
+ any service environment variables. If a variable cannot be resolved,
+ the reference in the input string will be unchanged. Double $$ are reduced
+ to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
+ "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
+ Escaped references will never be expanded, regardless of whether the variable
+ exists or not.
+ Defaults to "".
+ type: string
+ valueFrom:
+ description: Source for the environment variable's
+ value. Cannot be used if value is not empty.
+ properties:
+ configMapKeyRef:
+ description: Selects a key of a ConfigMap.
+ properties:
+ key:
+ description: The key to select.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the ConfigMap
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ description: |-
+ Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`,
+ spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
+ properties:
+ apiVersion:
+ description: Version of the schema
+ the FieldPath is written in terms
+ of, defaults to "v1".
+ type: string
+ fieldPath:
+ description: Path of the field to
+ select in the specified API version.
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
+ properties:
+ containerName:
+ description: 'Container name: required
+ for volumes, optional for env vars'
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Specifies the output
+ format of the exposed resources,
+ defaults to "1"
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ description: 'Required: resource to
+ select'
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ description: Selects a key of a secret
+ in the pod's namespace
+ properties:
+ key:
+ description: The key of the secret
+ to select from. Must be a valid
+ secret key.
+ type: string
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret
+ or its key must be defined
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ description: |-
+ List of sources to populate environment variables in the container.
+ The keys defined within a source must be a C_IDENTIFIER. All invalid keys
+ will be reported as an event when the container is starting. When a key exists in multiple
+ sources, the value associated with the last source will take precedence.
+ Values defined by an Env with a duplicate key will take precedence.
+ Cannot be updated.
+ items:
+ description: EnvFromSource represents the source
+ of a set of ConfigMaps
+ properties:
+ configMapRef:
+ description: The ConfigMap to select from
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the ConfigMap
+ must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ description: An optional identifier to prepend
+ to each key in the ConfigMap. Must be a
+ C_IDENTIFIER.
+ type: string
+ secretRef:
+ description: The Secret to select from
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ optional:
+ description: Specify whether the Secret
+ must be defined
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ description: |-
+ Container image name.
+ More info: https://kubernetes.io/docs/concepts/containers/images
+ This field is optional to allow higher level config management to default or override
+ container images in workload controllers like Deployments and StatefulSets.
+ type: string
+ imagePullPolicy:
+ description: |-
+ Image pull policy.
+ One of Always, Never, IfNotPresent.
+ Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
+ type: string
+ lifecycle:
+ description: |-
+ Actions that the management system should take in response to container lifecycle events.
+ Cannot be updated.
+ properties:
+ postStart:
+ description: |-
+ PostStart is called immediately after a container is created. If the handler fails,
+ the container is terminated and restarted according to its restart policy.
+ Other management of the container blocks until the hook completes.
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
+ properties:
+ exec:
+ description: Exec specifies the action to
+ take.
+ properties:
+ command:
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ description: HTTPGet specifies the http
+ request to perform.
+ properties:
+ host:
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
+ type: string
+ httpHeaders:
+ description: Custom headers to set in
+ the request. HTTP allows repeated
+ headers.
+ items:
+ description: HTTPHeader describes
+ a custom header to be used in HTTP
+ probes
+ properties:
+ name:
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
+ type: string
+ value:
+ description: The header field
+ value
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ description: Path to access on the HTTP
+ server.
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
+ x-kubernetes-int-or-string: true
+ scheme:
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
+ type: string
+ required:
- port
type: object
sleep:
@@ -883,12 +5029,10 @@ spec:
- seconds
type: object
tcpSocket:
- description: Deprecated. TCPSocket is NOT
- supported as a LifecycleHandler and kept
- for the backward compatibility. There
- are no validation of this field and lifecycle
- hooks will fail in runtime when tcp handler
- is specified.
+ description: |-
+ Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+ for the backward compatibility. There are no validation of this field and
+ lifecycle hooks will fail in runtime when tcp handler is specified.
properties:
host:
description: 'Optional: Host name to
@@ -898,60 +5042,51 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
type: object
preStop:
- description: 'PreStop is called immediately
- before a container is terminated due to an
- API request or management event such as liveness/startup
- probe failure, preemption, resource contention,
- etc. The handler is not called if the container
- crashes or exits. The Pod''s termination grace
- period countdown begins before the PreStop
- hook is executed. Regardless of the outcome
- of the handler, the container will eventually
- terminate within the Pod''s termination grace
- period (unless delayed by finalizers). Other
- management of the container blocks until the
- hook completes or until the termination grace
- period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks'
+ description: |-
+ PreStop is called immediately before a container is terminated due to an
+ API request or management event such as liveness/startup probe failure,
+ preemption, resource contention, etc. The handler is not called if the
+ container crashes or exits. The Pod's termination grace period countdown begins before the
+ PreStop hook is executed. Regardless of the outcome of the handler, the
+ container will eventually terminate within the Pod's termination grace
+ period (unless delayed by finalizers). Other management of the container blocks until the hook completes
+ or until the termination grace period is reached.
+ More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
properties:
exec:
description: Exec specifies the action to
take.
properties:
command:
- description: Command is the command
- line to execute inside the container,
- the working directory for the command is
- root ('/') in the container's filesystem.
- The command is simply exec'd, it is
- not run inside a shell, so traditional
- shell instructions ('|', etc) won't
- work. To use a shell, you need to
- explicitly call out to that shell.
- Exit status of 0 is treated as live/healthy
- and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
httpGet:
description: HTTPGet specifies the http
request to perform.
properties:
host:
- description: Host name to connect to,
- defaults to the pod IP. You probably
- want to set "Host" in httpHeaders
- instead.
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
+ "Host" in httpHeaders instead.
type: string
httpHeaders:
description: Custom headers to set in
@@ -963,11 +5098,9 @@ spec:
probes
properties:
name:
- description: The header field
- name. This will be canonicalized
- upon output, so case-variant
- names will be understood as
- the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field
@@ -978,6 +5111,7 @@ spec:
- value
type: object
type: array
+ x-kubernetes-list-type: atomic
path:
description: Path to access on the HTTP
server.
@@ -986,14 +5120,15 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
@@ -1012,12 +5147,10 @@ spec:
- seconds
type: object
tcpSocket:
- description: Deprecated. TCPSocket is NOT
- supported as a LifecycleHandler and kept
- for the backward compatibility. There
- are no validation of this field and lifecycle
- hooks will fail in runtime when tcp handler
- is specified.
+ description: |-
+ Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
+ for the backward compatibility. There are no validation of this field and
+ lifecycle hooks will fail in runtime when tcp handler is specified.
properties:
host:
description: 'Optional: Host name to
@@ -1027,10 +5160,10 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number
- must be in the range 1 to 65535. Name
- must be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
@@ -1038,33 +5171,31 @@ spec:
type: object
type: object
livenessProbe:
- description: 'Periodic probe of container liveness.
+ description: |-
+ Periodic probe of container liveness.
Container will be restarted if the probe fails.
- Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
properties:
exec:
description: Exec specifies the action to take.
properties:
command:
- description: Command is the command line
- to execute inside the container, the working
- directory for the command is root ('/')
- in the container's filesystem. The command
- is simply exec'd, it is not run inside
- a shell, so traditional shell instructions
- ('|', etc) won't work. To use a shell,
- you need to explicitly call out to that
- shell. Exit status of 0 is treated as
- live/healthy and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
failureThreshold:
- description: Minimum consecutive failures for
- the probe to be considered failed after having
- succeeded. Defaults to 3. Minimum value is
- 1.
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
format: int32
type: integer
grpc:
@@ -1077,11 +5208,12 @@ spec:
format: int32
type: integer
service:
- description: "Service is the name of the
- service to place in the gRPC HealthCheckRequest
+ default: ""
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
- \n If this is not specified, the default
- behavior is defined by gRPC."
+
+ If this is not specified, the default behavior is defined by gRPC.
type: string
required:
- port
@@ -1091,8 +5223,8 @@ spec:
to perform.
properties:
host:
- description: Host name to connect to, defaults
- to the pod IP. You probably want to set
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
"Host" in httpHeaders instead.
type: string
httpHeaders:
@@ -1103,10 +5235,9 @@ spec:
header to be used in HTTP probes
properties:
name:
- description: The header field name.
- This will be canonicalized upon
- output, so case-variant names will
- be understood as the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field value
@@ -1116,6 +5247,7 @@ spec:
- value
type: object
type: array
+ x-kubernetes-list-type: atomic
path:
description: Path to access on the HTTP
server.
@@ -1124,35 +5256,35 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
type: object
initialDelaySeconds:
- description: 'Number of seconds after the container
- has started before liveness probes are initiated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
periodSeconds:
- description: How often (in seconds) to perform
- the probe. Default to 10 seconds. Minimum
- value is 1.
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
- description: Minimum consecutive successes for
- the probe to be considered successful after
- having failed. Defaults to 1. Must be 1 for
- liveness and startup. Minimum value is 1.
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
format: int32
type: integer
tcpSocket:
@@ -1167,63 +5299,59 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
terminationGracePeriodSeconds:
- description: Optional duration in seconds the
- pod needs to terminate gracefully upon probe
- failure. The grace period is the duration
- in seconds after the processes running in
- the pod are sent a termination signal and
- the time when the processes are forcibly halted
- with a kill signal. Set this value longer
- than the expected cleanup time for your process.
- If this value is nil, the pod's terminationGracePeriodSeconds
- will be used. Otherwise, this value overrides
- the value provided by the pod spec. Value
- must be non-negative integer. The value zero
- indicates stop immediately via the kill signal
- (no opportunity to shut down). This is a beta
- field and requires enabling ProbeTerminationGracePeriod
- feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
- is used if unset.
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
format: int64
type: integer
timeoutSeconds:
- description: 'Number of seconds after which
- the probe times out. Defaults to 1 second.
- Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
type: object
name:
- description: Name of the container specified as
- a DNS_LABEL. Each container in a pod must have
- a unique name (DNS_LABEL). Cannot be updated.
+ description: |-
+ Name of the container specified as a DNS_LABEL.
+ Each container in a pod must have a unique name (DNS_LABEL).
+ Cannot be updated.
type: string
ports:
- description: List of ports to expose from the container.
- Not specifying a port here DOES NOT prevent that
- port from being exposed. Any port which is listening
- on the default "0.0.0.0" address inside a container
- will be accessible from the network. Modifying
- this array with strategic merge patch may corrupt
- the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255.
+ description: |-
+ List of ports to expose from the container. Not specifying a port here
+ DOES NOT prevent that port from being exposed. Any port which is
+ listening on the default "0.0.0.0" address inside a container will be
+ accessible from the network.
+ Modifying this array with strategic merge patch may corrupt the data.
+ For more information See https://github.com/kubernetes/kubernetes/issues/108255.
Cannot be updated.
items:
description: ContainerPort represents a network
port in a single container.
properties:
containerPort:
- description: Number of port to expose on the
- pod's IP address. This must be a valid port
- number, 0 < x < 65536.
+ description: |-
+ Number of port to expose on the pod's IP address.
+ This must be a valid port number, 0 < x < 65536.
format: int32
type: integer
hostIP:
@@ -1231,24 +5359,24 @@ spec:
port to.
type: string
hostPort:
- description: Number of port to expose on the
- host. If specified, this must be a valid
- port number, 0 < x < 65536. If HostNetwork
- is specified, this must match ContainerPort.
+ description: |-
+ Number of port to expose on the host.
+ If specified, this must be a valid port number, 0 < x < 65536.
+ If HostNetwork is specified, this must match ContainerPort.
Most containers do not need this.
format: int32
type: integer
name:
- description: If specified, this must be an
- IANA_SVC_NAME and unique within the pod.
- Each named port in a pod must have a unique
- name. Name for the port that can be referred
- to by services.
+ description: |-
+ If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
+ named port in a pod must have a unique name. Name for the port that can be
+ referred to by services.
type: string
protocol:
default: TCP
- description: Protocol for port. Must be UDP,
- TCP, or SCTP. Defaults to "TCP".
+ description: |-
+ Protocol for port. Must be UDP, TCP, or SCTP.
+ Defaults to "TCP".
type: string
required:
- containerPort
@@ -1259,34 +5387,31 @@ spec:
- protocol
x-kubernetes-list-type: map
readinessProbe:
- description: 'Periodic probe of container service
- readiness. Container will be removed from service
- endpoints if the probe fails. Cannot be updated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Periodic probe of container service readiness.
+ Container will be removed from service endpoints if the probe fails.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
properties:
exec:
description: Exec specifies the action to take.
properties:
command:
- description: Command is the command line
- to execute inside the container, the working
- directory for the command is root ('/')
- in the container's filesystem. The command
- is simply exec'd, it is not run inside
- a shell, so traditional shell instructions
- ('|', etc) won't work. To use a shell,
- you need to explicitly call out to that
- shell. Exit status of 0 is treated as
- live/healthy and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
failureThreshold:
- description: Minimum consecutive failures for
- the probe to be considered failed after having
- succeeded. Defaults to 3. Minimum value is
- 1.
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
format: int32
type: integer
grpc:
@@ -1299,11 +5424,12 @@ spec:
format: int32
type: integer
service:
- description: "Service is the name of the
- service to place in the gRPC HealthCheckRequest
+ default: ""
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
- \n If this is not specified, the default
- behavior is defined by gRPC."
+
+ If this is not specified, the default behavior is defined by gRPC.
type: string
required:
- port
@@ -1313,8 +5439,8 @@ spec:
to perform.
properties:
host:
- description: Host name to connect to, defaults
- to the pod IP. You probably want to set
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
"Host" in httpHeaders instead.
type: string
httpHeaders:
@@ -1325,10 +5451,9 @@ spec:
header to be used in HTTP probes
properties:
name:
- description: The header field name.
- This will be canonicalized upon
- output, so case-variant names will
- be understood as the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field value
@@ -1338,6 +5463,7 @@ spec:
- value
type: object
type: array
+ x-kubernetes-list-type: atomic
path:
description: Path to access on the HTTP
server.
@@ -1346,35 +5472,35 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
type: object
initialDelaySeconds:
- description: 'Number of seconds after the container
- has started before liveness probes are initiated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
periodSeconds:
- description: How often (in seconds) to perform
- the probe. Default to 10 seconds. Minimum
- value is 1.
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
- description: Minimum consecutive successes for
- the probe to be considered successful after
- having failed. Defaults to 1. Must be 1 for
- liveness and startup. Minimum value is 1.
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
format: int32
type: integer
tcpSocket:
@@ -1389,38 +5515,33 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
terminationGracePeriodSeconds:
- description: Optional duration in seconds the
- pod needs to terminate gracefully upon probe
- failure. The grace period is the duration
- in seconds after the processes running in
- the pod are sent a termination signal and
- the time when the processes are forcibly halted
- with a kill signal. Set this value longer
- than the expected cleanup time for your process.
- If this value is nil, the pod's terminationGracePeriodSeconds
- will be used. Otherwise, this value overrides
- the value provided by the pod spec. Value
- must be non-negative integer. The value zero
- indicates stop immediately via the kill signal
- (no opportunity to shut down). This is a beta
- field and requires enabling ProbeTerminationGracePeriod
- feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
- is used if unset.
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
format: int64
type: integer
timeoutSeconds:
- description: 'Number of seconds after which
- the probe times out. Defaults to 1 second.
- Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
type: object
@@ -1431,14 +5552,14 @@ spec:
resource resize policy for the container.
properties:
resourceName:
- description: 'Name of the resource to which
- this resource resize policy applies. Supported
- values: cpu, memory.'
+ description: |-
+ Name of the resource to which this resource resize policy applies.
+ Supported values: cpu, memory.
type: string
restartPolicy:
- description: Restart policy to apply when
- specified resource is resized. If not specified,
- it defaults to NotRequired.
+ description: |-
+ Restart policy to apply when specified resource is resized.
+ If not specified, it defaults to NotRequired.
type: string
required:
- resourceName
@@ -1447,26 +5568,35 @@ spec:
type: array
x-kubernetes-list-type: atomic
resources:
- description: 'Compute Resources required by this
- container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Compute Resources required by this container.
+ Cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
properties:
claims:
- description: "Claims lists the names of resources,
- defined in spec.resourceClaims, that are used
- by this container. \n This is an alpha field
- and requires enabling the DynamicResourceAllocation
- feature gate. \n This field is immutable.
- It can only be set for containers."
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+ This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one
entry in PodSpec.ResourceClaims.
properties:
name:
- description: Name must match the name
- of one entry in pod.spec.resourceClaims
- of the Pod where this field is used.
- It makes that resource available inside
- a container.
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
+ type: string
+ request:
+ description: |-
+ Request is the name chosen for a request in the referenced claim.
+ If empty, everything from the claim is made available, otherwise
+ only the result of this request.
type: string
required:
- name
@@ -1482,8 +5612,9 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount
- of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
@@ -1492,61 +5623,76 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum
- amount of compute resources required. If Requests
- is omitted for a container, it defaults to
- Limits if that is explicitly specified, otherwise
- to an implementation-defined value. Requests
- cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
restartPolicy:
- description: 'RestartPolicy defines the restart
- behavior of individual containers in a pod. This
- field may only be set for init containers, and
- the only allowed value is "Always". For non-init
- containers or when this field is not specified,
- the restart behavior is defined by the Pod''s
- restart policy and the container type. Setting
- the RestartPolicy as "Always" for the init container
- will have the following effect: this init container
- will be continually restarted on exit until all
- regular containers have terminated. Once all regular
- containers have completed, all init containers
- with restartPolicy "Always" will be shut down.
- This lifecycle differs from normal init containers
- and is often referred to as a "sidecar" container.
- Although this init container still starts in the
- init container sequence, it does not wait for
- the container to complete before proceeding to
- the next init container. Instead, the next init
- container starts immediately after this init container
- is started, or after any startupProbe has successfully
- completed.'
+ description: |-
+ RestartPolicy defines the restart behavior of individual containers in a pod.
+ This field may only be set for init containers, and the only allowed value is "Always".
+ For non-init containers or when this field is not specified,
+ the restart behavior is defined by the Pod's restart policy and the container type.
+ Setting the RestartPolicy as "Always" for the init container will have the following effect:
+ this init container will be continually restarted on
+ exit until all regular containers have terminated. Once all regular
+ containers have completed, all init containers with restartPolicy "Always"
+ will be shut down. This lifecycle differs from normal init containers and
+ is often referred to as a "sidecar" container. Although this init
+ container still starts in the init container sequence, it does not wait
+ for the container to complete before proceeding to the next init
+ container. Instead, the next init container starts immediately after this
+ init container is started, or after any startupProbe has successfully
+ completed.
type: string
securityContext:
- description: 'SecurityContext defines the security
- options the container should be run with. If set,
- the fields of SecurityContext override the equivalent
- fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'
+ description: |-
+ SecurityContext defines the security options the container should be run with.
+ If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
properties:
allowPrivilegeEscalation:
- description: 'AllowPrivilegeEscalation controls
- whether a process can gain more privileges
- than its parent process. This bool directly
- controls if the no_new_privs flag will be
- set on the container process. AllowPrivilegeEscalation
- is true always when the container is: 1) run
- as Privileged 2) has CAP_SYS_ADMIN Note that
- this field cannot be set when spec.os.name
- is windows.'
+ description: |-
+ AllowPrivilegeEscalation controls whether a process can gain more
+ privileges than its parent process. This bool directly controls if
+ the no_new_privs flag will be set on the container process.
+ AllowPrivilegeEscalation is true always when the container is:
+ 1) run as Privileged
+ 2) has CAP_SYS_ADMIN
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
+ overrides the pod's appArmorProfile.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
capabilities:
- description: The capabilities to add/drop when
- running containers. Defaults to the default
- set of capabilities granted by the container
- runtime. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The capabilities to add/drop when running containers.
+ Defaults to the default set of capabilities granted by the container runtime.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
add:
description: Added capabilities
@@ -1555,6 +5701,7 @@ spec:
capabilities type
type: string
type: array
+ x-kubernetes-list-type: atomic
drop:
description: Removed capabilities
items:
@@ -1562,71 +5709,63 @@ spec:
capabilities type
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
privileged:
- description: Run container in privileged mode.
- Processes in privileged containers are essentially
- equivalent to root on the host. Defaults to
- false. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ Run container in privileged mode.
+ Processes in privileged containers are essentially equivalent to root on the host.
+ Defaults to false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
procMount:
- description: procMount denotes the type of proc
- mount to use for the containers. The default
- is DefaultProcMount which uses the container
- runtime defaults for readonly paths and masked
- paths. This requires the ProcMountType feature
- flag to be enabled. Note that this field cannot
- be set when spec.os.name is windows.
+ description: |-
+ procMount denotes the type of proc mount to use for the containers.
+ The default value is Default which uses the container runtime defaults for
+ readonly paths and masked paths.
+ This requires the ProcMountType feature flag to be enabled.
+ Note that this field cannot be set when spec.os.name is windows.
type: string
readOnlyRootFilesystem:
- description: Whether this container has a read-only
- root filesystem. Default is false. Note that
- this field cannot be set when spec.os.name
- is windows.
+ description: |-
+ Whether this container has a read-only root filesystem.
+ Default is false.
+ Note that this field cannot be set when spec.os.name is windows.
type: boolean
runAsGroup:
- description: The GID to run the entrypoint of
- the container process. Uses runtime default
- if unset. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be
- set when spec.os.name is windows.
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
- description: Indicates that the container must
- run as a non-root user. If true, the Kubelet
- will validate the image at runtime to ensure
- that it does not run as UID 0 (root) and fail
- to start the container if it does. If unset
- or false, no such validation will be performed.
- May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence.
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
- description: The UID to run the entrypoint of
- the container process. Defaults to user specified
- in image metadata if unspecified. May also
- be set in PodSecurityContext. If set in both
- SecurityContext and PodSecurityContext, the
- value specified in SecurityContext takes precedence.
- Note that this field cannot be set when spec.os.name
- is windows.
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
- description: The SELinux context to be applied
- to the container. If unspecified, the container
- runtime will allocate a random SELinux context
- for each container. May also be set in PodSecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be
- set when spec.os.name is windows.
+ description: |-
+ The SELinux context to be applied to the container.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label
@@ -1646,112 +5785,93 @@ spec:
type: string
type: object
seccompProfile:
- description: The seccomp options to use by this
- container. If seccomp options are provided
- at both the pod & container level, the container
- options override the pod options. Note that
- this field cannot be set when spec.os.name
- is windows.
+ description: |-
+ The seccomp options to use by this container. If seccomp options are
+ provided at both the pod & container level, the container options
+ override the pod options.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
- description: localhostProfile indicates
- a profile defined in a file on the node
- should be used. The profile must be preconfigured
- on the node to work. Must be a descending
- path, relative to the kubelet's configured
- seccomp profile location. Must be set
- if type is "Localhost". Must NOT be set
- for any other type.
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
- description: "type indicates which kind
- of seccomp profile will be applied. Valid
- options are: \n Localhost - a profile
- defined in a file on the node should be
- used. RuntimeDefault - the container runtime
- default profile should be used. Unconfined
- - no profile should be applied."
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
type: string
required:
- type
type: object
windowsOptions:
- description: The Windows specific settings applied
- to all containers. If unspecified, the options
- from the PodSecurityContext will be used.
- If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be
- set when spec.os.name is linux.
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options from the PodSecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
- description: GMSACredentialSpec is where
- the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
- inlines the contents of the GMSA credential
- spec named by the GMSACredentialSpecName
- field.
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the
name of the GMSA credential spec to use.
type: string
hostProcess:
- description: HostProcess determines if a
- container should be run as a 'Host Process'
- container. All of a Pod's containers must
- have the same effective HostProcess value
- (it is not allowed to have a mix of HostProcess
- containers and non-HostProcess containers).
- In addition, if HostProcess is true then
- HostNetwork must also be set to true.
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
- description: The UserName in Windows to
- run the entrypoint of the container process.
- Defaults to the user specified in image
- metadata if unspecified. May also be set
- in PodSecurityContext. If set in both
- SecurityContext and PodSecurityContext,
- the value specified in SecurityContext
- takes precedence.
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
startupProbe:
- description: 'StartupProbe indicates that the Pod
- has successfully initialized. If specified, no
- other probes are executed until this completes
- successfully. If this probe fails, the Pod will
- be restarted, just as if the livenessProbe failed.
- This can be used to provide different probe parameters
- at the beginning of a Pod''s lifecycle, when it
- might take a long time to load data or warm a
- cache, than during steady-state operation. This
- cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ StartupProbe indicates that the Pod has successfully initialized.
+ If specified, no other probes are executed until this completes successfully.
+ If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
+ This can be used to provide different probe parameters at the beginning of a Pod's lifecycle,
+ when it might take a long time to load data or warm a cache, than during steady-state operation.
+ This cannot be updated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
properties:
exec:
description: Exec specifies the action to take.
properties:
command:
- description: Command is the command line
- to execute inside the container, the working
- directory for the command is root ('/')
- in the container's filesystem. The command
- is simply exec'd, it is not run inside
- a shell, so traditional shell instructions
- ('|', etc) won't work. To use a shell,
- you need to explicitly call out to that
- shell. Exit status of 0 is treated as
- live/healthy and non-zero is unhealthy.
+ description: |-
+ Command is the command line to execute inside the container, the working directory for the
+ command is root ('/') in the container's filesystem. The command is simply exec'd, it is
+ not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
+ a shell, you need to explicitly call out to that shell.
+ Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
failureThreshold:
- description: Minimum consecutive failures for
- the probe to be considered failed after having
- succeeded. Defaults to 3. Minimum value is
- 1.
+ description: |-
+ Minimum consecutive failures for the probe to be considered failed after having succeeded.
+ Defaults to 3. Minimum value is 1.
format: int32
type: integer
grpc:
@@ -1764,11 +5884,12 @@ spec:
format: int32
type: integer
service:
- description: "Service is the name of the
- service to place in the gRPC HealthCheckRequest
+ default: ""
+ description: |-
+ Service is the name of the service to place in the gRPC HealthCheckRequest
(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
- \n If this is not specified, the default
- behavior is defined by gRPC."
+
+ If this is not specified, the default behavior is defined by gRPC.
type: string
required:
- port
@@ -1778,8 +5899,8 @@ spec:
to perform.
properties:
host:
- description: Host name to connect to, defaults
- to the pod IP. You probably want to set
+ description: |-
+ Host name to connect to, defaults to the pod IP. You probably want to set
"Host" in httpHeaders instead.
type: string
httpHeaders:
@@ -1790,10 +5911,9 @@ spec:
header to be used in HTTP probes
properties:
name:
- description: The header field name.
- This will be canonicalized upon
- output, so case-variant names will
- be understood as the same header.
+ description: |-
+ The header field name.
+ This will be canonicalized upon output, so case-variant names will be understood as the same header.
type: string
value:
description: The header field value
@@ -1803,6 +5923,7 @@ spec:
- value
type: object
type: array
+ x-kubernetes-list-type: atomic
path:
description: Path to access on the HTTP
server.
@@ -1811,35 +5932,35 @@ spec:
anyOf:
- type: integer
- type: string
- description: Name or number of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Name or number of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
scheme:
- description: Scheme to use for connecting
- to the host. Defaults to HTTP.
+ description: |-
+ Scheme to use for connecting to the host.
+ Defaults to HTTP.
type: string
required:
- port
type: object
initialDelaySeconds:
- description: 'Number of seconds after the container
- has started before liveness probes are initiated.
- More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after the container has started before liveness probes are initiated.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
periodSeconds:
- description: How often (in seconds) to perform
- the probe. Default to 10 seconds. Minimum
- value is 1.
+ description: |-
+ How often (in seconds) to perform the probe.
+ Default to 10 seconds. Minimum value is 1.
format: int32
type: integer
successThreshold:
- description: Minimum consecutive successes for
- the probe to be considered successful after
- having failed. Defaults to 1. Must be 1 for
- liveness and startup. Minimum value is 1.
+ description: |-
+ Minimum consecutive successes for the probe to be considered successful after having failed.
+ Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
format: int32
type: integer
tcpSocket:
@@ -1854,87 +5975,76 @@ spec:
anyOf:
- type: integer
- type: string
- description: Number or name of the port
- to access on the container. Number must
- be in the range 1 to 65535. Name must
- be an IANA_SVC_NAME.
+ description: |-
+ Number or name of the port to access on the container.
+ Number must be in the range 1 to 65535.
+ Name must be an IANA_SVC_NAME.
x-kubernetes-int-or-string: true
required:
- port
type: object
terminationGracePeriodSeconds:
- description: Optional duration in seconds the
- pod needs to terminate gracefully upon probe
- failure. The grace period is the duration
- in seconds after the processes running in
- the pod are sent a termination signal and
- the time when the processes are forcibly halted
- with a kill signal. Set this value longer
- than the expected cleanup time for your process.
- If this value is nil, the pod's terminationGracePeriodSeconds
- will be used. Otherwise, this value overrides
- the value provided by the pod spec. Value
- must be non-negative integer. The value zero
- indicates stop immediately via the kill signal
- (no opportunity to shut down). This is a beta
- field and requires enabling ProbeTerminationGracePeriod
- feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
- is used if unset.
+ description: |-
+ Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
+ The grace period is the duration in seconds after the processes running in the pod are sent
+ a termination signal and the time when the processes are forcibly halted with a kill signal.
+ Set this value longer than the expected cleanup time for your process.
+ If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
+ value overrides the value provided by the pod spec.
+ Value must be non-negative integer. The value zero indicates stop immediately via
+ the kill signal (no opportunity to shut down).
+ This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
+ Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
format: int64
type: integer
timeoutSeconds:
- description: 'Number of seconds after which
- the probe times out. Defaults to 1 second.
- Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+ description: |-
+ Number of seconds after which the probe times out.
+ Defaults to 1 second. Minimum value is 1.
+ More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
format: int32
type: integer
type: object
stdin:
- description: Whether this container should allocate
- a buffer for stdin in the container runtime. If
- this is not set, reads from stdin in the container
- will always result in EOF. Default is false.
+ description: |-
+ Whether this container should allocate a buffer for stdin in the container runtime. If this
+ is not set, reads from stdin in the container will always result in EOF.
+ Default is false.
type: boolean
stdinOnce:
- description: Whether the container runtime should
- close the stdin channel after it has been opened
- by a single attach. When stdin is true the stdin
- stream will remain open across multiple attach
- sessions. If stdinOnce is set to true, stdin is
- opened on container start, is empty until the
- first client attaches to stdin, and then remains
- open and accepts data until the client disconnects,
- at which time stdin is closed and remains closed
- until the container is restarted. If this flag
- is false, a container processes that reads from
- stdin will never receive an EOF. Default is false
+ description: |-
+ Whether the container runtime should close the stdin channel after it has been opened by
+ a single attach. When stdin is true the stdin stream will remain open across multiple attach
+ sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the
+ first client attaches to stdin, and then remains open and accepts data until the client disconnects,
+ at which time stdin is closed and remains closed until the container is restarted. If this
+ flag is false, a container processes that reads from stdin will never receive an EOF.
+ Default is false
type: boolean
terminationMessagePath:
- description: 'Optional: Path at which the file to
- which the container''s termination message will
- be written is mounted into the container''s filesystem.
- Message written is intended to be brief final
- status, such as an assertion failure message.
- Will be truncated by the node if greater than
- 4096 bytes. The total message length across all
- containers will be limited to 12kb. Defaults to
- /dev/termination-log. Cannot be updated.'
+ description: |-
+ Optional: Path at which the file to which the container's termination message
+ will be written is mounted into the container's filesystem.
+ Message written is intended to be brief final status, such as an assertion failure message.
+ Will be truncated by the node if greater than 4096 bytes. The total message length across
+ all containers will be limited to 12kb.
+ Defaults to /dev/termination-log.
+ Cannot be updated.
type: string
terminationMessagePolicy:
- description: Indicate how the termination message
- should be populated. File will use the contents
- of terminationMessagePath to populate the container
- status message on both success and failure. FallbackToLogsOnError
- will use the last chunk of container log output
- if the termination message file is empty and the
- container exited with an error. The log output
- is limited to 2048 bytes or 80 lines, whichever
- is smaller. Defaults to File. Cannot be updated.
+ description: |-
+ Indicate how the termination message should be populated. File will use the contents of
+ terminationMessagePath to populate the container status message on both success and failure.
+ FallbackToLogsOnError will use the last chunk of container log output if the termination
+ message file is empty and the container exited with an error.
+ The log output is limited to 2048 bytes or 80 lines, whichever is smaller.
+ Defaults to File.
+ Cannot be updated.
type: string
tty:
- description: Whether this container should allocate
- a TTY for itself, also requires 'stdin' to be
- true. Default is false.
+ description: |-
+ Whether this container should allocate a TTY for itself, also requires 'stdin' to be true.
+ Default is false.
type: boolean
volumeDevices:
description: volumeDevices is the list of block
@@ -1957,71 +6067,104 @@ spec:
- name
type: object
type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
volumeMounts:
- description: Pod volumes to mount into the container's
- filesystem. Cannot be updated.
+ description: |-
+ Pod volumes to mount into the container's filesystem.
+ Cannot be updated.
items:
description: VolumeMount describes a mounting
of a Volume within a container.
properties:
mountPath:
- description: Path within the container at
- which the volume should be mounted. Must
+ description: |-
+ Path within the container at which the volume should be mounted. Must
not contain ':'.
type: string
mountPropagation:
- description: mountPropagation determines how
- mounts are propagated from the host to container
- and the other way around. When not set,
- MountPropagationNone is used. This field
- is beta in 1.10.
+ description: |-
+ mountPropagation determines how mounts are propagated from the host
+ to container and the other way around.
+ When not set, MountPropagationNone is used.
+ This field is beta in 1.10.
+ When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified
+ (which defaults to None).
type: string
name:
description: This must match the Name of a
Volume.
type: string
readOnly:
- description: Mounted read-only if true, read-write
- otherwise (false or unspecified). Defaults
- to false.
+ description: |-
+ Mounted read-only if true, read-write otherwise (false or unspecified).
+ Defaults to false.
type: boolean
+ recursiveReadOnly:
+ description: |-
+ RecursiveReadOnly specifies whether read-only mounts should be handled
+ recursively.
+
+ If ReadOnly is false, this field has no meaning and must be unspecified.
+
+ If ReadOnly is true, and this field is set to Disabled, the mount is not made
+ recursively read-only. If this field is set to IfPossible, the mount is made
+ recursively read-only, if it is supported by the container runtime. If this
+ field is set to Enabled, the mount is made recursively read-only if it is
+ supported by the container runtime, otherwise the pod will not be started and
+ an error will be generated to indicate the reason.
+
+ If this field is set to IfPossible or Enabled, MountPropagation must be set to
+ None (or be unspecified, which defaults to None).
+
+ If this field is not specified, it is treated as an equivalent of Disabled.
+ type: string
subPath:
- description: Path within the volume from which
- the container's volume should be mounted.
+ description: |-
+ Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
type: string
subPathExpr:
- description: Expanded path within the volume
- from which the container's volume should
- be mounted. Behaves similarly to SubPath
- but environment variable references $(VAR_NAME)
- are expanded using the container's environment.
- Defaults to "" (volume's root). SubPathExpr
- and SubPath are mutually exclusive.
+ description: |-
+ Expanded path within the volume from which the container's volume should be mounted.
+ Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+ Defaults to "" (volume's root).
+ SubPathExpr and SubPath are mutually exclusive.
type: string
required:
- mountPath
- name
type: object
type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
workingDir:
- description: Container's working directory. If not
- specified, the container runtime's default will
- be used, which might be configured in the container
- image. Cannot be updated.
+ description: |-
+ Container's working directory.
+ If not specified, the container runtime's default will be used, which
+ might be configured in the container image.
+ Cannot be updated.
type: string
required:
- name
type: object
type: array
+ name:
+ description: |-
+ Name of the deployment.
+ When unset, this defaults to an autogenerated name.
+ type: string
patch:
description: Patch defines how to perform the patch operation
to deployment
properties:
type:
- description: "Type is the type of merge operation
- to perform \n By default, StrategicMerge is used
- as the patch type."
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
type: string
value:
description: Object contains the raw configuration
@@ -2042,27 +6185,20 @@ spec:
rules for the pod.
properties:
preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- affinity expressions specified by this field,
- but it may choose a node that violates one
- or more of the expressions. The node that
- is most preferred is the one with the greatest
- sum of weights, i.e. for each node that
- meets all of the scheduling requirements
- (resource request, requiredDuringScheduling
- affinity expressions, etc.), compute a sum
- by iterating through the elements of this
- field and adding "weight" to the sum if
- the node matches the corresponding matchExpressions;
- the node(s) with the highest sum are the
- most preferred.
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node matches the corresponding matchExpressions; the
+ node(s) with the highest sum are the most preferred.
items:
- description: An empty preferred scheduling
- term matches all objects with implicit
- weight 0 (i.e. it's a no-op). A null preferred
- scheduling term matches no objects (i.e.
- is also a no-op).
+ description: |-
+ An empty preferred scheduling term matches all objects with implicit weight 0
+ (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
properties:
preference:
description: A node selector term, associated
@@ -2072,9 +6208,8 @@ spec:
description: A list of node selector
requirements by node's labels.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2083,42 +6218,33 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector
requirements by node's fields.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2127,35 +6253,27 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
weight:
@@ -2169,32 +6287,30 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not met at scheduling
- time, the pod will not be scheduled onto
- the node. If the affinity requirements specified
- by this field cease to be met at some point
- during pod execution (e.g. due to an update),
- the system may or may not try to eventually
- evict the pod from its node.
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to an update), the system
+ may or may not try to eventually evict the pod from its node.
properties:
nodeSelectorTerms:
description: Required. A list of node
selector terms. The terms are ORed.
items:
- description: A null or empty node selector
- term matches no objects. The requirements
- of them are ANDed. The TopologySelectorTerm
- type implements a subset of the NodeSelectorTerm.
+ description: |-
+ A null or empty node selector term matches no objects. The requirements of
+ them are ANDed.
+ The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
properties:
matchExpressions:
description: A list of node selector
requirements by node's labels.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2203,42 +6319,33 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchFields:
description: A list of node selector
requirements by node's fields.
items:
- description: A node selector requirement
- is a selector that contains
- values, a key, and an operator
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
that relates the key and values.
properties:
key:
@@ -2247,38 +6354,31 @@ spec:
to.
type: string
operator:
- description: Represents a
- key's relationship to a
- set of values. Valid operators
- are In, NotIn, Exists, DoesNotExist.
- Gt, and Lt.
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
- description: An array of string
- values. If the operator
- is In or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the values
- array must be empty. If
- the operator is Gt or Lt,
- the values array must have
- a single element, which
- will be interpreted as an
- integer. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
type: array
+ x-kubernetes-list-type: atomic
required:
- nodeSelectorTerms
type: object
@@ -2290,21 +6390,16 @@ spec:
zone, etc. as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- affinity expressions specified by this field,
- but it may choose a node that violates one
- or more of the expressions. The node that
- is most preferred is the one with the greatest
- sum of weights, i.e. for each node that
- meets all of the scheduling requirements
- (resource request, requiredDuringScheduling
- affinity expressions, etc.), compute a sum
- by iterating through the elements of this
- field and adding "weight" to the sum if
- the node has pods which matches the corresponding
- podAffinityTerm; the node(s) with the highest
- sum are the most preferred.
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched
WeightedPodAffinityTerm fields are added
@@ -2316,10 +6411,9 @@ spec:
weight.
properties:
labelSelector:
- description: A label query over
- a set of resources, in this case
- pods. If it's null, this PodAffinityTerm
- matches with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions
@@ -2327,10 +6421,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2339,112 +6431,73 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a
- set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key in (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MatchLabelKeys
- and LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is
- a set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key notin (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over
- the set of namespaces that the
- term applies to. The term is applied
- to the union of the namespaces
- selected by this field and the
- ones listed in the namespaces
- field. null selector and null
- or empty namespaces list means
- "this pod's namespace". An empty
- selector ({}) matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions
@@ -2452,10 +6505,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2464,81 +6515,60 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies
- a static list of namespace names
- that the term applies to. The
- term is applied to the union of
- the namespaces listed in this
- field and the ones selected by
- namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
- description: This pod should be
- co-located (affinity) or not co-located
- (anti-affinity) with the pods
- matching the labelSelector in
- the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
- description: weight associated with
- matching the corresponding podAffinityTerm,
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
@@ -2547,46 +6577,38 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
- description: If the affinity requirements
- specified by this field are not met at scheduling
- time, the pod will not be scheduled onto
- the node. If the affinity requirements specified
- by this field cease to be met at some point
- during pod execution (e.g. due to a pod
- label update), the system may or may not
- try to eventually evict the pod from its
- node. When there are multiple elements,
- the lists of nodes corresponding to each
- podAffinityTerm are intersected, i.e. all
- terms must be satisfied.
+ description: |-
+ If the affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this pod
- should be co-located (affinity) or not
- co-located (anti-affinity) with, where
- co-located is defined as running on a
- node whose value of the label with key
- matches that of any node
- on which a pod of the set of pods is running
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
properties:
labelSelector:
- description: A label query over a set
- of resources, in this case pods. If
- it's null, this PodAffinityTerm matches
- with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -2594,115 +6616,82 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a set
- of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key in (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MatchLabelKeys and
- LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is a
- set of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key notin (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over the
- set of namespaces that the term applies
- to. The term is applied to the union
- of the namespaces selected by this
- field and the ones listed in the namespaces
- field. null selector and null or empty
- namespaces list means "this pod's
- namespace". An empty selector ({})
- matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -2710,74 +6699,59 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies a
- static list of namespace names that
- the term applies to. The term is applied
- to the union of the namespaces listed
- in this field and the ones selected
- by namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
- description: This pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with the pods matching the labelSelector
- in the specified namespaces, where
- co-located is defined as running on
- a node whose value of the label with
- key topologyKey matches that of any
- node on which any of the selected
- pods is running. Empty topologyKey
- is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
podAntiAffinity:
description: Describes pod anti-affinity scheduling
@@ -2785,21 +6759,16 @@ spec:
node, zone, etc. as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
- description: The scheduler will prefer to
- schedule pods to nodes that satisfy the
- anti-affinity expressions specified by this
- field, but it may choose a node that violates
- one or more of the expressions. The node
- that is most preferred is the one with the
- greatest sum of weights, i.e. for each node
- that meets all of the scheduling requirements
- (resource request, requiredDuringScheduling
- anti-affinity expressions, etc.), compute
- a sum by iterating through the elements
- of this field and adding "weight" to the
- sum if the node has pods which matches the
- corresponding podAffinityTerm; the node(s)
- with the highest sum are the most preferred.
+ description: |-
+ The scheduler will prefer to schedule pods to nodes that satisfy
+ the anti-affinity expressions specified by this field, but it may choose
+ a node that violates one or more of the expressions. The node that is
+ most preferred is the one with the greatest sum of weights, i.e.
+ for each node that meets all of the scheduling requirements (resource
+ request, requiredDuringScheduling anti-affinity expressions, etc.),
+ compute a sum by iterating through the elements of this field and adding
+ "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+ node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched
WeightedPodAffinityTerm fields are added
@@ -2811,10 +6780,9 @@ spec:
weight.
properties:
labelSelector:
- description: A label query over
- a set of resources, in this case
- pods. If it's null, this PodAffinityTerm
- matches with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions
@@ -2822,10 +6790,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2834,112 +6800,73 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a
- set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key in (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MatchLabelKeys
- and LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is
- a set of pod label keys to select
- which pods will be taken into
- consideration. The keys are used
- to lookup values from the incoming
- pod labels, those key-value labels
- are merged with `LabelSelector`
- as `key notin (value)` to select
- the group of existing pods which
- pods will be taken into consideration
- for the incoming pod's pod (anti)
- affinity. Keys that don't exist
- in the incoming pod labels will
- be ignored. The default value
- is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector
- isn't set. This is an alpha field
- and requires enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over
- the set of namespaces that the
- term applies to. The term is applied
- to the union of the namespaces
- selected by this field and the
- ones listed in the namespaces
- field. null selector and null
- or empty namespaces list means
- "this pod's namespace". An empty
- selector ({}) matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions
@@ -2947,10 +6874,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -2959,81 +6884,60 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies
- a static list of namespace names
- that the term applies to. The
- term is applied to the union of
- the namespaces listed in this
- field and the ones selected by
- namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
- description: This pod should be
- co-located (affinity) or not co-located
- (anti-affinity) with the pods
- matching the labelSelector in
- the specified namespaces, where
- co-located is defined as running
- on a node whose value of the label
- with key topologyKey matches that
- of any node on which any of the
- selected pods is running. Empty
- topologyKey is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
- description: weight associated with
- matching the corresponding podAffinityTerm,
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
in the range 1-100.
format: int32
type: integer
@@ -3042,46 +6946,38 @@ spec:
- weight
type: object
type: array
+ x-kubernetes-list-type: atomic
requiredDuringSchedulingIgnoredDuringExecution:
- description: If the anti-affinity requirements
- specified by this field are not met at scheduling
- time, the pod will not be scheduled onto
- the node. If the anti-affinity requirements
- specified by this field cease to be met
- at some point during pod execution (e.g.
- due to a pod label update), the system may
- or may not try to eventually evict the pod
- from its node. When there are multiple elements,
- the lists of nodes corresponding to each
- podAffinityTerm are intersected, i.e. all
- terms must be satisfied.
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
items:
- description: Defines a set of pods (namely
- those matching the labelSelector relative
- to the given namespace(s)) that this pod
- should be co-located (affinity) or not
- co-located (anti-affinity) with, where
- co-located is defined as running on a
- node whose value of the label with key
- matches that of any node
- on which a pod of the set of pods is running
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
properties:
labelSelector:
- description: A label query over a set
- of resources, in this case pods. If
- it's null, this PodAffinityTerm matches
- with no Pods.
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -3089,115 +6985,82 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: MatchLabelKeys is a set
- of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key in (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MatchLabelKeys and
- LabelSelector. Also, MatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
mismatchLabelKeys:
- description: MismatchLabelKeys is a
- set of pod label keys to select which
- pods will be taken into consideration.
- The keys are used to lookup values
- from the incoming pod labels, those
- key-value labels are merged with `LabelSelector`
- as `key notin (value)` to select the
- group of existing pods which pods
- will be taken into consideration for
- the incoming pod's pod (anti) affinity.
- Keys that don't exist in the incoming
- pod labels will be ignored. The default
- value is empty. The same key is forbidden
- to exist in both MismatchLabelKeys
- and LabelSelector. Also, MismatchLabelKeys
- cannot be set when LabelSelector isn't
- set. This is an alpha field and requires
- enabling MatchLabelKeysInPodAffinity
- feature gate.
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
namespaceSelector:
- description: A label query over the
- set of namespaces that the term applies
- to. The term is applied to the union
- of the namespaces selected by this
- field and the ones listed in the namespaces
- field. null selector and null or empty
- namespaces list means "this pod's
- namespace". An empty selector ({})
- matches all namespaces.
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
properties:
matchExpressions:
description: matchExpressions is
a list of label selector requirements.
The requirements are ANDed.
items:
- description: A label selector
- requirement is a selector that
- contains values, a key, and
- an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -3205,100 +7068,87 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to
- a set of values. Valid operators
- are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an
- array of string values.
- If the operator is In or
- NotIn, the values array
- must be non-empty. If the
- operator is Exists or DoesNotExist,
- the values array must be
- empty. This array is replaced
- during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map
- of {key,value} pairs. A single
- {key,value} in the matchLabels
- map is equivalent to an element
- of matchExpressions, whose key
- field is "key", the operator is
- "In", and the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
- description: namespaces specifies a
- static list of namespace names that
- the term applies to. The term is applied
- to the union of the namespaces listed
- in this field and the ones selected
- by namespaceSelector. null or empty
- namespaces list and null namespaceSelector
- means "this pod's namespace".
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
topologyKey:
- description: This pod should be co-located
- (affinity) or not co-located (anti-affinity)
- with the pods matching the labelSelector
- in the specified namespaces, where
- co-located is defined as running on
- a node whose value of the label with
- key topologyKey matches that of any
- node on which any of the selected
- pods is running. Empty topologyKey
- is not allowed.
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
type: object
annotations:
additionalProperties:
type: string
- description: Annotations are the annotations that
- should be appended to the pods. By default, no pod
- annotations are appended.
+ description: |-
+ Annotations are the annotations that should be appended to the pods.
+ By default, no pod annotations are appended.
type: object
imagePullSecrets:
- description: 'ImagePullSecrets is an optional list
- of references to secrets in the same namespace to
- use for pulling any of the images used by this PodSpec.
- If specified, these secrets will be passed to individual
- puller implementations for them to use. More info:
- https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
+ description: |-
+ ImagePullSecrets is an optional list of references to secrets
+ in the same namespace to use for pulling any of the images used by this PodSpec.
+ If specified, these secrets will be passed to individual puller implementations for them to use.
+ More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
items:
- description: LocalObjectReference contains enough
- information to let you locate the referenced object
- inside the same namespace.
+ description: |-
+ LocalObjectReference contains enough information to let you locate the
+ referenced object inside the same namespace.
properties:
name:
- description: 'Name of the referent. More info:
- https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
@@ -3306,92 +7156,107 @@ spec:
labels:
additionalProperties:
type: string
- description: Labels are the additional labels that
- should be tagged to the pods. By default, no additional
- pod labels are tagged.
+ description: |-
+ Labels are the additional labels that should be tagged to the pods.
+ By default, no additional pod labels are tagged.
type: object
nodeSelector:
additionalProperties:
type: string
- description: 'NodeSelector is a selector which must
- be true for the pod to fit on a node. Selector which
- must match a node''s labels for the pod to be scheduled
- on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+ description: |-
+ NodeSelector is a selector which must be true for the pod to fit on a node.
+ Selector which must match a node's labels for the pod to be scheduled on that node.
+ More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
type: object
securityContext:
- description: 'SecurityContext holds pod-level security
- attributes and common container settings. Optional:
- Defaults to empty. See type description for default
- values of each field.'
+ description: |-
+ SecurityContext holds pod-level security attributes and common container settings.
+ Optional: Defaults to empty. See type description for default values of each field.
properties:
+ appArmorProfile:
+ description: |-
+ appArmorProfile is the AppArmor options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
+ properties:
+ localhostProfile:
+ description: |-
+ localhostProfile indicates a profile loaded on the node that should be used.
+ The profile must be preconfigured on the node to work.
+ Must match the loaded name of the profile.
+ Must be set if and only if type is "Localhost".
+ type: string
+ type:
+ description: |-
+ type indicates which kind of AppArmor profile will be applied.
+ Valid options are:
+ Localhost - a profile pre-loaded on the node.
+ RuntimeDefault - the container runtime's default profile.
+ Unconfined - no AppArmor enforcement.
+ type: string
+ required:
+ - type
+ type: object
fsGroup:
- description: "A special supplemental group that
- applies to all containers in a pod. Some volume
- types allow the Kubelet to change the ownership
- of that volume to be owned by the pod: \n 1.
- The owning GID will be the FSGroup 2. The setgid
- bit is set (new files created in the volume
- will be owned by FSGroup) 3. The permission
- bits are OR'd with rw-rw---- \n If unset, the
- Kubelet will not modify the ownership and permissions
- of any volume. Note that this field cannot be
- set when spec.os.name is windows."
+ description: |-
+ A special supplemental group that applies to all containers in a pod.
+ Some volume types allow the Kubelet to change the ownership of that volume
+ to be owned by the pod:
+
+ 1. The owning GID will be the FSGroup
+ 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
+ 3. The permission bits are OR'd with rw-rw----
+
+ If unset, the Kubelet will not modify the ownership and permissions of any volume.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
fsGroupChangePolicy:
- description: 'fsGroupChangePolicy defines behavior
- of changing ownership and permission of the
- volume before being exposed inside Pod. This
- field will only apply to volume types which
- support fsGroup based ownership(and permissions).
- It will have no effect on ephemeral volume types
- such as: secret, configmaps and emptydir. Valid
- values are "OnRootMismatch" and "Always". If
- not specified, "Always" is used. Note that this
- field cannot be set when spec.os.name is windows.'
+ description: |-
+ fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
+ before being exposed inside Pod. This field will only apply to
+ volume types which support fsGroup based ownership(and permissions).
+ It will have no effect on ephemeral volume types such as: secret, configmaps
+ and emptydir.
+ Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
+ Note that this field cannot be set when spec.os.name is windows.
type: string
runAsGroup:
- description: The GID to run the entrypoint of
- the container process. Uses runtime default
- if unset. May also be set in SecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence for that container. Note that this
- field cannot be set when spec.os.name is windows.
+ description: |-
+ The GID to run the entrypoint of the container process.
+ Uses runtime default if unset.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
runAsNonRoot:
- description: Indicates that the container must
- run as a non-root user. If true, the Kubelet
- will validate the image at runtime to ensure
- that it does not run as UID 0 (root) and fail
- to start the container if it does. If unset
- or false, no such validation will be performed.
- May also be set in SecurityContext. If set
- in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence.
+ description: |-
+ Indicates that the container must run as a non-root user.
+ If true, the Kubelet will validate the image at runtime to ensure that it
+ does not run as UID 0 (root) and fail to start the container if it does.
+ If unset or false, no such validation will be performed.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: boolean
runAsUser:
- description: The UID to run the entrypoint of
- the container process. Defaults to user specified
- in image metadata if unspecified. May also be
- set in SecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence for that
- container. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ The UID to run the entrypoint of the container process.
+ Defaults to user specified in image metadata if unspecified.
+ May also be set in SecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence
+ for that container.
+ Note that this field cannot be set when spec.os.name is windows.
format: int64
type: integer
seLinuxOptions:
- description: The SELinux context to be applied
- to all containers. If unspecified, the container
- runtime will allocate a random SELinux context
- for each container. May also be set in SecurityContext. If
- set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence for that container. Note that this
- field cannot be set when spec.os.name is windows.
+ description: |-
+ The SELinux context to be applied to all containers.
+ If unspecified, the container runtime will allocate a random SELinux context for each
+ container. May also be set in SecurityContext. If set in
+ both SecurityContext and PodSecurityContext, the value specified in SecurityContext
+ takes precedence for that container.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
level:
description: Level is SELinux level label
@@ -3411,55 +7276,58 @@ spec:
type: string
type: object
seccompProfile:
- description: The seccomp options to use by the
- containers in this pod. Note that this field
- cannot be set when spec.os.name is windows.
+ description: |-
+ The seccomp options to use by the containers in this pod.
+ Note that this field cannot be set when spec.os.name is windows.
properties:
localhostProfile:
- description: localhostProfile indicates a
- profile defined in a file on the node should
- be used. The profile must be preconfigured
- on the node to work. Must be a descending
- path, relative to the kubelet's configured
- seccomp profile location. Must be set if
- type is "Localhost". Must NOT be set for
- any other type.
+ description: |-
+ localhostProfile indicates a profile defined in a file on the node should be used.
+ The profile must be preconfigured on the node to work.
+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
+ Must be set if type is "Localhost". Must NOT be set for any other type.
type: string
type:
- description: "type indicates which kind of
- seccomp profile will be applied. Valid options
- are: \n Localhost - a profile defined in
- a file on the node should be used. RuntimeDefault
- - the container runtime default profile
- should be used. Unconfined - no profile
- should be applied."
+ description: |-
+ type indicates which kind of seccomp profile will be applied.
+ Valid options are:
+
+ Localhost - a profile defined in a file on the node should be used.
+ RuntimeDefault - the container runtime default profile should be used.
+ Unconfined - no profile should be applied.
type: string
required:
- type
type: object
supplementalGroups:
- description: A list of groups applied to the first
- process run in each container, in addition to
- the container's primary GID, the fsGroup (if
- specified), and group memberships defined in
- the container image for the uid of the container
- process. If unspecified, no additional groups
- are added to any container. Note that group
- memberships defined in the container image for
- the uid of the container process are still effective,
- even if they are not included in this list.
- Note that this field cannot be set when spec.os.name
- is windows.
+ description: |-
+ A list of groups applied to the first process run in each container, in
+ addition to the container's primary GID and fsGroup (if specified). If
+ the SupplementalGroupsPolicy feature is enabled, the
+ supplementalGroupsPolicy field determines whether these are in addition
+ to or instead of any group memberships defined in the container image.
+ If unspecified, no additional groups are added, though group memberships
+ defined in the container image may still be used, depending on the
+ supplementalGroupsPolicy field.
+ Note that this field cannot be set when spec.os.name is windows.
items:
format: int64
type: integer
type: array
+ x-kubernetes-list-type: atomic
+ supplementalGroupsPolicy:
+ description: |-
+ Defines how supplemental groups of the first container processes are calculated.
+ Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
+ (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
+ and the container runtime must implement support for this feature.
+ Note that this field cannot be set when spec.os.name is windows.
+ type: string
sysctls:
- description: Sysctls hold a list of namespaced
- sysctls used for the pod. Pods with unsupported
- sysctls (by the container runtime) might fail
- to launch. Note that this field cannot be set
- when spec.os.name is windows.
+ description: |-
+ Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
+ sysctls (by the container runtime) might fail to launch.
+ Note that this field cannot be set when spec.os.name is windows.
items:
description: Sysctl defines a kernel parameter
to be set
@@ -3475,108 +7343,92 @@ spec:
- value
type: object
type: array
+ x-kubernetes-list-type: atomic
windowsOptions:
- description: The Windows specific settings applied
- to all containers. If unspecified, the options
- within a container's SecurityContext will be
- used. If set in both SecurityContext and PodSecurityContext,
- the value specified in SecurityContext takes
- precedence. Note that this field cannot be set
- when spec.os.name is linux.
+ description: |-
+ The Windows specific settings applied to all containers.
+ If unspecified, the options within a container's SecurityContext will be used.
+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
+ Note that this field cannot be set when spec.os.name is linux.
properties:
gmsaCredentialSpec:
- description: GMSACredentialSpec is where the
- GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa)
- inlines the contents of the GMSA credential
- spec named by the GMSACredentialSpecName
- field.
+ description: |-
+ GMSACredentialSpec is where the GMSA admission webhook
+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
+ GMSA credential spec named by the GMSACredentialSpecName field.
type: string
gmsaCredentialSpecName:
description: GMSACredentialSpecName is the
name of the GMSA credential spec to use.
type: string
hostProcess:
- description: HostProcess determines if a container
- should be run as a 'Host Process' container.
- All of a Pod's containers must have the
- same effective HostProcess value (it is
- not allowed to have a mix of HostProcess
- containers and non-HostProcess containers).
- In addition, if HostProcess is true then
- HostNetwork must also be set to true.
+ description: |-
+ HostProcess determines if a container should be run as a 'Host Process' container.
+ All of a Pod's containers must have the same effective HostProcess value
+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
+ In addition, if HostProcess is true then HostNetwork must also be set to true.
type: boolean
runAsUserName:
- description: The UserName in Windows to run
- the entrypoint of the container process.
- Defaults to the user specified in image
- metadata if unspecified. May also be set
- in PodSecurityContext. If set in both SecurityContext
- and PodSecurityContext, the value specified
- in SecurityContext takes precedence.
+ description: |-
+ The UserName in Windows to run the entrypoint of the container process.
+ Defaults to the user specified in image metadata if unspecified.
+ May also be set in PodSecurityContext. If set in both SecurityContext and
+ PodSecurityContext, the value specified in SecurityContext takes precedence.
type: string
type: object
type: object
tolerations:
description: If specified, the pod's tolerations.
items:
- description: The pod this Toleration is attached
- to tolerates any taint that matches the triple
- using the matching operator
- .
+ description: |-
+ The pod this Toleration is attached to tolerates any taint that matches
+ the triple using the matching operator .
properties:
effect:
- description: Effect indicates the taint effect
- to match. Empty means match all taint effects.
- When specified, allowed values are NoSchedule,
- PreferNoSchedule and NoExecute.
+ description: |-
+ Effect indicates the taint effect to match. Empty means match all taint effects.
+ When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
- description: Key is the taint key that the toleration
- applies to. Empty means match all taint keys.
- If the key is empty, operator must be Exists;
- this combination means to match all values
- and all keys.
+ description: |-
+ Key is the taint key that the toleration applies to. Empty means match all taint keys.
+ If the key is empty, operator must be Exists; this combination means to match all values and all keys.
type: string
operator:
- description: Operator represents a key's relationship
- to the value. Valid operators are Exists and
- Equal. Defaults to Equal. Exists is equivalent
- to wildcard for value, so that a pod can tolerate
- all taints of a particular category.
+ description: |-
+ Operator represents a key's relationship to the value.
+ Valid operators are Exists and Equal. Defaults to Equal.
+ Exists is equivalent to wildcard for value, so that a pod can
+ tolerate all taints of a particular category.
type: string
tolerationSeconds:
- description: TolerationSeconds represents the
- period of time the toleration (which must
- be of effect NoExecute, otherwise this field
- is ignored) tolerates the taint. By default,
- it is not set, which means tolerate the taint
- forever (do not evict). Zero and negative
- values will be treated as 0 (evict immediately)
- by the system.
+ description: |-
+ TolerationSeconds represents the period of time the toleration (which must be
+ of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
+ it is not set, which means tolerate the taint forever (do not evict). Zero and
+ negative values will be treated as 0 (evict immediately) by the system.
format: int64
type: integer
value:
- description: Value is the taint value the toleration
- matches to. If the operator is Exists, the
- value should be empty, otherwise just a regular
- string.
+ description: |-
+ Value is the taint value the toleration matches to.
+ If the operator is Exists, the value should be empty, otherwise just a regular string.
type: string
type: object
type: array
topologySpreadConstraints:
- description: TopologySpreadConstraints describes how
- a group of pods ought to spread across topology
- domains. Scheduler will schedule pods in a way which
- abides by the constraints. All topologySpreadConstraints
- are ANDed.
+ description: |-
+ TopologySpreadConstraints describes how a group of pods ought to spread across topology
+ domains. Scheduler will schedule pods in a way which abides by the constraints.
+ All topologySpreadConstraints are ANDed.
items:
description: TopologySpreadConstraint specifies
how to spread matching pods among the given topology.
properties:
labelSelector:
- description: LabelSelector is used to find matching
- pods. Pods that match this label selector
- are counted to determine the number of pods
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
in their corresponding topology domain.
properties:
matchExpressions:
@@ -3584,193 +7436,159 @@ spec:
of label selector requirements. The requirements
are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label key
that the selector applies to.
type: string
operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
matchLabelKeys:
- description: "MatchLabelKeys is a set of pod
- label keys to select the pods over which spreading
- will be calculated. The keys are used to lookup
- values from the incoming pod labels, those
- key-value labels are ANDed with labelSelector
- to select the group of existing pods over
- which spreading will be calculated for the
- incoming pod. The same key is forbidden to
- exist in both MatchLabelKeys and LabelSelector.
- MatchLabelKeys cannot be set when LabelSelector
- isn't set. Keys that don't exist in the incoming
- pod labels will be ignored. A null or empty
- list means only match against labelSelector.
- \n This is a beta field and requires the MatchLabelKeysInPodTopologySpread
- feature gate to be enabled (enabled by default)."
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
items:
type: string
type: array
x-kubernetes-list-type: atomic
maxSkew:
- description: 'MaxSkew describes the degree to
- which pods may be unevenly distributed. When
- `whenUnsatisfiable=DoNotSchedule`, it is the
- maximum permitted difference between the number
- of matching pods in the target topology and
- the global minimum. The global minimum is
- the minimum number of matching pods in an
- eligible domain or zero if the number of eligible
- domains is less than MinDomains. For example,
- in a 3-zone cluster, MaxSkew is set to 1,
- and pods with the same labelSelector spread
- as 2/2/1: In this case, the global minimum
- is 1. | zone1 | zone2 | zone3 | | P P | P
- P | P | - if MaxSkew is 1, incoming pod
- can only be scheduled to zone3 to become 2/2/2;
- scheduling it onto zone1(zone2) would make
- the ActualSkew(3-1) on zone1(zone2) violate
- MaxSkew(1). - if MaxSkew is 2, incoming pod
- can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`,
- it is used to give higher precedence to topologies
- that satisfy it. It''s a required field. Default
- value is 1 and 0 is not allowed.'
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
format: int32
type: integer
minDomains:
- description: "MinDomains indicates a minimum
- number of eligible domains. When the number
- of eligible domains with matching topology
- keys is less than minDomains, Pod Topology
- Spread treats \"global minimum\" as 0, and
- then the calculation of Skew is performed.
- And when the number of eligible domains with
- matching topology keys equals or greater than
- minDomains, this value has no effect on scheduling.
- As a result, when the number of eligible domains
- is less than minDomains, scheduler won't schedule
- more than maxSkew Pods to those domains. If
- value is nil, the constraint behaves as if
- MinDomains is equal to 1. Valid values are
- integers greater than 0. When value is not
- nil, WhenUnsatisfiable must be DoNotSchedule.
- \n For example, in a 3-zone cluster, MaxSkew
- is set to 2, MinDomains is set to 5 and pods
- with the same labelSelector spread as 2/2/2:
- | zone1 | zone2 | zone3 | | P P | P P |
- \ P P | The number of domains is less than
- 5(MinDomains), so \"global minimum\" is treated
- as 0. In this situation, new pod with the
- same labelSelector cannot be scheduled, because
- computed skew will be 3(3 - 0) if new Pod
- is scheduled to any of the three zones, it
- will violate MaxSkew. \n This is a beta field
- and requires the MinDomainsInPodTopologySpread
- feature gate to be enabled (enabled by default)."
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
format: int32
type: integer
nodeAffinityPolicy:
- description: "NodeAffinityPolicy indicates how
- we will treat Pod's nodeAffinity/nodeSelector
- when calculating pod topology spread skew.
- Options are: - Honor: only nodes matching
- nodeAffinity/nodeSelector are included in
- the calculations. - Ignore: nodeAffinity/nodeSelector
- are ignored. All nodes are included in the
- calculations. \n If this value is nil, the
- behavior is equivalent to the Honor policy.
- This is a beta-level feature default enabled
- by the NodeInclusionPolicyInPodTopologySpread
- feature flag."
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
nodeTaintsPolicy:
- description: "NodeTaintsPolicy indicates how
- we will treat node taints when calculating
- pod topology spread skew. Options are: - Honor:
- nodes without taints, along with tainted nodes
- for which the incoming pod has a toleration,
- are included. - Ignore: node taints are ignored.
- All nodes are included. \n If this value is
- nil, the behavior is equivalent to the Ignore
- policy. This is a beta-level feature default
- enabled by the NodeInclusionPolicyInPodTopologySpread
- feature flag."
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew. Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
type: string
topologyKey:
- description: TopologyKey is the key of node
- labels. Nodes that have a label with this
- key and identical values are considered to
- be in the same topology. We consider each
- as a "bucket", and try to put
- balanced number of pods into each bucket.
- We define a domain as a particular instance
- of a topology. Also, we define an eligible
- domain as a domain whose nodes meet the requirements
- of nodeAffinityPolicy and nodeTaintsPolicy.
- e.g. If TopologyKey is "kubernetes.io/hostname",
- each Node is a domain of that topology. And,
- if TopologyKey is "topology.kubernetes.io/zone",
- each zone is a domain of that topology. It's
- a required field.
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
type: string
whenUnsatisfiable:
- description: 'WhenUnsatisfiable indicates how
- to deal with a pod if it doesn''t satisfy
- the spread constraint. - DoNotSchedule (default)
- tells the scheduler not to schedule it. -
- ScheduleAnyway tells the scheduler to schedule
- the pod in any location, but giving higher
- precedence to topologies that would help reduce
- the skew. A constraint is considered "Unsatisfiable"
- for an incoming pod if and only if every possible
- node assignment for that pod would violate
- "MaxSkew" on some topology. For example, in
- a 3-zone cluster, MaxSkew is set to 1, and
- pods with the same labelSelector spread as
- 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P |
- If WhenUnsatisfiable is set to DoNotSchedule,
- incoming pod can only be scheduled to zone2(zone3)
- to become 3/2/1(3/1/2) as ActualSkew(2-1)
- on zone2(zone3) satisfies MaxSkew(1). In other
- words, the cluster can still be imbalanced,
- but scheduler won''t make it *more* imbalanced.
- It''s a required field.'
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler
+ won't make it *more* imbalanced.
+ It's a required field.
type: string
required:
- maxSkew
@@ -3779,49 +7597,44 @@ spec:
type: object
type: array
volumes:
- description: 'Volumes that can be mounted by containers
- belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes'
+ description: |-
+ Volumes that can be mounted by containers belonging to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes
items:
description: Volume represents a named volume in
a pod that may be accessed by any container in
the pod.
properties:
awsElasticBlockStore:
- description: 'awsElasticBlockStore represents
- an AWS Disk resource that is attached to a
- kubelet''s host machine and then exposed to
- the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
+ description: |-
+ awsElasticBlockStore represents an AWS Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
properties:
fsType:
- description: 'fsType is the filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
type: string
partition:
- description: 'partition is the partition
- in the volume that you want to mount.
- If omitted, the default is to mount by
- volume name. Examples: For volume /dev/sda1,
- you specify the partition as "1". Similarly,
- the volume partition for /dev/sda is "0"
- (or you can leave the property empty).'
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
format: int32
type: integer
readOnly:
- description: 'readOnly value true will force
- the readOnly setting in VolumeMounts.
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
+ description: |-
+ readOnly value true will force the readOnly setting in VolumeMounts.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: boolean
volumeID:
- description: 'volumeID is unique ID of the
- persistent disk resource in AWS (Amazon
- EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore'
+ description: |-
+ volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore
type: string
required:
- volumeID
@@ -3844,11 +7657,11 @@ spec:
disk in the blob storage
type: string
fsType:
- description: fsType is Filesystem type to
- mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ default: ext4
+ description: |-
+ fsType is Filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
kind:
description: 'kind expected values are Shared:
@@ -3858,8 +7671,9 @@ spec:
availability set). defaults to shared'
type: string
readOnly:
- description: readOnly Defaults to false
- (read/write). ReadOnly here will force
+ default: false
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
required:
@@ -3872,8 +7686,8 @@ spec:
the pod.
properties:
readOnly:
- description: readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretName:
@@ -3894,85 +7708,91 @@ spec:
on the host that shares a pod's lifetime
properties:
monitors:
- description: 'monitors is Required: Monitors
- is a collection of Ceph monitors More
- info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ monitors is Required: Monitors is a collection of Ceph monitors
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
path:
description: 'path is Optional: Used as
the mounted root, rather than the full
Ceph tree, default is /'
type: string
readOnly:
- description: 'readOnly is Optional: Defaults
- to false (read/write). ReadOnly here will
- force the ReadOnly setting in VolumeMounts.
- More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: boolean
secretFile:
- description: 'secretFile is Optional: SecretFile
- is the path to key ring for User, default
- is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
secretRef:
- description: 'secretRef is Optional: SecretRef
- is reference to the authentication secret
- for User, default is empty. More info:
- https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty.
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
user:
- description: 'user is optional: User is
- the rados user name, default is admin
- More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it'
+ description: |-
+ user is optional: User is the rados user name, default is admin
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it
type: string
required:
- monitors
type: object
cinder:
- description: 'cinder represents a cinder volume
- attached and mounted on kubelets host machine.
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
+ description: |-
+ cinder represents a cinder volume attached and mounted on kubelets host machine.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
properties:
fsType:
- description: 'fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Examples:
- "ext4", "xfs", "ntfs". Implicitly inferred
- to be "ext4" if unspecified. More info:
- https://examples.k8s.io/mysql-cinder-pd/README.md'
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
readOnly:
- description: 'readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
- More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: boolean
secretRef:
- description: 'secretRef is optional: points
- to a secret object containing parameters
- used to connect to OpenStack.'
+ description: |-
+ secretRef is optional: points to a secret object containing parameters used to connect
+ to OpenStack.
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
volumeID:
- description: 'volumeID used to identify
- the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md'
+ description: |-
+ volumeID used to identify the volume in cinder.
+ More info: https://examples.k8s.io/mysql-cinder-pd/README.md
type: string
required:
- volumeID
@@ -3982,34 +7802,25 @@ spec:
that should populate this volume
properties:
defaultMode:
- description: 'defaultMode is optional: mode
- bits used to set permissions on created
- files by default. Must be an octal value
- between 0000 and 0777 or a decimal value
- between 0 and 511. YAML accepts both octal
- and decimal values, JSON requires decimal
- values for mode bits. Defaults to 0644.
- Directories within the path are not affected
- by this setting. This might be in conflict
- with other options that affect the file
- mode, like fsGroup, and the result can
- be other mode bits set.'
+ description: |-
+ defaultMode is optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
- description: items if unspecified, each
- key-value pair in the Data field of the
- referenced ConfigMap will be projected
- into the volume as a file whose name is
- the key and content is the value. If specified,
- the listed keys will be projected into
- the specified paths, and unlisted keys
- will not be present. If a key is specified
- which is not present in the ConfigMap,
- the volume setup will error unless it
- is marked optional. Paths must be relative
- and may not contain the '..' path or start
- with '..'.
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
@@ -4018,39 +7829,36 @@ spec:
description: key is the key to project.
type: string
mode:
- description: 'mode is Optional: mode
- bits used to set permissions on
- this file. Must be an octal value
- between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts
- both octal and decimal values, JSON
- requires decimal values for mode
- bits. If not specified, the volume
- defaultMode will be used. This might
- be in conflict with other options
- that affect the file mode, like
- fsGroup, and the result can be other
- mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the relative
- path of the file to map the key
- to. May not be an absolute path.
- May not contain the path element
- '..'. May not start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
+ x-kubernetes-list-type: atomic
name:
- description: 'Name of the referent. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
optional:
description: optional specify whether the
@@ -4064,49 +7872,46 @@ spec:
by certain external CSI drivers (Beta feature).
properties:
driver:
- description: driver is the name of the CSI
- driver that handles this volume. Consult
- with your admin for the correct name as
- registered in the cluster.
+ description: |-
+ driver is the name of the CSI driver that handles this volume.
+ Consult with your admin for the correct name as registered in the cluster.
type: string
fsType:
- description: fsType to mount. Ex. "ext4",
- "xfs", "ntfs". If not provided, the empty
- value is passed to the associated CSI
- driver which will determine the default
- filesystem to apply.
+ description: |-
+ fsType to mount. Ex. "ext4", "xfs", "ntfs".
+ If not provided, the empty value is passed to the associated CSI driver
+ which will determine the default filesystem to apply.
type: string
nodePublishSecretRef:
- description: nodePublishSecretRef is a reference
- to the secret object containing sensitive
- information to pass to the CSI driver
- to complete the CSI NodePublishVolume
- and NodeUnpublishVolume calls. This field
- is optional, and may be empty if no secret
- is required. If the secret object contains
- more than one secret, all secret references
- are passed.
+ description: |-
+ nodePublishSecretRef is a reference to the secret object containing
+ sensitive information to pass to the CSI driver to complete the CSI
+ NodePublishVolume and NodeUnpublishVolume calls.
+ This field is optional, and may be empty if no secret is required. If the
+ secret object contains more than one secret, all secret references are passed.
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
readOnly:
- description: readOnly specifies a read-only
- configuration for the volume. Defaults
- to false (read/write).
+ description: |-
+ readOnly specifies a read-only configuration for the volume.
+ Defaults to false (read/write).
type: boolean
volumeAttributes:
additionalProperties:
type: string
- description: volumeAttributes stores driver-specific
- properties that are passed to the CSI
- driver. Consult your driver's documentation
- for supported values.
+ description: |-
+ volumeAttributes stores driver-specific properties that are passed to the CSI
+ driver. Consult your driver's documentation for supported values.
type: object
required:
- driver
@@ -4117,20 +7922,15 @@ spec:
volume
properties:
defaultMode:
- description: 'Optional: mode bits to use
- on created files by default. Must be a
- Optional: mode bits used to set permissions
- on created files by default. Must be an
- octal value between 0000 and 0777 or a
- decimal value between 0 and 511. YAML
- accepts both octal and decimal values,
- JSON requires decimal values for mode
- bits. Defaults to 0644. Directories within
- the path are not affected by this setting.
- This might be in conflict with other options
- that affect the file mode, like fsGroup,
- and the result can be other mode bits
- set.'
+ description: |-
+ Optional: mode bits to use on created files by default. Must be a
+ Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
@@ -4144,7 +7944,8 @@ spec:
fieldRef:
description: 'Required: Selects a
field of the pod: only annotations,
- labels, name and namespace are supported.'
+ labels, name, namespace and uid
+ are supported.'
properties:
apiVersion:
description: Version of the schema
@@ -4161,19 +7962,13 @@ spec:
type: object
x-kubernetes-map-type: atomic
mode:
- description: 'Optional: mode bits
- used to set permissions on this
- file, must be an octal value between
- 0000 and 0777 or a decimal value
- between 0 and 511. YAML accepts
- both octal and decimal values, JSON
- requires decimal values for mode
- bits. If not specified, the volume
- defaultMode will be used. This might
- be in conflict with other options
- that affect the file mode, like
- fsGroup, and the result can be other
- mode bits set.'
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
@@ -4186,11 +7981,9 @@ spec:
with ''..'''
type: string
resourceFieldRef:
- description: 'Selects a resource of
- the container: only resources limits
- and requests (limits.cpu, limits.memory,
- requests.cpu and requests.memory)
- are currently supported.'
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container name:
@@ -4218,140 +8011,122 @@ spec:
- path
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
emptyDir:
- description: 'emptyDir represents a temporary
- directory that shares a pod''s lifetime. More
- info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
+ description: |-
+ emptyDir represents a temporary directory that shares a pod's lifetime.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
properties:
medium:
- description: 'medium represents what type
- of storage medium should back this directory.
- The default is "" which means to use the
- node''s default medium. Must be an empty
- string (default) or Memory. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
+ description: |-
+ medium represents what type of storage medium should back this directory.
+ The default is "" which means to use the node's default medium.
+ Must be an empty string (default) or Memory.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
type: string
sizeLimit:
anyOf:
- type: integer
- type: string
- description: 'sizeLimit is the total amount
- of local storage required for this EmptyDir
- volume. The size limit is also applicable
- for memory medium. The maximum usage on
- memory medium EmptyDir would be the minimum
- value between the SizeLimit specified
- here and the sum of memory limits of all
- containers in a pod. The default is nil
- which means that the limit is undefined.
- More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir'
+ description: |-
+ sizeLimit is the total amount of local storage required for this EmptyDir volume.
+ The size limit is also applicable for memory medium.
+ The maximum usage on memory medium EmptyDir would be the minimum value between
+ the SizeLimit specified here and the sum of memory limits of all containers in a pod.
+ The default is nil which means that the limit is undefined.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type: object
ephemeral:
- description: "ephemeral represents a volume
- that is handled by a cluster storage driver.
- The volume's lifecycle is tied to the pod
- that defines it - it will be created before
- the pod starts, and deleted when the pod is
- removed. \n Use this if: a) the volume is
- only needed while the pod runs, b) features
- of normal volumes like restoring from snapshot
- or capacity tracking are needed, c) the storage
- driver is specified through a storage class,
- and d) the storage driver supports dynamic
- volume provisioning through a PersistentVolumeClaim
- (see EphemeralVolumeSource for more information
- on the connection between this volume type
- and PersistentVolumeClaim). \n Use PersistentVolumeClaim
- or one of the vendor-specific APIs for volumes
- that persist for longer than the lifecycle
- of an individual pod. \n Use CSI for light-weight
- local ephemeral volumes if the CSI driver
- is meant to be used that way - see the documentation
- of the driver for more information. \n A pod
- can use both types of ephemeral volumes and
- persistent volumes at the same time."
+ description: |-
+ ephemeral represents a volume that is handled by a cluster storage driver.
+ The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts,
+ and deleted when the pod is removed.
+
+ Use this if:
+ a) the volume is only needed while the pod runs,
+ b) features of normal volumes like restoring from snapshot or capacity
+ tracking are needed,
+ c) the storage driver is specified through a storage class, and
+ d) the storage driver supports dynamic volume provisioning through
+ a PersistentVolumeClaim (see EphemeralVolumeSource for more
+ information on the connection between this volume type
+ and PersistentVolumeClaim).
+
+ Use PersistentVolumeClaim or one of the vendor-specific
+ APIs for volumes that persist for longer than the lifecycle
+ of an individual pod.
+
+ Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to
+ be used that way - see the documentation of the driver for
+ more information.
+
+ A pod can use both types of ephemeral volumes and
+ persistent volumes at the same time.
properties:
volumeClaimTemplate:
- description: "Will be used to create a stand-alone
- PVC to provision the volume. The pod in
- which this EphemeralVolumeSource is embedded
- will be the owner of the PVC, i.e. the
- PVC will be deleted together with the
- pod. The name of the PVC will be `-` where ``
- is the name from the `PodSpec.Volumes`
- array entry. Pod validation will reject
- the pod if the concatenated name is not
- valid for a PVC (for example, too long).
- \n An existing PVC with that name that
- is not owned by the pod will *not* be
- used for the pod to avoid using an unrelated
- volume by mistake. Starting the pod is
- then blocked until the unrelated PVC is
- removed. If such a pre-created PVC is
- meant to be used by the pod, the PVC has
- to updated with an owner reference to
- the pod once the pod exists. Normally
- this should not be necessary, but it may
- be useful when manually reconstructing
- a broken cluster. \n This field is read-only
- and no changes will be made by Kubernetes
+ description: |-
+ Will be used to create a stand-alone PVC to provision the volume.
+ The pod in which this EphemeralVolumeSource is embedded will be the
+ owner of the PVC, i.e. the PVC will be deleted together with the
+ pod. The name of the PVC will be `-` where
+ `` is the name from the `PodSpec.Volumes` array
+ entry. Pod validation will reject the pod if the concatenated name
+ is not valid for a PVC (for example, too long).
+
+ An existing PVC with that name that is not owned by the pod
+ will *not* be used for the pod to avoid using an unrelated
+ volume by mistake. Starting the pod is then blocked until
+ the unrelated PVC is removed. If such a pre-created PVC is
+ meant to be used by the pod, the PVC has to updated with an
+ owner reference to the pod once the pod exists. Normally
+ this should not be necessary, but it may be useful when
+ manually reconstructing a broken cluster.
+
+ This field is read-only and no changes will be made by Kubernetes
to the PVC after it has been created.
- \n Required, must not be nil."
+
+ Required, must not be nil.
properties:
metadata:
- description: May contain labels and
- annotations that will be copied into
- the PVC when creating it. No other
- fields are allowed and will be rejected
- during validation.
+ description: |-
+ May contain labels and annotations that will be copied into the PVC
+ when creating it. No other fields are allowed and will be rejected during
+ validation.
type: object
spec:
- description: The specification for the
- PersistentVolumeClaim. The entire
- content is copied unchanged into the
- PVC that gets created from this template.
- The same fields as in a PersistentVolumeClaim
+ description: |-
+ The specification for the PersistentVolumeClaim. The entire content is
+ copied unchanged into the PVC that gets created from this
+ template. The same fields as in a PersistentVolumeClaim
are also valid here.
properties:
accessModes:
- description: 'accessModes contains
- the desired access modes the volume
- should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1'
+ description: |-
+ accessModes contains the desired access modes the volume should have.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
dataSource:
- description: 'dataSource field can
- be used to specify either: * An
- existing VolumeSnapshot object
- (snapshot.storage.k8s.io/VolumeSnapshot)
+ description: |-
+ dataSource field can be used to specify either:
+ * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)
* An existing PVC (PersistentVolumeClaim)
- If the provisioner or an external
- controller can support the specified
- data source, it will create a
- new volume based on the contents
- of the specified data source.
- When the AnyVolumeDataSource feature
- gate is enabled, dataSource contents
- will be copied to dataSourceRef,
- and dataSourceRef contents will
- be copied to dataSource when dataSourceRef.namespace
- is not specified. If the namespace
- is specified, then dataSourceRef
- will not be copied to dataSource.'
+ If the provisioner or an external controller can support the specified data source,
+ it will create a new volume based on the contents of the specified data source.
+ When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef,
+ and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified.
+ If the namespace is specified, then dataSourceRef will not be copied to dataSource.
properties:
apiGroup:
- description: APIGroup is the
- group for the resource being
- referenced. If APIGroup is
- not specified, the specified
- Kind must be in the core API
- group. For any other third-party
- types, APIGroup is required.
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type
@@ -4367,59 +8142,36 @@ spec:
type: object
x-kubernetes-map-type: atomic
dataSourceRef:
- description: 'dataSourceRef specifies
- the object from which to populate
- the volume with data, if a non-empty
- volume is desired. This may be
- any object from a non-empty API
- group (non core object) or a PersistentVolumeClaim
- object. When this field is specified,
- volume binding will only succeed
- if the type of the specified object
- matches some installed volume
- populator or dynamic provisioner.
- This field will replace the functionality
- of the dataSource field and as
- such if both fields are non-empty,
- they must have the same value.
- For backwards compatibility, when
- namespace isn''t specified in
- dataSourceRef, both fields (dataSource
- and dataSourceRef) will be set
- to the same value automatically
- if one of them is empty and the
- other is non-empty. When namespace
- is specified in dataSourceRef,
- dataSource isn''t set to the same
- value and must be empty. There
- are three important differences
- between dataSource and dataSourceRef:
- * While dataSource only allows
- two specific types of objects,
- dataSourceRef allows any non-core
- object, as well as PersistentVolumeClaim
- objects. * While dataSource ignores
- disallowed values (dropping them),
- dataSourceRef preserves all values,
- and generates an error if a disallowed
- value is specified. * While dataSource
- only allows local objects, dataSourceRef
- allows objects in any namespaces.
- (Beta) Using this field requires
- the AnyVolumeDataSource feature
- gate to be enabled. (Alpha) Using
- the namespace field of dataSourceRef
- requires the CrossNamespaceVolumeDataSource
- feature gate to be enabled.'
+ description: |-
+ dataSourceRef specifies the object from which to populate the volume with data, if a non-empty
+ volume is desired. This may be any object from a non-empty API group (non
+ core object) or a PersistentVolumeClaim object.
+ When this field is specified, volume binding will only succeed if the type of
+ the specified object matches some installed volume populator or dynamic
+ provisioner.
+ This field will replace the functionality of the dataSource field and as such
+ if both fields are non-empty, they must have the same value. For backwards
+ compatibility, when namespace isn't specified in dataSourceRef,
+ both fields (dataSource and dataSourceRef) will be set to the same
+ value automatically if one of them is empty and the other is non-empty.
+ When namespace is specified in dataSourceRef,
+ dataSource isn't set to the same value and must be empty.
+ There are three important differences between dataSource and dataSourceRef:
+ * While dataSource only allows two specific types of objects, dataSourceRef
+ allows any non-core object, as well as PersistentVolumeClaim objects.
+ * While dataSource ignores disallowed values (dropping them), dataSourceRef
+ preserves all values, and generates an error if a disallowed value is
+ specified.
+ * While dataSource only allows local objects, dataSourceRef allows objects
+ in any namespaces.
+ (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled.
+ (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
properties:
apiGroup:
- description: APIGroup is the
- group for the resource being
- referenced. If APIGroup is
- not specified, the specified
- Kind must be in the core API
- group. For any other third-party
- types, APIGroup is required.
+ description: |-
+ APIGroup is the group for the resource being referenced.
+ If APIGroup is not specified, the specified Kind must be in the core API group.
+ For any other third-party types, APIGroup is required.
type: string
kind:
description: Kind is the type
@@ -4430,35 +8182,22 @@ spec:
of resource being referenced
type: string
namespace:
- description: Namespace is the
- namespace of resource being
- referenced Note that when
- a namespace is specified,
- a gateway.networking.k8s.io/ReferenceGrant
- object is required in the
- referent namespace to allow
- that namespace's owner to
- accept the reference. See
- the ReferenceGrant documentation
- for details. (Alpha) This
- field requires the CrossNamespaceVolumeDataSource
- feature gate to be enabled.
+ description: |-
+ Namespace is the namespace of resource being referenced
+ Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details.
+ (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.
type: string
required:
- kind
- name
type: object
resources:
- description: 'resources represents
- the minimum resources the volume
- should have. If RecoverVolumeExpansionFailure
- feature is enabled users are allowed
- to specify resource requirements
- that are lower than previous value
- but must still be higher than
- capacity recorded in the status
- field of the claim. More info:
- https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources'
+ description: |-
+ resources represents the minimum resources the volume should have.
+ If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements
+ that are lower than previous value but must still be higher than capacity recorded in the
+ status field of the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources
properties:
limits:
additionalProperties:
@@ -4467,10 +8206,9 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Limits describes
- the maximum amount of compute
- resources allowed. More info:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
@@ -4479,15 +8217,11 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Requests describes
- the minimum amount of compute
- resources required. If Requests
- is omitted for a container,
- it defaults to Limits if that
- is explicitly specified, otherwise
- to an implementation-defined
- value. Requests cannot exceed
- Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
selector:
@@ -4501,10 +8235,8 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values, a
- key, and an operator that
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
@@ -4513,89 +8245,60 @@ spec:
applies to.
type: string
operator:
- description: operator
- represents a key's relationship
- to a set of values.
- Valid operators are
- In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is
- an array of string values.
- If the operator is In
- or NotIn, the values
- array must be non-empty.
- If the operator is Exists
- or DoesNotExist, the
- values array must be
- empty. This array is
- replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in the
- matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
storageClassName:
- description: 'storageClassName is
- the name of the StorageClass required
- by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1'
+ description: |-
+ storageClassName is the name of the StorageClass required by the claim.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1
type: string
volumeAttributesClassName:
- description: 'volumeAttributesClassName
- may be used to set the VolumeAttributesClass
- used by this claim. If specified,
- the CSI driver will create or
- update the volume with the attributes
- defined in the corresponding VolumeAttributesClass.
- This has a different purpose than
- storageClassName, it can be changed
- after the claim is created. An
- empty string value means that
- no VolumeAttributesClass will
- be applied to the claim but it''s
- not allowed to reset this field
- to empty string once it is set.
- If unspecified and the PersistentVolumeClaim
- is unbound, the default VolumeAttributesClass
- will be set by the persistentvolume
- controller if it exists. If the
- resource referred to by volumeAttributesClass
- does not exist, this PersistentVolumeClaim
- will be set to a Pending state,
- as reflected by the modifyVolumeStatus
- field, until such as a resource
- exists. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass
- (Alpha) Using this field requires
- the VolumeAttributesClass feature
- gate to be enabled.'
+ description: |-
+ volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.
+ If specified, the CSI driver will create or update the volume with the attributes defined
+ in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName,
+ it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass
+ will be applied to the claim but it's not allowed to reset this field to empty string once it is set.
+ If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass
+ will be set by the persistentvolume controller if it exists.
+ If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
+ set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
+ exists.
+ More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/
+ (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).
type: string
volumeMode:
- description: volumeMode defines
- what type of volume is required
- by the claim. Value of Filesystem
- is implied when not included in
- claim spec.
+ description: |-
+ volumeMode defines what type of volume is required by the claim.
+ Value of Filesystem is implied when not included in claim spec.
type: string
volumeName:
description: volumeName is the binding
@@ -4613,13 +8316,10 @@ spec:
and then exposed to the pod.
properties:
fsType:
- description: 'fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified. TODO: how do
- we prevent errors in the filesystem from
- compromising the machine'
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
lun:
description: 'lun is Optional: FC target
@@ -4627,9 +8327,9 @@ spec:
format: int32
type: integer
readOnly:
- description: 'readOnly is Optional: Defaults
- to false (read/write). ReadOnly here will
- force the ReadOnly setting in VolumeMounts.'
+ description: |-
+ readOnly is Optional: Defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
type: boolean
targetWWNs:
description: 'targetWWNs is Optional: FC
@@ -4637,30 +8337,30 @@ spec:
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
wwids:
- description: 'wwids Optional: FC volume
- world wide identifiers (wwids) Either
- wwids or combination of targetWWNs and
- lun must be set, but not both simultaneously.'
+ description: |-
+ wwids Optional: FC volume world wide identifiers (wwids)
+ Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
type: object
flexVolume:
- description: flexVolume represents a generic
- volume resource that is provisioned/attached
- using an exec based plugin.
+ description: |-
+ flexVolume represents a generic volume resource that is
+ provisioned/attached using an exec based plugin.
properties:
driver:
description: driver is the name of the driver
to use for this volume.
type: string
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". The default filesystem
- depends on FlexVolume script.
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.
type: string
options:
additionalProperties:
@@ -4669,24 +8369,26 @@ spec:
field holds extra command options if any.'
type: object
readOnly:
- description: 'readOnly is Optional: defaults
- to false (read/write). ReadOnly here will
- force the ReadOnly setting in VolumeMounts.'
+ description: |-
+ readOnly is Optional: defaults to false (read/write). ReadOnly here will force
+ the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
- description: 'secretRef is Optional: secretRef
- is reference to the secret object containing
- sensitive information to pass to the plugin
- scripts. This may be empty if no secret
- object is specified. If the secret object
- contains more than one secret, all secrets
- are passed to the plugin scripts.'
+ description: |-
+ secretRef is Optional: secretRef is reference to the secret object containing
+ sensitive information to pass to the plugin scripts. This may be
+ empty if no secret object is specified. If the secret object
+ contains more than one secret, all secrets are passed to the plugin
+ scripts.
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
@@ -4700,10 +8402,9 @@ spec:
running
properties:
datasetName:
- description: datasetName is Name of the
- dataset stored as metadata -> name on
- the dataset for Flocker should be considered
- as deprecated
+ description: |-
+ datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker
+ should be considered as deprecated
type: string
datasetUUID:
description: datasetUUID is the UUID of
@@ -4712,62 +8413,54 @@ spec:
type: string
type: object
gcePersistentDisk:
- description: 'gcePersistentDisk represents a
- GCE Disk resource that is attached to a kubelet''s
- host machine and then exposed to the pod.
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ gcePersistentDisk represents a GCE Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
properties:
fsType:
- description: 'fsType is filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
type: string
partition:
- description: 'partition is the partition
- in the volume that you want to mount.
- If omitted, the default is to mount by
- volume name. Examples: For volume /dev/sda1,
- you specify the partition as "1". Similarly,
- the volume partition for /dev/sda is "0"
- (or you can leave the property empty).
- More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ partition is the partition in the volume that you want to mount.
+ If omitted, the default is to mount by volume name.
+ Examples: For volume /dev/sda1, you specify the partition as "1".
+ Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
format: int32
type: integer
pdName:
- description: 'pdName is unique name of the
- PD resource in GCE. Used to identify the
- disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: string
readOnly:
- description: 'readOnly here will force the
- ReadOnly setting in VolumeMounts. Defaults
- to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk'
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
type: boolean
required:
- pdName
type: object
gitRepo:
- description: 'gitRepo represents a git repository
- at a particular revision. DEPRECATED: GitRepo
- is deprecated. To provision a container with
- a git repo, mount an EmptyDir into an InitContainer
- that clones the repo using git, then mount
- the EmptyDir into the Pod''s container.'
+ description: |-
+ gitRepo represents a git repository at a particular revision.
+ DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an
+ EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir
+ into the Pod's container.
properties:
directory:
- description: directory is the target directory
- name. Must not contain or start with '..'. If
- '.' is supplied, the volume directory
- will be the git repository. Otherwise,
- if specified, the volume will contain
- the git repository in the subdirectory
- with the given name.
+ description: |-
+ directory is the target directory name.
+ Must not contain or start with '..'. If '.' is supplied, the volume directory will be the
+ git repository. Otherwise, if specified, the volume will contain the git repository in
+ the subdirectory with the given name.
type: string
repository:
description: repository is the URL
@@ -4780,59 +8473,93 @@ spec:
- repository
type: object
glusterfs:
- description: 'glusterfs represents a Glusterfs
- mount on the host that shares a pod''s lifetime.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md'
+ description: |-
+ glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md
properties:
endpoints:
- description: 'endpoints is the endpoint
- name that details Glusterfs topology.
- More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
+ description: |-
+ endpoints is the endpoint name that details Glusterfs topology.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
path:
- description: 'path is the Glusterfs volume
- path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
+ description: |-
+ path is the Glusterfs volume path.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: string
readOnly:
- description: 'readOnly here will force the
- Glusterfs volume to be mounted with read-only
- permissions. Defaults to false. More info:
- https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod'
+ description: |-
+ readOnly here will force the Glusterfs volume to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod
type: boolean
required:
- endpoints
- path
type: object
hostPath:
- description: 'hostPath represents a pre-existing
- file or directory on the host machine that
- is directly exposed to the container. This
- is generally used for system agents or other
- privileged things that are allowed to see
- the host machine. Most containers will NOT
- need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
- --- TODO(jonesdl) We need to restrict who
- can use host directory mounts and who can/can
- not mount host directories as read/write.'
+ description: |-
+ hostPath represents a pre-existing file or directory on the host
+ machine that is directly exposed to the container. This is generally
+ used for system agents or other privileged things that are allowed
+ to see the host machine. Most containers will NOT need this.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
properties:
path:
- description: 'path of the directory on the
- host. If the path is a symlink, it will
- follow the link to the real path. More
- info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'
+ description: |-
+ path of the directory on the host.
+ If the path is a symlink, it will follow the link to the real path.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
type:
- description: 'type for HostPath Volume Defaults
- to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath'
+ description: |-
+ type for HostPath Volume
+ Defaults to ""
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
type: string
required:
- path
type: object
+ image:
+ description: |-
+ image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine.
+ The volume is resolved at pod startup depending on which PullPolicy value is provided:
+
+ - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+
+ The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation.
+ A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message.
+ The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field.
+ The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images.
+ The volume will be mounted read-only (ro) and non-executable files (noexec).
+ Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath).
+ The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type.
+ properties:
+ pullPolicy:
+ description: |-
+ Policy for pulling OCI objects. Possible values are:
+ Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+ IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+ Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+ type: string
+ reference:
+ description: |-
+ Required: Image or artifact reference to be used.
+ Behaves in the same way as pod.spec.containers[*].image.
+ Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+ More info: https://kubernetes.io/docs/concepts/containers/images
+ This field is optional to allow higher level config management to default or override
+ container images in workload controllers like Deployments and StatefulSets.
+ type: string
+ type: object
iscsi:
- description: 'iscsi represents an ISCSI Disk
- resource that is attached to a kubelet''s
- host machine and then exposed to the pod.
- More info: https://examples.k8s.io/volumes/iscsi/README.md'
+ description: |-
+ iscsi represents an ISCSI Disk resource that is attached to a
+ kubelet's host machine and then exposed to the pod.
+ More info: https://examples.k8s.io/volumes/iscsi/README.md
properties:
chapAuthDiscovery:
description: chapAuthDiscovery defines whether
@@ -4843,31 +8570,27 @@ spec:
support iSCSI Session CHAP authentication
type: boolean
fsType:
- description: 'fsType is the filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
type: string
initiatorName:
- description: initiatorName is the custom
- iSCSI Initiator Name. If initiatorName
- is specified with iscsiInterface simultaneously,
- new iSCSI interface : will be created for the connection.
+ description: |-
+ initiatorName is the custom iSCSI Initiator Name.
+ If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface
+ : will be created for the connection.
type: string
iqn:
description: iqn is the target iSCSI Qualified
Name.
type: string
iscsiInterface:
- description: iscsiInterface is the interface
- Name that uses an iSCSI transport. Defaults
- to 'default' (tcp).
+ default: default
+ description: |-
+ iscsiInterface is the interface Name that uses an iSCSI transport.
+ Defaults to 'default' (tcp).
type: string
lun:
description: lun represents iSCSI Target
@@ -4875,35 +8598,37 @@ spec:
format: int32
type: integer
portals:
- description: portals is the iSCSI Target
- Portal List. The portal is either an IP
- or ip_addr:port if the port is other than
- default (typically TCP ports 860 and 3260).
+ description: |-
+ portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
readOnly:
- description: readOnly here will force the
- ReadOnly setting in VolumeMounts. Defaults
- to false.
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
type: boolean
secretRef:
description: secretRef is the CHAP Secret
for iSCSI target and initiator authentication
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
targetPortal:
- description: targetPortal is iSCSI Target
- Portal. The Portal is either an IP or
- ip_addr:port if the port is other than
- default (typically TCP ports 860 and 3260).
+ description: |-
+ targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port
+ is other than default (typically TCP ports 860 and 3260).
type: string
required:
- iqn
@@ -4911,48 +8636,51 @@ spec:
- targetPortal
type: object
name:
- description: 'name of the volume. Must be a
- DNS_LABEL and unique within the pod. More
- info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+ description: |-
+ name of the volume.
+ Must be a DNS_LABEL and unique within the pod.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
nfs:
- description: 'nfs represents an NFS mount on
- the host that shares a pod''s lifetime More
- info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ nfs represents an NFS mount on the host that shares a pod's lifetime
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
properties:
path:
- description: 'path that is exported by the
- NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ path that is exported by the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
readOnly:
- description: 'readOnly here will force the
- NFS export to be mounted with read-only
- permissions. Defaults to false. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ readOnly here will force the NFS export to be mounted with read-only permissions.
+ Defaults to false.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: boolean
server:
- description: 'server is the hostname or
- IP address of the NFS server. More info:
- https://kubernetes.io/docs/concepts/storage/volumes#nfs'
+ description: |-
+ server is the hostname or IP address of the NFS server.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs
type: string
required:
- path
- server
type: object
persistentVolumeClaim:
- description: 'persistentVolumeClaimVolumeSource
- represents a reference to a PersistentVolumeClaim
- in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+ description: |-
+ persistentVolumeClaimVolumeSource represents a reference to a
+ PersistentVolumeClaim in the same namespace.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
properties:
claimName:
- description: 'claimName is the name of a
- PersistentVolumeClaim in the same namespace
- as the pod using this volume. More info:
- https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims'
+ description: |-
+ claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims
type: string
readOnly:
- description: readOnly Will force the ReadOnly
- setting in VolumeMounts. Default false.
+ description: |-
+ readOnly Will force the ReadOnly setting in VolumeMounts.
+ Default false.
type: boolean
required:
- claimName
@@ -4963,11 +8691,10 @@ spec:
and mounted on kubelets host machine
properties:
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
pdID:
description: pdID is the ID that identifies
@@ -4982,15 +8709,14 @@ spec:
machine
properties:
fsType:
- description: fSType represents the filesystem
- type to mount Must be a filesystem type
- supported by the host operating system.
- Ex. "ext4", "xfs". Implicitly inferred
- to be "ext4" if unspecified.
+ description: |-
+ fSType represents the filesystem type to mount
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
- description: readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
volumeID:
@@ -5006,55 +8732,45 @@ spec:
API
properties:
defaultMode:
- description: defaultMode are the mode bits
- used to set permissions on created files
- by default. Must be an octal value between
- 0000 and 0777 or a decimal value between
- 0 and 511. YAML accepts both octal and
- decimal values, JSON requires decimal
- values for mode bits. Directories within
- the path are not affected by this setting.
- This might be in conflict with other options
- that affect the file mode, like fsGroup,
- and the result can be other mode bits
- set.
+ description: |-
+ defaultMode are the mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
sources:
- description: sources is the list of volume
- projections
+ description: |-
+ sources is the list of volume projections. Each entry in this list
+ handles one source.
items:
- description: Projection that may be projected
- along with other supported volume types
+ description: |-
+ Projection that may be projected along with other supported volume types.
+ Exactly one of these fields must be set.
properties:
clusterTrustBundle:
- description: "ClusterTrustBundle allows
- a pod to access the `.spec.trustBundle`
- field of ClusterTrustBundle objects
- in an auto-updating file. \n Alpha,
- gated by the ClusterTrustBundleProjection
- feature gate. \n ClusterTrustBundle
- objects can either be selected by
- name, or by the combination of signer
- name and a label selector. \n Kubelet
- performs aggressive normalization
- of the PEM contents written into
- the pod filesystem. Esoteric PEM
- features such as inter-block comments
- and block headers are stripped.
- \ Certificates are deduplicated.
- The ordering of certificates within
- the file is arbitrary, and Kubelet
- may change the order over time."
+ description: |-
+ ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field
+ of ClusterTrustBundle objects in an auto-updating file.
+
+ Alpha, gated by the ClusterTrustBundleProjection feature gate.
+
+ ClusterTrustBundle objects can either be selected by name, or by the
+ combination of signer name and a label selector.
+
+ Kubelet performs aggressive normalization of the PEM contents written
+ into the pod filesystem. Esoteric PEM features such as inter-block
+ comments and block headers are stripped. Certificates are deduplicated.
+ The ordering of certificates within the file is arbitrary, and Kubelet
+ may change the order over time.
properties:
labelSelector:
- description: Select all ClusterTrustBundles
- that match this label selector. Only
- has effect if signerName is
- set. Mutually-exclusive with
- name. If unset, interpreted
- as "match nothing". If set
- but empty, interpreted as "match
+ description: |-
+ Select all ClusterTrustBundles that match this label selector. Only has
+ effect if signerName is set. Mutually-exclusive with name. If unset,
+ interpreted as "match nothing". If set but empty, interpreted as "match
everything".
properties:
matchExpressions:
@@ -5063,12 +8779,9 @@ spec:
requirements. The requirements
are ANDed.
items:
- description: A label selector
- requirement is a selector
- that contains values,
- a key, and an operator
- that relates the key and
- values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is
@@ -5077,67 +8790,48 @@ spec:
to.
type: string
operator:
- description: operator
- represents a key's
- relationship to a
- set of values. Valid
- operators are In,
- NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values
- is an array of string
- values. If the operator
- is In or NotIn, the
- values array must
- be non-empty. If the
- operator is Exists
- or DoesNotExist, the
- values array must
- be empty. This array
- is replaced during
- a strategic merge
- patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is
- a map of {key,value} pairs.
- A single {key,value} in
- the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key",
- the operator is "In", and
- the values array contains
- only "value". The requirements
- are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
name:
- description: Select a single ClusterTrustBundle
- by object name. Mutually-exclusive
+ description: |-
+ Select a single ClusterTrustBundle by object name. Mutually-exclusive
with signerName and labelSelector.
type: string
optional:
- description: If true, don't block
- pod startup if the referenced
- ClusterTrustBundle(s) aren't
- available. If using name, then
- the named ClusterTrustBundle
- is allowed not to exist. If
- using signerName, then the combination
- of signerName and labelSelector
- is allowed to match zero ClusterTrustBundles.
+ description: |-
+ If true, don't block pod startup if the referenced ClusterTrustBundle(s)
+ aren't available. If using name, then the named ClusterTrustBundle is
+ allowed not to exist. If using signerName, then the combination of
+ signerName and labelSelector is allowed to match zero
+ ClusterTrustBundles.
type: boolean
path:
description: Relative path from
@@ -5145,11 +8839,10 @@ spec:
bundle.
type: string
signerName:
- description: Select all ClusterTrustBundles
- that match this signer name.
- Mutually-exclusive with name. The
- contents of all selected ClusterTrustBundles
- will be unified and deduplicated.
+ description: |-
+ Select all ClusterTrustBundles that match this signer name.
+ Mutually-exclusive with name. The contents of all selected
+ ClusterTrustBundles will be unified and deduplicated.
type: string
required:
- path
@@ -5159,23 +8852,14 @@ spec:
about the configMap data to project
properties:
items:
- description: items if unspecified,
- each key-value pair in the Data
- field of the referenced ConfigMap
- will be projected into the volume
- as a file whose name is the
- key and content is the value.
- If specified, the listed keys
- will be projected into the specified
- paths, and unlisted keys will
- not be present. If a key is
- specified which is not present
- in the ConfigMap, the volume
- setup will error unless it is
- marked optional. Paths must
- be relative and may not contain
- the '..' path or start with
- '..'.
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ ConfigMap will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the ConfigMap,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key
to a path within a volume.
@@ -5185,46 +8869,36 @@ spec:
key to project.
type: string
mode:
- description: 'mode is Optional:
- mode bits used to set
- permissions on this file.
- Must be an octal value
- between 0000 and 0777
- or a decimal value between
- 0 and 511. YAML accepts
- both octal and decimal
- values, JSON requires
- decimal values for mode
- bits. If not specified,
- the volume defaultMode
- will be used. This might
- be in conflict with other
- options that affect the
- file mode, like fsGroup,
- and the result can be
- other mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the
- relative path of the file
- to map the key to. May
- not be an absolute path.
- May not contain the path
- element '..'. May not
- start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
+ x-kubernetes-list-type: atomic
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields.
- apiVersion, kind, uid?'
type: string
optional:
description: optional specify
@@ -5250,8 +8924,8 @@ spec:
description: 'Required:
Selects a field of the
pod: only annotations,
- labels, name and namespace
- are supported.'
+ labels, name, namespace
+ and uid are supported.'
properties:
apiVersion:
description: Version
@@ -5271,24 +8945,13 @@ spec:
type: object
x-kubernetes-map-type: atomic
mode:
- description: 'Optional:
- mode bits used to set
- permissions on this file,
- must be an octal value
- between 0000 and 0777
- or a decimal value between
- 0 and 511. YAML accepts
- both octal and decimal
- values, JSON requires
- decimal values for mode
- bits. If not specified,
- the volume defaultMode
- will be used. This might
- be in conflict with other
- options that affect the
- file mode, like fsGroup,
- and the result can be
- other mode bits set.'
+ description: |-
+ Optional: mode bits used to set permissions on this file, must be an octal value
+ between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
@@ -5304,13 +8967,9 @@ spec:
''..'''
type: string
resourceFieldRef:
- description: 'Selects a
- resource of the container:
- only resources limits
- and requests (limits.cpu,
- limits.memory, requests.cpu
- and requests.memory) are
- currently supported.'
+ description: |-
+ Selects a resource of the container: only resources limits and requests
+ (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.
properties:
containerName:
description: 'Container
@@ -5340,28 +8999,21 @@ spec:
- path
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
secret:
description: secret information about
the secret data to project
properties:
items:
- description: items if unspecified,
- each key-value pair in the Data
- field of the referenced Secret
- will be projected into the volume
- as a file whose name is the
- key and content is the value.
- If specified, the listed keys
- will be projected into the specified
- paths, and unlisted keys will
- not be present. If a key is
- specified which is not present
- in the Secret, the volume setup
- will error unless it is marked
- optional. Paths must be relative
- and may not contain the '..'
- path or start with '..'.
+ description: |-
+ items if unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key
to a path within a volume.
@@ -5371,46 +9023,36 @@ spec:
key to project.
type: string
mode:
- description: 'mode is Optional:
- mode bits used to set
- permissions on this file.
- Must be an octal value
- between 0000 and 0777
- or a decimal value between
- 0 and 511. YAML accepts
- both octal and decimal
- values, JSON requires
- decimal values for mode
- bits. If not specified,
- the volume defaultMode
- will be used. This might
- be in conflict with other
- options that affect the
- file mode, like fsGroup,
- and the result can be
- other mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the
- relative path of the file
- to map the key to. May
- not be an absolute path.
- May not contain the path
- element '..'. May not
- start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
+ x-kubernetes-list-type: atomic
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields.
- apiVersion, kind, uid?'
type: string
optional:
description: optional field specify
@@ -5425,73 +9067,62 @@ spec:
data to project
properties:
audience:
- description: audience is the intended
- audience of the token. A recipient
- of a token must identify itself
- with an identifier specified
- in the audience of the token,
- and otherwise should reject
- the token. The audience defaults
- to the identifier of the apiserver.
+ description: |-
+ audience is the intended audience of the token. A recipient of a token
+ must identify itself with an identifier specified in the audience of the
+ token, and otherwise should reject the token. The audience defaults to the
+ identifier of the apiserver.
type: string
expirationSeconds:
- description: expirationSeconds
- is the requested duration of
- validity of the service account
- token. As the token approaches
- expiration, the kubelet volume
- plugin will proactively rotate
- the service account token. The
- kubelet will start trying to
- rotate the token if the token
- is older than 80 percent of
- its time to live or if the token
- is older than 24 hours.Defaults
- to 1 hour and must be at least
- 10 minutes.
+ description: |-
+ expirationSeconds is the requested duration of validity of the service
+ account token. As the token approaches expiration, the kubelet volume
+ plugin will proactively rotate the service account token. The kubelet will
+ start trying to rotate the token if the token is older than 80 percent of
+ its time to live or if the token is older than 24 hours.Defaults to 1 hour
+ and must be at least 10 minutes.
format: int64
type: integer
path:
- description: path is the path
- relative to the mount point
- of the file to project the token
- into.
+ description: |-
+ path is the path relative to the mount point of the file to project the
+ token into.
type: string
required:
- path
type: object
type: object
type: array
+ x-kubernetes-list-type: atomic
type: object
quobyte:
description: quobyte represents a Quobyte mount
on the host that shares a pod's lifetime
properties:
group:
- description: group to map volume access
- to Default is no group
+ description: |-
+ group to map volume access to
+ Default is no group
type: string
readOnly:
- description: readOnly here will force the
- Quobyte volume to be mounted with read-only
- permissions. Defaults to false.
+ description: |-
+ readOnly here will force the Quobyte volume to be mounted with read-only permissions.
+ Defaults to false.
type: boolean
registry:
- description: registry represents a single
- or multiple Quobyte Registry services
- specified as a string as host:port pair
- (multiple entries are separated with commas)
- which acts as the central registry for
- volumes
+ description: |-
+ registry represents a single or multiple Quobyte Registry services
+ specified as a string as host:port pair (multiple entries are separated with commas)
+ which acts as the central registry for volumes
type: string
tenant:
- description: tenant owning the given Quobyte
- volume in the Backend Used with dynamically
- provisioned Quobyte volumes, value is
- set by the plugin
+ description: |-
+ tenant owning the given Quobyte volume in the Backend
+ Used with dynamically provisioned Quobyte volumes, value is set by the plugin
type: string
user:
- description: user to map volume access to
+ description: |-
+ user to map volume access to
Defaults to serivceaccount user
type: string
volume:
@@ -5503,61 +9134,74 @@ spec:
- volume
type: object
rbd:
- description: 'rbd represents a Rados Block Device
- mount on the host that shares a pod''s lifetime.
- More info: https://examples.k8s.io/volumes/rbd/README.md'
+ description: |-
+ rbd represents a Rados Block Device mount on the host that shares a pod's lifetime.
+ More info: https://examples.k8s.io/volumes/rbd/README.md
properties:
fsType:
- description: 'fsType is the filesystem type
- of the volume that you want to mount.
- Tip: Ensure that the filesystem type is
- supported by the host operating system.
- Examples: "ext4", "xfs", "ntfs". Implicitly
- inferred to be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type of the volume that you want to mount.
+ Tip: Ensure that the filesystem type is supported by the host operating system.
+ Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd
- TODO: how do we prevent errors in the
- filesystem from compromising the machine'
type: string
image:
- description: 'image is the rados image name.
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ image is the rados image name.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
keyring:
- description: 'keyring is the path to key
- ring for RBDUser. Default is /etc/ceph/keyring.
- More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ default: /etc/ceph/keyring
+ description: |-
+ keyring is the path to key ring for RBDUser.
+ Default is /etc/ceph/keyring.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
monitors:
- description: 'monitors is a collection of
- Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ monitors is a collection of Ceph monitors.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
pool:
- description: 'pool is the rados pool name.
- Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ default: rbd
+ description: |-
+ pool is the rados pool name.
+ Default is rbd.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
readOnly:
- description: 'readOnly here will force the
- ReadOnly setting in VolumeMounts. Defaults
- to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ readOnly here will force the ReadOnly setting in VolumeMounts.
+ Defaults to false.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: boolean
secretRef:
- description: 'secretRef is name of the authentication
- secret for RBDUser. If provided overrides
- keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ description: |-
+ secretRef is name of the authentication secret for RBDUser. If provided
+ overrides keyring.
+ Default is nil.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
user:
- description: 'user is the rados user name.
- Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it'
+ default: admin
+ description: |-
+ user is the rados user name.
+ Default is admin.
+ More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it
type: string
required:
- image
@@ -5569,10 +9213,12 @@ spec:
nodes.
properties:
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Default is "xfs".
+ default: xfs
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs".
+ Default is "xfs".
type: string
gateway:
description: gateway is the host address
@@ -5584,21 +9230,23 @@ spec:
configured storage.
type: string
readOnly:
- description: readOnly Defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly Defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
- description: secretRef references to the
- secret for ScaleIO user and other sensitive
- information. If this is not provided,
- Login operation will fail.
+ description: |-
+ secretRef references to the secret for ScaleIO user and other
+ sensitive information. If this is not provided, Login operation will fail.
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
@@ -5608,9 +9256,10 @@ spec:
false
type: boolean
storageMode:
- description: storageMode indicates whether
- the storage for a volume should be ThickProvisioned
- or ThinProvisioned. Default is ThinProvisioned.
+ default: ThinProvisioned
+ description: |-
+ storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned.
+ Default is ThinProvisioned.
type: string
storagePool:
description: storagePool is the ScaleIO
@@ -5622,10 +9271,9 @@ spec:
system as configured in ScaleIO.
type: string
volumeName:
- description: volumeName is the name of a
- volume already created in the ScaleIO
- system that is associated with this volume
- source.
+ description: |-
+ volumeName is the name of a volume already created in the ScaleIO system
+ that is associated with this volume source.
type: string
required:
- gateway
@@ -5633,38 +9281,30 @@ spec:
- system
type: object
secret:
- description: 'secret represents a secret that
- should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+ description: |-
+ secret represents a secret that should populate this volume.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
properties:
defaultMode:
- description: 'defaultMode is Optional: mode
- bits used to set permissions on created
- files by default. Must be an octal value
- between 0000 and 0777 or a decimal value
- between 0 and 511. YAML accepts both octal
- and decimal values, JSON requires decimal
- values for mode bits. Defaults to 0644.
- Directories within the path are not affected
- by this setting. This might be in conflict
- with other options that affect the file
- mode, like fsGroup, and the result can
- be other mode bits set.'
+ description: |-
+ defaultMode is Optional: mode bits used to set permissions on created files by default.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values
+ for mode bits. Defaults to 0644.
+ Directories within the path are not affected by this setting.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
items:
- description: items If unspecified, each
- key-value pair in the Data field of the
- referenced Secret will be projected into
- the volume as a file whose name is the
- key and content is the value. If specified,
- the listed keys will be projected into
- the specified paths, and unlisted keys
- will not be present. If a key is specified
- which is not present in the Secret, the
- volume setup will error unless it is marked
- optional. Paths must be relative and may
- not contain the '..' path or start with
- '..'.
+ description: |-
+ items If unspecified, each key-value pair in the Data field of the referenced
+ Secret will be projected into the volume as a file whose name is the
+ key and content is the value. If specified, the listed keys will be
+ projected into the specified paths, and unlisted keys will not be
+ present. If a key is specified which is not present in the Secret,
+ the volume setup will error unless it is marked optional. Paths must be
+ relative and may not contain the '..' path or start with '..'.
items:
description: Maps a string key to a path
within a volume.
@@ -5673,42 +9313,36 @@ spec:
description: key is the key to project.
type: string
mode:
- description: 'mode is Optional: mode
- bits used to set permissions on
- this file. Must be an octal value
- between 0000 and 0777 or a decimal
- value between 0 and 511. YAML accepts
- both octal and decimal values, JSON
- requires decimal values for mode
- bits. If not specified, the volume
- defaultMode will be used. This might
- be in conflict with other options
- that affect the file mode, like
- fsGroup, and the result can be other
- mode bits set.'
+ description: |-
+ mode is Optional: mode bits used to set permissions on this file.
+ Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
+ YAML accepts both octal and decimal values, JSON requires decimal values for mode bits.
+ If not specified, the volume defaultMode will be used.
+ This might be in conflict with other options that affect the file
+ mode, like fsGroup, and the result can be other mode bits set.
format: int32
type: integer
path:
- description: path is the relative
- path of the file to map the key
- to. May not be an absolute path.
- May not contain the path element
- '..'. May not start with the string
- '..'.
+ description: |-
+ path is the relative path of the file to map the key to.
+ May not be an absolute path.
+ May not contain the path element '..'.
+ May not start with the string '..'.
type: string
required:
- key
- path
type: object
type: array
+ x-kubernetes-list-type: atomic
optional:
description: optional field specify whether
the Secret or its keys must be defined
type: boolean
secretName:
- description: 'secretName is the name of
- the secret in the pod''s namespace to
- use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret'
+ description: |-
+ secretName is the name of the secret in the pod's namespace to use.
+ More info: https://kubernetes.io/docs/concepts/storage/volumes#secret
type: string
type: object
storageos:
@@ -5717,48 +9351,45 @@ spec:
nodes.
properties:
fsType:
- description: fsType is the filesystem type
- to mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ description: |-
+ fsType is the filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
readOnly:
- description: readOnly defaults to false
- (read/write). ReadOnly here will force
+ description: |-
+ readOnly defaults to false (read/write). ReadOnly here will force
the ReadOnly setting in VolumeMounts.
type: boolean
secretRef:
- description: secretRef specifies the secret
- to use for obtaining the StorageOS API
- credentials. If not specified, default
- values will be attempted.
+ description: |-
+ secretRef specifies the secret to use for obtaining the StorageOS API
+ credentials. If not specified, default values will be attempted.
properties:
name:
- description: 'Name of the referent.
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
- TODO: Add other useful fields. apiVersion,
- kind, uid?'
type: string
type: object
x-kubernetes-map-type: atomic
volumeName:
- description: volumeName is the human-readable
- name of the StorageOS volume. Volume
+ description: |-
+ volumeName is the human-readable name of the StorageOS volume. Volume
names are only unique within a namespace.
type: string
volumeNamespace:
- description: volumeNamespace specifies the
- scope of the volume within StorageOS. If
- no namespace is specified then the Pod's
- namespace will be used. This allows the
- Kubernetes name scoping to be mirrored
- within StorageOS for tighter integration.
- Set VolumeName to any name to override
- the default behaviour. Set to "default"
- if you are not using namespaces within
- StorageOS. Namespaces that do not pre-exist
- within StorageOS will be created.
+ description: |-
+ volumeNamespace specifies the scope of the volume within StorageOS. If no
+ namespace is specified then the Pod's namespace will be used. This allows the
+ Kubernetes name scoping to be mirrored within StorageOS for tighter integration.
+ Set VolumeName to any name to override the default behaviour.
+ Set to "default" if you are not using namespaces within StorageOS.
+ Namespaces that do not pre-exist within StorageOS will be created.
type: string
type: object
vsphereVolume:
@@ -5767,11 +9398,10 @@ spec:
machine
properties:
fsType:
- description: fsType is filesystem type to
- mount. Must be a filesystem type supported
- by the host operating system. Ex. "ext4",
- "xfs", "ntfs". Implicitly inferred to
- be "ext4" if unspecified.
+ description: |-
+ fsType is filesystem type to mount.
+ Must be a filesystem type supported by the host operating system.
+ Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
type: string
storagePolicyID:
description: storagePolicyID is the storage
@@ -5805,49 +9435,42 @@ spec:
existing pods with new ones.
properties:
rollingUpdate:
- description: 'Rolling update config params. Present
- only if DeploymentStrategyType = RollingUpdate.
- --- TODO: Update this to follow our convention for
- oneOf, whatever we decide it to be.'
+ description: |-
+ Rolling update config params. Present only if DeploymentStrategyType =
+ RollingUpdate.
properties:
maxSurge:
anyOf:
- type: integer
- type: string
- description: 'The maximum number of pods that
- can be scheduled above the desired number of
- pods. Value can be an absolute number (ex: 5)
- or a percentage of desired pods (ex: 10%). This
- can not be 0 if MaxUnavailable is 0. Absolute
- number is calculated from percentage by rounding
- up. Defaults to 25%. Example: when this is set
- to 30%, the new ReplicaSet can be scaled up
- immediately when the rolling update starts,
- such that the total number of old and new pods
- do not exceed 130% of desired pods. Once old
- pods have been killed, new ReplicaSet can be
- scaled up further, ensuring that total number
- of pods running at any time during the update
- is at most 130% of desired pods.'
+ description: |-
+ The maximum number of pods that can be scheduled above the desired number of
+ pods.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ This can not be 0 if MaxUnavailable is 0.
+ Absolute number is calculated from percentage by rounding up.
+ Defaults to 25%.
+ Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when
+ the rolling update starts, such that the total number of old and new pods do not exceed
+ 130% of desired pods. Once old pods have been killed,
+ new ReplicaSet can be scaled up further, ensuring that total number of pods running
+ at any time during the update is at most 130% of desired pods.
x-kubernetes-int-or-string: true
maxUnavailable:
anyOf:
- type: integer
- type: string
- description: 'The maximum number of pods that
- can be unavailable during the update. Value
- can be an absolute number (ex: 5) or a percentage
- of desired pods (ex: 10%). Absolute number is
- calculated from percentage by rounding down.
- This can not be 0 if MaxSurge is 0. Defaults
- to 25%. Example: when this is set to 30%, the
- old ReplicaSet can be scaled down to 70% of
- desired pods immediately when the rolling update
- starts. Once new pods are ready, old ReplicaSet
- can be scaled down further, followed by scaling
- up the new ReplicaSet, ensuring that the total
- number of pods available at all times during
- the update is at least 70% of desired pods.'
+ description: |-
+ The maximum number of pods that can be unavailable during the update.
+ Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
+ Absolute number is calculated from percentage by rounding down.
+ This can not be 0 if MaxSurge is 0.
+ Defaults to 25%.
+ Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods
+ immediately when the rolling update starts. Once new pods are ready, old ReplicaSet
+ can be scaled down further, followed by scaling up the new ReplicaSet, ensuring
+ that the total number of pods available at all times during the update is at
+ least 70% of desired pods.
x-kubernetes-int-or-string: true
type: object
type:
@@ -5857,40 +9480,37 @@ spec:
type: object
type: object
envoyHpa:
- description: EnvoyHpa defines the Horizontal Pod Autoscaler
- settings for Envoy Proxy Deployment. Once the HPA is being
- set, Replicas field from EnvoyDeployment will be ignored.
+ description: |-
+ EnvoyHpa defines the Horizontal Pod Autoscaler settings for Envoy Proxy Deployment.
+ Once the HPA is being set, Replicas field from EnvoyDeployment will be ignored.
properties:
behavior:
- description: behavior configures the scaling behavior
- of the target in both Up and Down directions (scaleUp
- and scaleDown fields respectively). If not set, the
- default HPAScalingRules for scale up and scale down
- are used. See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior.
+ description: |-
+ behavior configures the scaling behavior of the target
+ in both Up and Down directions (scaleUp and scaleDown fields respectively).
+ If not set, the default HPAScalingRules for scale up and scale down are used.
+ See k8s.io.autoscaling.v2.HorizontalPodAutoScalerBehavior.
properties:
scaleDown:
- description: scaleDown is scaling policy for scaling
- Down. If not set, the default value is to allow
- to scale down to minReplicas pods, with a 300 second
- stabilization window (i.e., the highest recommendation
- for the last 300sec is used).
+ description: |-
+ scaleDown is scaling policy for scaling Down.
+ If not set, the default value is to allow to scale down to minReplicas pods, with a
+ 300 second stabilization window (i.e., the highest recommendation for
+ the last 300sec is used).
properties:
policies:
- description: policies is a list of potential scaling
- polices which can be used during scaling. At
- least one policy must be specified, otherwise
- the HPAScalingRules will be discarded as invalid
+ description: |-
+ policies is a list of potential scaling polices which can be used during scaling.
+ At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past
interval.
properties:
periodSeconds:
- description: periodSeconds specifies the
- window of time for which the policy should
- hold true. PeriodSeconds must be greater
- than zero and less than or equal to 1800
- (30 min).
+ description: |-
+ periodSeconds specifies the window of time for which the policy should hold true.
+ PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
format: int32
type: integer
type:
@@ -5898,8 +9518,8 @@ spec:
scaling policy.
type: string
value:
- description: value contains the amount of
- change which is permitted by the policy.
+ description: |-
+ value contains the amount of change which is permitted by the policy.
It must be greater than zero
format: int32
type: integer
@@ -5911,46 +9531,42 @@ spec:
type: array
x-kubernetes-list-type: atomic
selectPolicy:
- description: selectPolicy is used to specify which
- policy should be used. If not set, the default
- value Max is used.
+ description: |-
+ selectPolicy is used to specify which policy should be used.
+ If not set, the default value Max is used.
type: string
stabilizationWindowSeconds:
- description: 'stabilizationWindowSeconds is the
- number of seconds for which past recommendations
- should be considered while scaling up or scaling
- down. StabilizationWindowSeconds must be greater
- than or equal to zero and less than or equal
- to 3600 (one hour). If not set, use the default
- values: - For scale up: 0 (i.e. no stabilization
- is done). - For scale down: 300 (i.e. the stabilization
- window is 300 seconds long).'
+ description: |-
+ stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+ considered while scaling up or scaling down.
+ StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+ If not set, use the default values:
+ - For scale up: 0 (i.e. no stabilization is done).
+ - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
format: int32
type: integer
type: object
scaleUp:
- description: 'scaleUp is scaling policy for scaling
- Up. If not set, the default value is the higher
- of: * increase no more than 4 pods per 60 seconds
- * double the number of pods per 60 seconds No stabilization
- is used.'
+ description: |-
+ scaleUp is scaling policy for scaling Up.
+ If not set, the default value is the higher of:
+ * increase no more than 4 pods per 60 seconds
+ * double the number of pods per 60 seconds
+ No stabilization is used.
properties:
policies:
- description: policies is a list of potential scaling
- polices which can be used during scaling. At
- least one policy must be specified, otherwise
- the HPAScalingRules will be discarded as invalid
+ description: |-
+ policies is a list of potential scaling polices which can be used during scaling.
+ At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid
items:
description: HPAScalingPolicy is a single policy
which must hold true for a specified past
interval.
properties:
periodSeconds:
- description: periodSeconds specifies the
- window of time for which the policy should
- hold true. PeriodSeconds must be greater
- than zero and less than or equal to 1800
- (30 min).
+ description: |-
+ periodSeconds specifies the window of time for which the policy should hold true.
+ PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min).
format: int32
type: integer
type:
@@ -5958,8 +9574,8 @@ spec:
scaling policy.
type: string
value:
- description: value contains the amount of
- change which is permitted by the policy.
+ description: |-
+ value contains the amount of change which is permitted by the policy.
It must be greater than zero
format: int32
type: integer
@@ -5971,55 +9587,50 @@ spec:
type: array
x-kubernetes-list-type: atomic
selectPolicy:
- description: selectPolicy is used to specify which
- policy should be used. If not set, the default
- value Max is used.
+ description: |-
+ selectPolicy is used to specify which policy should be used.
+ If not set, the default value Max is used.
type: string
stabilizationWindowSeconds:
- description: 'stabilizationWindowSeconds is the
- number of seconds for which past recommendations
- should be considered while scaling up or scaling
- down. StabilizationWindowSeconds must be greater
- than or equal to zero and less than or equal
- to 3600 (one hour). If not set, use the default
- values: - For scale up: 0 (i.e. no stabilization
- is done). - For scale down: 300 (i.e. the stabilization
- window is 300 seconds long).'
+ description: |-
+ stabilizationWindowSeconds is the number of seconds for which past recommendations should be
+ considered while scaling up or scaling down.
+ StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour).
+ If not set, use the default values:
+ - For scale up: 0 (i.e. no stabilization is done).
+ - For scale down: 300 (i.e. the stabilization window is 300 seconds long).
format: int32
type: integer
type: object
type: object
maxReplicas:
- description: maxReplicas is the upper limit for the number
- of replicas to which the autoscaler can scale up. It
- cannot be less that minReplicas.
+ description: |-
+ maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up.
+ It cannot be less that minReplicas.
format: int32
type: integer
x-kubernetes-validations:
- message: maxReplicas must be greater than 0
rule: self > 0
metrics:
- description: metrics contains the specifications for which
- to use to calculate the desired replica count (the maximum
- replica count across all metrics will be used). If left
- empty, it defaults to being based on CPU utilization
- with average on 80% usage.
+ description: |-
+ metrics contains the specifications for which to use to calculate the
+ desired replica count (the maximum replica count across all metrics will
+ be used).
+ If left empty, it defaults to being based on CPU utilization with average on 80% usage.
items:
- description: MetricSpec specifies how to scale based
- on a single metric (only `type` and one other matching
- field should be set at once).
+ description: |-
+ MetricSpec specifies how to scale based on a single metric
+ (only `type` and one other matching field should be set at once).
properties:
containerResource:
- description: containerResource refers to a resource
- metric (such as those specified in requests and
- limits) known to Kubernetes describing a single
- container in each pod of the current scale target
- (e.g. CPU or memory). Such metrics are built in
- to Kubernetes, and have special scaling options
- on top of those available to normal per-pod metrics
- using the "pods" source. This is an alpha feature
- and can be enabled by the HPAContainerMetrics
- feature flag.
+ description: |-
+ containerResource refers to a resource metric (such as those specified in
+ requests and limits) known to Kubernetes describing a single container in
+ each pod of the current scale target (e.g. CPU or memory). Such metrics are
+ built in to Kubernetes, and have special scaling options on top of those
+ available to normal per-pod metrics using the "pods" source.
+ This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag.
properties:
container:
description: container is the name of the container
@@ -6034,22 +9645,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6074,12 +9683,12 @@ spec:
- target
type: object
external:
- description: external refers to a global metric
- that is not associated with any Kubernetes object.
- It allows autoscaling based on information coming
- from components running outside of cluster (for
- example length of queue in cloud messaging service,
- or QPS from loadbalancer running outside of cluster).
+ description: |-
+ external refers to a global metric that is not associated
+ with any Kubernetes object. It allows autoscaling based on information
+ coming from components running outside of cluster
+ (for example length of queue in cloud messaging service, or
+ QPS from loadbalancer running outside of cluster).
properties:
metric:
description: metric identifies the target metric
@@ -6090,23 +9699,19 @@ spec:
metric
type: string
selector:
- description: selector is the string-encoded
- form of a standard kubernetes label selector
- for the given metric When set, it is passed
- as an additional parameter to the metrics
- server for more specific metrics scoping.
- When unset, just the metricName will be
- used to gather metrics.
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -6114,39 +9719,33 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty.
- This array is replaced during
- a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of
- {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are
- ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6158,22 +9757,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6197,9 +9794,9 @@ spec:
- target
type: object
object:
- description: object refers to a metric describing
- a single kubernetes object (for example, hits-per-second
- on an Ingress object).
+ description: |-
+ object refers to a metric describing a single kubernetes object
+ (for example, hits-per-second on an Ingress object).
properties:
describedObject:
description: describedObject specifies the descriptions
@@ -6230,23 +9827,19 @@ spec:
metric
type: string
selector:
- description: selector is the string-encoded
- form of a standard kubernetes label selector
- for the given metric When set, it is passed
- as an additional parameter to the metrics
- server for more specific metrics scoping.
- When unset, just the metricName will be
- used to gather metrics.
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -6254,39 +9847,33 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty.
- This array is replaced during
- a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of
- {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are
- ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6298,22 +9885,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6338,11 +9923,10 @@ spec:
- target
type: object
pods:
- description: pods refers to a metric describing
- each pod in the current scale target (for example,
- transactions-processed-per-second). The values
- will be averaged together before being compared
- to the target value.
+ description: |-
+ pods refers to a metric describing each pod in the current scale target
+ (for example, transactions-processed-per-second). The values will be
+ averaged together before being compared to the target value.
properties:
metric:
description: metric identifies the target metric
@@ -6353,23 +9937,19 @@ spec:
metric
type: string
selector:
- description: selector is the string-encoded
- form of a standard kubernetes label selector
- for the given metric When set, it is passed
- as an additional parameter to the metrics
- server for more specific metrics scoping.
- When unset, just the metricName will be
- used to gather metrics.
+ description: |-
+ selector is the string-encoded form of a standard kubernetes label selector for the given metric
+ When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping.
+ When unset, just the metricName will be used to gather metrics.
properties:
matchExpressions:
description: matchExpressions is a list
of label selector requirements. The
requirements are ANDed.
items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
properties:
key:
description: key is the label
@@ -6377,39 +9957,33 @@ spec:
to.
type: string
operator:
- description: operator represents
- a key's relationship to a set
- of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
- description: values is an array
- of string values. If the operator
- is In or NotIn, the values array
- must be non-empty. If the operator
- is Exists or DoesNotExist, the
- values array must be empty.
- This array is replaced during
- a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
+ x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
+ x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
- description: matchLabels is a map of
- {key,value} pairs. A single {key,value}
- in the matchLabels map is equivalent
- to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are
- ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
@@ -6421,22 +9995,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6460,13 +10032,12 @@ spec:
- target
type: object
resource:
- description: resource refers to a resource metric
- (such as those specified in requests and limits)
- known to Kubernetes describing each pod in the
- current scale target (e.g. CPU or memory). Such
- metrics are built in to Kubernetes, and have special
- scaling options on top of those available to normal
- per-pod metrics using the "pods" source.
+ description: |-
+ resource refers to a resource metric (such as those specified in
+ requests and limits) known to Kubernetes describing each pod in the
+ current scale target (e.g. CPU or memory). Such metrics are built in to
+ Kubernetes, and have special scaling options on top of those available
+ to normal per-pod metrics using the "pods" source.
properties:
name:
description: name is the name of the resource
@@ -6477,22 +10048,20 @@ spec:
for the given metric
properties:
averageUtilization:
- description: averageUtilization is the target
- value of the average of the resource metric
- across all relevant pods, represented
- as a percentage of the requested value
- of the resource for the pods. Currently
- only valid for Resource metric source
- type
+ description: |-
+ averageUtilization is the target value of the average of the
+ resource metric across all relevant pods, represented as a percentage of
+ the requested value of the resource for the pods.
+ Currently only valid for Resource metric source type
format: int32
type: integer
averageValue:
anyOf:
- type: integer
- type: string
- description: averageValue is the target
- value of the average of the metric across
- all relevant pods (as a quantity)
+ description: |-
+ averageValue is the target value of the average of the
+ metric across all relevant pods (as a quantity)
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
type:
@@ -6516,21 +10085,20 @@ spec:
- target
type: object
type:
- description: 'type is the type of metric source. It
- should be one of "ContainerResource", "External",
- "Object", "Pods" or "Resource", each mapping to
- a matching field in the object. Note: "ContainerResource"
- type is available on when the feature-gate HPAContainerMetrics
- is enabled'
+ description: |-
+ type is the type of metric source. It should be one of "ContainerResource", "External",
+ "Object", "Pods" or "Resource", each mapping to a matching field in the object.
+ Note: "ContainerResource" type is available on when the feature-gate
+ HPAContainerMetrics is enabled
type: string
required:
- type
type: object
type: array
minReplicas:
- description: minReplicas is the lower limit for the number
- of replicas to which the autoscaler can scale down.
- It defaults to 1 replica.
+ description: |-
+ minReplicas is the lower limit for the number of replicas to which the autoscaler
+ can scale down. It defaults to 1 replica.
format: int32
type: integer
x-kubernetes-validations:
@@ -6542,65 +10110,95 @@ spec:
x-kubernetes-validations:
- message: maxReplicas cannot be less than minReplicas
rule: '!has(self.minReplicas) || self.maxReplicas >= self.minReplicas'
+ envoyPDB:
+ description: EnvoyPDB allows to control the pod disruption
+ budget of an Envoy Proxy.
+ properties:
+ minAvailable:
+ description: |-
+ MinAvailable specifies the minimum number of pods that must be available at all times during voluntary disruptions,
+ such as node drains or updates. This setting ensures that your envoy proxy maintains a certain level of availability
+ and resilience during maintenance operations.
+ format: int32
+ type: integer
+ type: object
envoyService:
- description: EnvoyService defines the desired state of the
- Envoy service resource. If unspecified, default settings
- for the managed Envoy service resource are applied.
+ description: |-
+ EnvoyService defines the desired state of the Envoy service resource.
+ If unspecified, default settings for the managed Envoy service resource
+ are applied.
properties:
allocateLoadBalancerNodePorts:
- description: AllocateLoadBalancerNodePorts defines if
- NodePorts will be automatically allocated for services
- with type LoadBalancer. Default is "true". It may be
- set to "false" if the cluster load-balancer does not
- rely on NodePorts. If the caller requests specific NodePorts
- (by specifying a value), those requests will be respected,
- regardless of this field. This field may only be set
- for services with type LoadBalancer and will be cleared
- if the type is changed to any other type.
+ description: |-
+ AllocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for
+ services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster
+ load-balancer does not rely on NodePorts. If the caller requests specific NodePorts (by specifying a
+ value), those requests will be respected, regardless of this field. This field may only be set for
+ services with type LoadBalancer and will be cleared if the type is changed to any other type.
type: boolean
annotations:
additionalProperties:
type: string
- description: Annotations that should be appended to the
- service. By default, no annotations are appended.
+ description: |-
+ Annotations that should be appended to the service.
+ By default, no annotations are appended.
type: object
externalTrafficPolicy:
default: Local
- description: ExternalTrafficPolicy determines the externalTrafficPolicy
- for the Envoy Service. Valid options are Local and Cluster.
- Default is "Local". "Local" means traffic will only
- go to pods on the node receiving the traffic. "Cluster"
- means connections are loadbalanced to all pods in the
- cluster.
+ description: |-
+ ExternalTrafficPolicy determines the externalTrafficPolicy for the Envoy Service. Valid options
+ are Local and Cluster. Default is "Local". "Local" means traffic will only go to pods on the node
+ receiving the traffic. "Cluster" means connections are loadbalanced to all pods in the cluster.
enum:
- Local
- Cluster
type: string
+ labels:
+ additionalProperties:
+ type: string
+ description: |-
+ Labels that should be appended to the service.
+ By default, no labels are appended.
+ type: object
loadBalancerClass:
- description: LoadBalancerClass, when specified, allows
- for choosing the LoadBalancer provider implementation
- if more than one are available or is otherwise expected
- to be specified
+ description: |-
+ LoadBalancerClass, when specified, allows for choosing the LoadBalancer provider
+ implementation if more than one are available or is otherwise expected to be specified
type: string
loadBalancerIP:
- description: LoadBalancerIP defines the IP Address of
- the underlying load balancer service. This field may
- be ignored if the load balancer provider does not support
- this feature. This field has been deprecated in Kubernetes,
- but it is still used for setting the IP Address in some
- cloud providers such as GCP.
+ description: |-
+ LoadBalancerIP defines the IP Address of the underlying load balancer service. This field
+ may be ignored if the load balancer provider does not support this feature.
+ This field has been deprecated in Kubernetes, but it is still used for setting the IP Address in some cloud
+ providers such as GCP.
type: string
x-kubernetes-validations:
- message: loadBalancerIP must be a valid IPv4 address
rule: self.matches(r"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
+ loadBalancerSourceRanges:
+ description: |-
+ LoadBalancerSourceRanges defines a list of allowed IP addresses which will be configured as
+ firewall rules on the platform providers load balancer. This is not guaranteed to be working as
+ it happens outside of kubernetes and has to be supported and handled by the platform provider.
+ This field may only be set for services with type LoadBalancer and will be cleared if the type
+ is changed to any other type.
+ items:
+ type: string
+ type: array
+ name:
+ description: |-
+ Name of the service.
+ When unset, this defaults to an autogenerated name.
+ type: string
patch:
description: Patch defines how to perform the patch operation
to the service
properties:
type:
- description: "Type is the type of merge operation
- to perform \n By default, StrategicMerge is used
- as the patch type."
+ description: |-
+ Type is the type of merge operation to perform
+
+ By default, StrategicMerge is used as the patch type.
type: string
value:
description: Object contains the raw configuration
@@ -6611,14 +10209,12 @@ spec:
type: object
type:
default: LoadBalancer
- description: Type determines how the Service is exposed.
- Defaults to LoadBalancer. Valid options are ClusterIP,
- LoadBalancer and NodePort. "LoadBalancer" means a service
- will be exposed via an external load balancer (if the
- cloud provider supports it). "ClusterIP" means a service
- will only be accessible inside the cluster, via the
- cluster IP. "NodePort" means a service will be exposed
- on a static Port on all Nodes of the cluster.
+ description: |-
+ Type determines how the Service is exposed. Defaults to LoadBalancer.
+ Valid options are ClusterIP, LoadBalancer and NodePort.
+ "LoadBalancer" means a service will be exposed via an external load balancer (if the cloud provider supports it).
+ "ClusterIP" means a service will only be accessible inside the cluster, via the cluster IP.
+ "NodePort" means a service will be exposed on a static Port on all Nodes of the cluster.
enum:
- ClusterIP
- LoadBalancer
@@ -6630,73 +10226,100 @@ spec:
LoadBalancer type
rule: '!has(self.allocateLoadBalancerNodePorts) || self.type
== ''LoadBalancer'''
+ - message: loadBalancerSourceRanges can only be set for LoadBalancer
+ type
+ rule: '!has(self.loadBalancerSourceRanges) || self.type
+ == ''LoadBalancer'''
- message: loadBalancerIP can only be set for LoadBalancer
type
rule: '!has(self.loadBalancerIP) || self.type == ''LoadBalancer'''
+ useListenerPortAsContainerPort:
+ description: |-
+ UseListenerPortAsContainerPort disables the port shifting feature in the Envoy Proxy.
+ When set to false (default value), if the service port is a privileged port (1-1023), add a constant to the value converting it into an ephemeral port.
+ This allows the container to bind to the port without needing a CAP_NET_BIND_SERVICE capability.
+ type: boolean
type: object
+ x-kubernetes-validations:
+ - message: only one of envoyDeployment or envoyDaemonSet can be
+ specified
+ rule: ((has(self.envoyDeployment) && !has(self.envoyDaemonSet))
+ || (!has(self.envoyDeployment) && has(self.envoyDaemonSet)))
+ || (!has(self.envoyDeployment) && !has(self.envoyDaemonSet))
+ - message: cannot use envoyHpa if envoyDaemonSet is used
+ rule: ((has(self.envoyHpa) && !has(self.envoyDaemonSet)) ||
+ (!has(self.envoyHpa) && has(self.envoyDaemonSet))) || (!has(self.envoyHpa)
+ && !has(self.envoyDaemonSet))
type:
- description: Type is the type of resource provider to use. A resource
- provider provides infrastructure resources for running the data
- plane, e.g. Envoy proxy, and optional auxiliary control planes.
- Supported types are "Kubernetes".
+ description: |-
+ Type is the type of resource provider to use. A resource provider provides
+ infrastructure resources for running the data plane, e.g. Envoy proxy, and
+ optional auxiliary control planes. Supported types are "Kubernetes".
enum:
- Kubernetes
+ - Custom
type: string
required:
- type
type: object
+ routingType:
+ description: |-
+ RoutingType can be set to "Service" to use the Service Cluster IP for routing to the backend,
+ or it can be set to "Endpoint" to use Endpoint routing. The default is "Endpoint".
+ type: string
shutdown:
description: Shutdown defines configuration for graceful envoy shutdown
process.
properties:
drainTimeout:
- description: DrainTimeout defines the graceful drain timeout.
- This should be less than the pod's terminationGracePeriodSeconds.
- If unspecified, defaults to 600 seconds.
+ description: |-
+ DrainTimeout defines the graceful drain timeout. This should be less than the pod's terminationGracePeriodSeconds.
+ If unspecified, defaults to 60 seconds.
type: string
minDrainDuration:
- description: MinDrainDuration defines the minimum drain duration
- allowing time for endpoint deprogramming to complete. If unspecified,
- defaults to 5 seconds.
+ description: |-
+ MinDrainDuration defines the minimum drain duration allowing time for endpoint deprogramming to complete.
+ If unspecified, defaults to 10 seconds.
type: string
type: object
telemetry:
description: Telemetry defines telemetry parameters for managed proxies.
properties:
accessLog:
- description: AccessLogs defines accesslog parameters for managed
- proxies. If unspecified, will send default format to stdout.
+ description: |-
+ AccessLogs defines accesslog parameters for managed proxies.
+ If unspecified, will send default format to stdout.
properties:
disable:
description: Disable disables access logging for managed proxies
if set to true.
type: boolean
settings:
- description: Settings defines accesslog settings for managed
- proxies. If unspecified, will send default format to stdout.
+ description: |-
+ Settings defines accesslog settings for managed proxies.
+ If unspecified, will send default format to stdout.
items:
properties:
format:
- description: Format defines the format of accesslog.
+ description: |-
+ Format defines the format of accesslog.
+ This will be ignored if sink type is ALS.
properties:
json:
additionalProperties:
type: string
- description: JSON is additional attributes that
- describe the specific event occurrence. Structured
- format for the envoy access logs. Envoy [command
- operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
+ description: |-
+ JSON is additional attributes that describe the specific event occurrence.
+ Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
can be used as values for fields within the Struct.
It's required when the format type is "JSON".
type: object
text:
- description: Text defines the text accesslog format,
- following Envoy accesslog formatting, It's required
- when the format type is "Text". Envoy [command
- operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
- may be used in the format. The [format string
- documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
- provides more information.
+ description: |-
+ Text defines the text accesslog format, following Envoy accesslog formatting,
+ It's required when the format type is "Text".
+ Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format.
+ The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information.
type: string
type:
description: Type defines the type of accesslog
@@ -6713,12 +10336,989 @@ spec:
- message: If AccessLogFormat type is JSON, json field
needs to be set.
rule: 'self.type == ''JSON'' ? has(self.json) : !has(self.json)'
+ matches:
+ description: |-
+ Matches defines the match conditions for accesslog in CEL expression.
+ An accesslog will be emitted only when one or more match conditions are evaluated to true.
+ Invalid [CEL](https://www.envoyproxy.io/docs/envoy/latest/xds/type/v3/cel.proto.html#common-expression-language-cel-proto) expressions will be ignored.
+ items:
+ type: string
+ maxItems: 10
+ type: array
sinks:
description: Sinks defines the sinks of accesslog.
items:
description: ProxyAccessLogSink defines the sink of
accesslog.
properties:
+ als:
+ description: ALS defines the gRPC Access Log Service
+ (ALS) sink.
+ properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the
+ referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of
+ connections that Envoy will establish
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of
+ parallel requests that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of
+ parallel retries that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of
+ pending requests that Envoy will
+ queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend
+ connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution
+ settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway
+ to perform active health checking on
+ backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold
+ defines the number of healthy
+ health checks required before
+ a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse
+ defines a list of HTTP expected
+ responses to match.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus
+ defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines
+ the HTTP path that will
+ be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between active health
+ checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines
+ the expected response payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ send:
+ description: Send defines
+ the request payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the
+ time to wait for a health check
+ response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the
+ type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold
+ defines the number of unhealthy
+ health checks required before
+ a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type
+ is HTTP, http field needs to be
+ set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type
+ is TCP, tcp field needs to be
+ set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only
+ be set if the Health Checker type
+ is GRPC.
+ rule: 'has(self.grpc) ? self.type
+ == ''GRPC'' : true'
+ passive:
+ description: Passive passive check
+ configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime
+ defines the base duration for
+ which a host will be ejected
+ on consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors
+ sets the number of consecutive
+ 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors
+ sets the number of consecutive
+ gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between passive health
+ checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent
+ sets the maximum percentage
+ of hosts in a cluster that can
+ be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors
+ between external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures
+ the cookie hash policy when
+ the consistent hash type is
+ set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes
+ to set for the generated
+ cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures
+ the header hash policy when
+ the consistent hash type is
+ set to Header.
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for
+ consistent hashing, must be
+ prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type
+ is header, the header field must
+ be set.
+ rule: 'self.type == ''Header'' ?
+ has(self.header) : !has(self.header)'
+ - message: If consistent hash type
+ is cookie, the cookie field must
+ be set.
+ rule: 'self.type == ''Cookie'' ?
+ has(self.cookie) : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash''
+ ? has(self.consistentHash) : !has(self.consistentHash)'
+ - message: Currently SlowStart is only
+ supported for RoundRobin and LeastRequest
+ load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the
+ Proxy Protocol when communicating with
+ the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number
+ of retries to be attempted. Defaults
+ to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry
+ policy to be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval
+ is the base interval between
+ retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout
+ per retry attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines
+ the http status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies
+ the retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies
+ the conditions that trigger
+ retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the
+ backend connections.
+ properties:
+ http:
+ description: Timeout settings for
+ HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is
+ the time until which entire
+ response is received from the
+ upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for
+ TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
+ http:
+ description: HTTP defines additional configuration
+ specific to HTTP access logs.
+ properties:
+ requestHeaders:
+ description: RequestHeaders defines request
+ headers to include in log entries sent
+ to the access log service.
+ items:
+ type: string
+ type: array
+ responseHeaders:
+ description: ResponseHeaders defines response
+ headers to include in log entries sent
+ to the access log service.
+ items:
+ type: string
+ type: array
+ responseTrailers:
+ description: ResponseTrailers defines
+ response trailers to include in log
+ entries sent to the access log service.
+ items:
+ type: string
+ type: array
+ type: object
+ logName:
+ description: |-
+ LogName defines the friendly name of the access log to be returned in
+ StreamAccessLogsMessage.Identifier. This allows the access log server
+ to differentiate between different access logs coming from the same Envoy.
+ minLength: 1
+ type: string
+ type:
+ description: Type defines the type of accesslog.
+ Supported types are "HTTP" and "TCP".
+ enum:
+ - HTTP
+ - TCP
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: The http field may only be set when
+ type is HTTP.
+ rule: self.type == 'HTTP' || !has(self.http)
+ - message: BackendRefs must be used, backendRef
+ is not supported.
+ rule: '!has(self.backendRef)'
+ - message: must have at least one backend in backendRefs
+ rule: has(self.backendRefs) && self.backendRefs.size()
+ > 0
+ - message: BackendRefs only supports Service kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
+ f.kind == ''Service'') : true'
+ - message: BackendRefs only supports Core group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "")) : true'
file:
description: File defines the file accesslog sink.
properties:
@@ -6732,37 +11332,958 @@ spec:
description: OpenTelemetry defines the OpenTelemetry
accesslog sink.
properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the
+ referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind
+ == ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of
+ connections that Envoy will establish
+ to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of
+ parallel requests that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of
+ parallel retries that Envoy will
+ make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of
+ pending requests that Envoy will
+ queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend
+ connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution
+ settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway
+ to perform active health checking on
+ backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold
+ defines the number of healthy
+ health checks required before
+ a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse
+ defines a list of HTTP expected
+ responses to match.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus
+ defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines
+ the HTTP path that will
+ be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between active health
+ checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines
+ the expected response payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ send:
+ description: Send defines
+ the request payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload
+ in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines
+ the type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type
+ is Text, text field needs
+ to be set.
+ rule: 'self.type == ''Text''
+ ? has(self.text) : !has(self.text)'
+ - message: If payload type
+ is Binary, binary field
+ needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the
+ time to wait for a health check
+ response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the
+ type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold
+ defines the number of unhealthy
+ health checks required before
+ a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type
+ is HTTP, http field needs to be
+ set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type
+ is TCP, tcp field needs to be
+ set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only
+ be set if the Health Checker type
+ is GRPC.
+ rule: 'has(self.grpc) ? self.type
+ == ''GRPC'' : true'
+ passive:
+ description: Passive passive check
+ configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime
+ defines the base duration for
+ which a host will be ejected
+ on consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors
+ sets the number of consecutive
+ 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors
+ sets the number of consecutive
+ gateway errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines
+ the time between passive health
+ checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent
+ sets the maximum percentage
+ of hosts in a cluster that can
+ be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors
+ between external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures
+ the cookie hash policy when
+ the consistent hash type is
+ set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes
+ to set for the generated
+ cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures
+ the header hash policy when
+ the consistent hash type is
+ set to Header.
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for
+ consistent hashing, must be
+ prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type
+ is header, the header field must
+ be set.
+ rule: 'self.type == ''Header'' ?
+ has(self.header) : !has(self.header)'
+ - message: If consistent hash type
+ is cookie, the cookie field must
+ be set.
+ rule: 'self.type == ''Cookie'' ?
+ has(self.cookie) : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash''
+ ? has(self.consistentHash) : !has(self.consistentHash)'
+ - message: Currently SlowStart is only
+ supported for RoundRobin and LeastRequest
+ load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the
+ Proxy Protocol when communicating with
+ the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number
+ of retries to be attempted. Defaults
+ to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry
+ policy to be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval
+ is the base interval between
+ retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout
+ per retry attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines
+ the http status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies
+ the retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies
+ the conditions that trigger
+ retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the
+ backend connections.
+ properties:
+ http:
+ description: Timeout settings for
+ HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is
+ the time until which entire
+ response is received from the
+ upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for
+ TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
host:
- description: Host define the extension service
- hostname.
+ description: |-
+ Host define the extension service hostname.
+ Deprecated: Use BackendRefs instead.
type: string
port:
default: 4317
- description: Port defines the port the extension
- service is exposed on.
+ description: |-
+ Port defines the port the extension service is exposed on.
+ Deprecated: Use BackendRefs instead.
format: int32
minimum: 0
type: integer
resources:
additionalProperties:
type: string
- description: Resources is a set of labels
- that describe the source of a log entry,
- including envoy node info. It's recommended
- to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
+ description: |-
+ Resources is a set of labels that describe the source of a log entry, including envoy node info.
+ It's recommended to follow [semantic conventions](https://opentelemetry.io/docs/reference/specification/resource/semantic_conventions/).
type: object
- required:
- - host
type: object
+ x-kubernetes-validations:
+ - message: host or backendRefs needs to be set
+ rule: has(self.host) || self.backendRefs.size()
+ > 0
+ - message: BackendRefs must be used, backendRef
+ is not supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only supports Service kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
+ f.kind == ''Service'') : true'
+ - message: BackendRefs only supports Core group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "")) : true'
type:
description: Type defines the type of accesslog
sink.
enum:
+ - ALS
- File
- OpenTelemetry
type: string
type: object
x-kubernetes-validations:
+ - message: If AccessLogSink type is ALS, als field
+ needs to be set.
+ rule: 'self.type == ''ALS'' ? has(self.als) : !has(self.als)'
- message: If AccessLogSink type is File, file field
needs to be set.
rule: 'self.type == ''File'' ? has(self.file) :
@@ -6771,36 +12292,58 @@ spec:
openTelemetry field needs to be set.
rule: 'self.type == ''OpenTelemetry'' ? has(self.openTelemetry)
: !has(self.openTelemetry)'
+ maxItems: 50
minItems: 1
type: array
+ type:
+ description: |-
+ Type defines the component emitting the accesslog, such as Listener and Route.
+ If type not defined, the setting would apply to:
+ (1) All Routes.
+ (2) Listeners if and only if Envoy does not find a matching route for a request.
+ If type is defined, the accesslog settings would apply to the relevant component (as-is).
+ enum:
+ - Listener
+ - Route
+ type: string
required:
- - format
- sinks
type: object
+ maxItems: 50
+ minItems: 1
type: array
type: object
metrics:
description: Metrics defines metrics configuration for managed
proxies.
properties:
+ enablePerEndpointStats:
+ description: |-
+ EnablePerEndpointStats enables per endpoint envoy stats metrics.
+ Please use with caution.
+ type: boolean
+ enableRequestResponseSizesStats:
+ description: EnableRequestResponseSizesStats enables publishing
+ of histograms tracking header and body sizes of requests
+ and responses.
+ type: boolean
enableVirtualHostStats:
description: EnableVirtualHostStats enables envoy stat metrics
for virtual hosts.
type: boolean
matches:
- description: 'Matches defines configuration for selecting
- specific metrics instead of generating all metrics stats
- that are enabled by default. This helps reduce CPU and memory
- overhead in Envoy, but eliminating some stats may after
- critical functionality. Here are the stats that we strongly
- recommend not disabling: `cluster_manager.warming_clusters`,
- `cluster..membership_total`,`cluster..membership_healthy`,
+ description: |-
+ Matches defines configuration for selecting specific metrics instead of generating all metrics stats
+ that are enabled by default. This helps reduce CPU and memory overhead in Envoy, but eliminating some stats
+ may after critical functionality. Here are the stats that we strongly recommend not disabling:
+ `cluster_manager.warming_clusters`, `cluster..membership_total`,`cluster..membership_healthy`,
`cluster..membership_degraded`,reference https://github.com/envoyproxy/envoy/issues/9856,
- https://github.com/envoyproxy/envoy/issues/14610'
+ https://github.com/envoyproxy/envoy/issues/14610
items:
- description: StringMatch defines how to match any strings.
- This is a general purpose match condition that can be
- used by other EG APIs that need to match against a string.
+ description: |-
+ StringMatch defines how to match any strings.
+ This is a general purpose match condition that can be used by other EG APIs
+ that need to match against a string.
properties:
type:
default: Exact
@@ -6825,6 +12368,24 @@ spec:
description: Prometheus defines the configuration for Admin
endpoint `/stats/prometheus`.
properties:
+ compression:
+ description: Configure the compression on Prometheus endpoint.
+ Compression is useful in situations when bandwidth is
+ scarce and large payloads can be effectively compressed
+ at the expense of higher CPU load.
+ properties:
+ gzip:
+ description: The configuration for GZIP compressor.
+ type: object
+ type:
+ description: CompressorType defines the compressor
+ type to use for compression.
+ enum:
+ - Gzip
+ type: string
+ required:
+ - type
+ type: object
disable:
description: Disable the Prometheus endpoint.
type: boolean
@@ -6833,32 +12394,917 @@ spec:
description: Sinks defines the metric sinks where metrics
are sent to.
items:
- description: ProxyMetricSink defines the sink of metrics.
+ description: |-
+ ProxyMetricSink defines the sink of metrics.
Default metrics sink is OpenTelemetry.
properties:
openTelemetry:
- description: OpenTelemetry defines the configuration
- for OpenTelemetry sink. It's required if the sink
- type is OpenTelemetry.
+ description: |-
+ OpenTelemetry defines the configuration for OpenTelemetry sink.
+ It's required if the sink type is OpenTelemetry.
properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind ==
+ ''Service'') ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind ==
+ ''Service'') ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections
+ that Envoy will establish to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel
+ requests that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel
+ retries that Envoy will make to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending
+ requests that Envoy will queue to the
+ referenced backend defined within a xRoute
+ rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend connection
+ settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform
+ active health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines
+ the number of healthy health checks
+ required before a backend host is
+ marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines
+ a list of HTTP expected responses
+ to match.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in
+ plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the
+ type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ?
+ has(self.text) : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines
+ the http status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP
+ path that will be requested during
+ health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines the time
+ between active health checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the
+ expected response payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in
+ plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the
+ type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ?
+ has(self.text) : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ send:
+ description: Send defines the request
+ payload.
+ properties:
+ binary:
+ description: Binary payload
+ base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in
+ plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the
+ type of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text,
+ text field needs to be set.
+ rule: 'self.type == ''Text'' ?
+ has(self.text) : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary''
+ ? has(self.binary) : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time
+ to wait for a health check response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of
+ health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines
+ the number of unhealthy health checks
+ required before a backend host is
+ marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP,
+ http field needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type is TCP,
+ tcp field needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only be set
+ if the Health Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC''
+ : true'
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines
+ the base duration for which a host
+ will be ejected on consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets
+ the number of consecutive 5xx errors
+ triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors
+ sets the number of consecutive gateway
+ errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time
+ between passive health checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets
+ the maximum percentage of hosts in
+ a cluster that can be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors between
+ external and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration
+ for backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie
+ hash policy when the consistent hash
+ type is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes
+ to set for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures the header
+ hash policy when the consistent hash
+ type is set to Header.
+ properties:
+ name:
+ description: Name of the header
+ to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for consistent
+ hashing, must be prime number limited
+ to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header,
+ the header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is cookie,
+ the cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported
+ for RoundRobin and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy
+ Protocol when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number of
+ retries to be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy
+ to be applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the
+ base interval between retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout
+ per retry attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the
+ http status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the
+ retry trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies
+ the conditions that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend
+ connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time
+ until which entire response is received
+ from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
host:
- description: Host define the service hostname.
+ description: |-
+ Host define the service hostname.
+ Deprecated: Use BackendRefs instead.
type: string
port:
default: 4317
- description: Port defines the port the service is
- exposed on.
+ description: |-
+ Port defines the port the service is exposed on.
+ Deprecated: Use BackendRefs instead.
format: int32
maximum: 65535
minimum: 0
type: integer
- required:
- - host
type: object
+ x-kubernetes-validations:
+ - message: host or backendRefs needs to be set
+ rule: has(self.host) || self.backendRefs.size() >
+ 0
+ - message: BackendRefs must be used, backendRef is not
+ supported.
+ rule: '!has(self.backendRef)'
+ - message: only supports Service kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f,
+ f.kind == ''Service'') : true'
+ - message: BackendRefs only supports Core group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "")) : true'
type:
default: OpenTelemetry
- description: Type defines the metric sink type. EG currently
- only supports OpenTelemetry.
+ description: |-
+ Type defines the metric sink type.
+ EG currently only supports OpenTelemetry.
enum:
- OpenTelemetry
type: string
@@ -6870,19 +13316,21 @@ spec:
field needs to be set.
rule: 'self.type == ''OpenTelemetry'' ? has(self.openTelemetry)
: !has(self.openTelemetry)'
+ maxItems: 16
type: array
type: object
tracing:
- description: Tracing defines tracing configuration for managed
- proxies. If unspecified, will not send tracing data.
+ description: |-
+ Tracing defines tracing configuration for managed proxies.
+ If unspecified, will not send tracing data.
properties:
customTags:
additionalProperties:
properties:
environment:
- description: Environment adds value from environment
- variable to each span. It's required when the type
- is "Environment".
+ description: |-
+ Environment adds value from environment variable to each span.
+ It's required when the type is "Environment".
properties:
defaultValue:
description: DefaultValue defines the default value
@@ -6896,7 +13344,8 @@ spec:
- name
type: object
literal:
- description: Literal adds hard-coded value to each span.
+ description: |-
+ Literal adds hard-coded value to each span.
It's required when the type is "Literal".
properties:
value:
@@ -6907,8 +13356,9 @@ spec:
- value
type: object
requestHeader:
- description: RequestHeader adds value from request header
- to each span. It's required when the type is "RequestHeader".
+ description: |-
+ RequestHeader adds value from request header to each span.
+ It's required when the type is "RequestHeader".
properties:
defaultValue:
description: DefaultValue defines the default value
@@ -6932,41 +13382,934 @@ spec:
required:
- type
type: object
- description: CustomTags defines the custom tags to add to
- each span. If provider is kubernetes, pod name and namespace
- are added by default.
+ description: |-
+ CustomTags defines the custom tags to add to each span.
+ If provider is kubernetes, pod name and namespace are added by default.
type: object
provider:
- description: Provider defines the tracing provider. Only OpenTelemetry
- is supported currently.
+ description: Provider defines the tracing provider.
properties:
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference
+ that is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections
+ that Envoy will establish to the referenced
+ backend defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend connection
+ settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform
+ active health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the
+ number of healthy health checks required
+ before a backend host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines
+ a list of HTTP expected responses to
+ match.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text
+ field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the
+ http status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path
+ that will be requested during health
+ checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text
+ field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request
+ payload.
+ properties:
+ binary:
+ description: Binary payload base64
+ encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain
+ text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type
+ of the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text
+ field needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary,
+ binary field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health
+ checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the
+ number of unhealthy health checks required
+ before a backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http
+ field needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http)
+ : !has(self.http)'
+ - message: If Health Checker type is TCP, tcp
+ field needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp)
+ : !has(self.tcp)'
+ - message: The grpc field can only be set if the
+ Health Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC''
+ : true'
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the
+ base duration for which a host will be ejected
+ on consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the
+ number of consecutive 5xx errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors sets
+ the number of consecutive gateway errors
+ triggering ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can
+ be ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors
+ enables splitting of errors between external
+ and local origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for
+ backend connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie
+ hash policy when the consistent hash type
+ is set to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to
+ set for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures the header
+ hash policy when the consistent hash type
+ is set to Header.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for consistent
+ hashing, must be prime number limited to
+ 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header,
+ the header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is cookie,
+ the cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash,
+ consistentHash field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for
+ RoundRobin and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries
+ to be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be
+ applied per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base
+ interval between retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry
+ trigger condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the
+ upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
host:
- description: Host define the provider service hostname.
+ description: |-
+ Host define the provider service hostname.
+ Deprecated: Use BackendRefs instead.
type: string
port:
default: 4317
- description: Port defines the port the provider service
- is exposed on.
+ description: |-
+ Port defines the port the provider service is exposed on.
+ Deprecated: Use BackendRefs instead.
format: int32
minimum: 0
type: integer
type:
default: OpenTelemetry
- description: Type defines the tracing provider type. EG
- currently only supports OpenTelemetry.
+ description: Type defines the tracing provider type.
enum:
- OpenTelemetry
+ - Zipkin
+ - Datadog
type: string
+ zipkin:
+ description: Zipkin defines the Zipkin tracing provider
+ configuration
+ properties:
+ disableSharedSpanContext:
+ description: |-
+ DisableSharedSpanContext determines whether the default Envoy behaviour of
+ client and server spans sharing the same span context should be disabled.
+ type: boolean
+ enable128BitTraceId:
+ description: |-
+ Enable128BitTraceID determines whether a 128bit trace id will be used
+ when creating a new trace instance. If set to false, a 64bit trace
+ id will be used.
+ type: boolean
+ type: object
required:
- - host
- type
type: object
+ x-kubernetes-validations:
+ - message: host or backendRefs needs to be set
+ rule: has(self.host) || self.backendRefs.size() > 0
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: only supports Service kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'') : true'
+ - message: BackendRefs only supports Core group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f,
+ f.group == "")) : true'
samplingRate:
default: 100
- description: SamplingRate controls the rate at which traffic
- will be selected for tracing if no prior sampling decision
- has been made. Defaults to 100, valid values [0-100]. 100
- indicates 100% sampling.
+ description: |-
+ SamplingRate controls the rate at which traffic will be
+ selected for tracing if no prior sampling decision has been made.
+ Defaults to 100, valid values [0-100]. 100 indicates 100% sampling.
format: int32
maximum: 100
minimum: 0
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml
new file mode 100644
index 0000000..195bf24
--- /dev/null
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml
@@ -0,0 +1,220 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.16.1
+ name: httproutefilters.gateway.envoyproxy.io
+spec:
+ group: gateway.envoyproxy.io
+ names:
+ categories:
+ - envoy-gateway
+ kind: HTTPRouteFilter
+ listKind: HTTPRouteFilterList
+ plural: httproutefilters
+ shortNames:
+ - hrf
+ singular: httproutefilter
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ HTTPRouteFilter is a custom Envoy Gateway HTTPRouteFilter which provides extended
+ traffic processing options such as path regex rewrite, direct response and more.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec defines the desired state of HTTPRouteFilter.
+ properties:
+ directResponse:
+ description: HTTPDirectResponseFilter defines the configuration to
+ return a fixed response.
+ properties:
+ body:
+ description: Body of the Response
+ properties:
+ inline:
+ description: Inline contains the value as an inline string.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Inline
+ - ValueRef
+ - enum:
+ - Inline
+ - ValueRef
+ default: Inline
+ description: |-
+ Type is the type of method to use to read the body value.
+ Valid values are Inline and ValueRef, default is Inline.
+ type: string
+ valueRef:
+ description: |-
+ ValueRef contains the contents of the body
+ specified as a local object reference.
+ Only a reference to ConfigMap is supported.
+
+ The value of key `response.body` in the ConfigMap will be used as the response body.
+ If the key is not found, the first value in the ConfigMap will be used.
+ properties:
+ group:
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the referent. For example
+ "HTTPRoute" or "Service".
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: inline must be set for type Inline
+ rule: '(!has(self.type) || self.type == ''Inline'')? has(self.inline)
+ : true'
+ - message: valueRef must be set for type ValueRef
+ rule: '(has(self.type) && self.type == ''ValueRef'')? has(self.valueRef)
+ : true'
+ - message: only ConfigMap is supported for ValueRef
+ rule: 'has(self.valueRef) ? self.valueRef.kind == ''ConfigMap''
+ : true'
+ contentType:
+ description: Content Type of the response. This will be set in
+ the Content-Type header.
+ type: string
+ statusCode:
+ description: |-
+ Status Code of the HTTP response
+ If unset, defaults to 200.
+ type: integer
+ type: object
+ urlRewrite:
+ description: HTTPURLRewriteFilter define rewrites of HTTP URL components
+ such as path and host
+ properties:
+ hostname:
+ description: |-
+ Hostname is the value to be used to replace the Host header value during
+ forwarding.
+ properties:
+ header:
+ description: Header is the name of the header whose value
+ would be used to rewrite the Host header
+ type: string
+ type:
+ description: HTTPPathModifierType defines the type of Hostname
+ rewrite.
+ enum:
+ - Header
+ - Backend
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: header must be nil if the type is not Header
+ rule: '!(has(self.header) && self.type != ''Header'')'
+ - message: header must be specified for Header type
+ rule: '!(!has(self.header) && self.type == ''Header'')'
+ path:
+ description: Path defines a path rewrite.
+ properties:
+ replaceRegexMatch:
+ description: |-
+ ReplaceRegexMatch defines a path regex rewrite. The path portions matched by the regex pattern are replaced by the defined substitution.
+ https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-regex-rewrite
+ Some examples:
+ (1) replaceRegexMatch:
+ pattern: ^/service/([^/]+)(/.*)$
+ substitution: \2/instance/\1
+ Would transform /service/foo/v1/api into /v1/api/instance/foo.
+ (2) replaceRegexMatch:
+ pattern: one
+ substitution: two
+ Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/two/zzz.
+ (3) replaceRegexMatch:
+ pattern: ^(.*?)one(.*)$
+ substitution: \1two\2
+ Would transform /xxx/one/yyy/one/zzz into /xxx/two/yyy/one/zzz.
+ (3) replaceRegexMatch:
+ pattern: (?i)/xxx/
+ substitution: /yyy/
+ Would transform path /aaa/XxX/bbb into /aaa/yyy/bbb (case-insensitive).
+ properties:
+ pattern:
+ description: |-
+ Pattern matches a regular expression against the value of the HTTP Path.The regex string must
+ adhere to the syntax documented in https://github.com/google/re2/wiki/Syntax.
+ minLength: 1
+ type: string
+ substitution:
+ description: |-
+ Substitution is an expression that replaces the matched portion.The expression may include numbered
+ capture groups that adhere to syntax documented in https://github.com/google/re2/wiki/Syntax.
+ type: string
+ required:
+ - pattern
+ - substitution
+ type: object
+ type:
+ description: HTTPPathModifierType defines the type of path
+ redirect or rewrite.
+ enum:
+ - ReplaceRegexMatch
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If HTTPPathModifier type is ReplaceRegexMatch, replaceRegexMatch
+ field needs to be set.
+ rule: 'self.type == ''ReplaceRegexMatch'' ? has(self.replaceRegexMatch)
+ : !has(self.replaceRegexMatch)'
+ type: object
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources: {}
diff --git a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 43b6489..b6a040f 100644
--- a/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/helm/envoy-gateway/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.16.1
name: securitypolicies.gateway.envoyproxy.io
spec:
group: gateway.envoyproxy.io
@@ -19,53 +19,218 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- - jsonPath: .status.conditions[?(@.type=="Accepted")].reason
- name: Status
- type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
- description: SecurityPolicy allows the user to configure various security
- settings for a Gateway.
+ description: |-
+ SecurityPolicy allows the user to configure various security settings for a
+ Gateway.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec defines the desired state of SecurityPolicy.
properties:
+ authorization:
+ description: Authorization defines the authorization configuration.
+ properties:
+ defaultAction:
+ description: |-
+ DefaultAction defines the default action to be taken if no rules match.
+ If not specified, the default action is Deny.
+ enum:
+ - Allow
+ - Deny
+ type: string
+ rules:
+ description: |-
+ Rules defines a list of authorization rules.
+ These rules are evaluated in order, the first matching rule will be applied,
+ and the rest will be skipped.
+
+ For example, if there are two rules: the first rule allows the request
+ and the second rule denies it, when a request matches both rules, it will be allowed.
+ items:
+ description: AuthorizationRule defines a single authorization
+ rule.
+ properties:
+ action:
+ description: Action defines the action to be taken if the
+ rule matches.
+ enum:
+ - Allow
+ - Deny
+ type: string
+ name:
+ description: |-
+ Name is a user-friendly name for the rule.
+ If not specified, Envoy Gateway will generate a unique name for the rule.
+ maxLength: 253
+ minLength: 1
+ type: string
+ principal:
+ description: |-
+ Principal specifies the client identity of a request.
+ If there are multiple principal types, all principals must match for the rule to match.
+ For example, if there are two principals: one for client IP and one for JWT claim,
+ the rule will match only if both the client IP and the JWT claim match.
+ properties:
+ clientCIDRs:
+ description: |-
+ ClientCIDRs are the IP CIDR ranges of the client.
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+
+ If multiple CIDR ranges are specified, one of the CIDR ranges must match
+ the client IP for the rule to match.
+
+ The client IP is inferred from the X-Forwarded-For header, a custom header,
+ or the proxy protocol.
+ You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
+ the `ClientTrafficPolicy` to configure how the client IP is detected.
+ items:
+ description: |-
+ CIDR defines a CIDR Address range.
+ A CIDR can be an IPv4 address range such as "192.168.1.0/24" or an IPv6 address range such as "2001:0db8:11a3:09d7::/64".
+ pattern: ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]+))|((([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))\/([0-9]+))
+ type: string
+ minItems: 1
+ type: array
+ jwt:
+ description: |-
+ JWT authorize the request based on the JWT claims and scopes.
+ Note: in order to use JWT claims for authorization, you must configure the
+ JWT authentication in the same `SecurityPolicy`.
+ properties:
+ claims:
+ description: |-
+ Claims are the claims in a JWT token.
+
+ If multiple claims are specified, all claims must match for the rule to match.
+ For example, if there are two claims: one for the audience and one for the issuer,
+ the rule will match only if both the audience and the issuer match.
+ items:
+ description: JWTClaim specifies a claim in a JWT
+ token.
+ properties:
+ name:
+ description: |-
+ Name is the name of the claim.
+ If it is a nested claim, use a dot (.) separated string as the name to
+ represent the full path to the claim.
+ For example, if the claim is in the "department" field in the "organization" field,
+ the name should be "organization.department".
+ maxLength: 253
+ minLength: 1
+ type: string
+ valueType:
+ default: String
+ description: |-
+ ValueType is the type of the claim value.
+ Only String and StringArray types are supported for now.
+ enum:
+ - String
+ - StringArray
+ type: string
+ values:
+ description: |-
+ Values are the values that the claim must match.
+ If the claim is a string type, the specified value must match exactly.
+ If the claim is a string array type, the specified value must match one of the values in the array.
+ If multiple values are specified, one of the values must match for the rule to match.
+ items:
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - name
+ - values
+ type: object
+ maxItems: 16
+ minItems: 1
+ type: array
+ provider:
+ description: |-
+ Provider is the name of the JWT provider that used to verify the JWT token.
+ In order to use JWT claims for authorization, you must configure the JWT
+ authentication with the same provider in the same `SecurityPolicy`.
+ maxLength: 253
+ minLength: 1
+ type: string
+ scopes:
+ description: |-
+ Scopes are a special type of claim in a JWT token that represents the permissions of the client.
+
+ The value of the scopes field should be a space delimited string that is expected in the scope parameter,
+ as defined in RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749#page-23.
+
+ If multiple scopes are specified, all scopes must match for the rule to match.
+ items:
+ maxLength: 253
+ minLength: 1
+ type: string
+ maxItems: 16
+ minItems: 1
+ type: array
+ required:
+ - provider
+ type: object
+ x-kubernetes-validations:
+ - message: at least one of claims or scopes must be
+ specified
+ rule: (has(self.claims) || has(self.scopes))
+ type: object
+ x-kubernetes-validations:
+ - message: at least one of clientCIDRs or jwt must be specified
+ rule: (has(self.clientCIDRs) || has(self.jwt))
+ required:
+ - action
+ - principal
+ type: object
+ type: array
+ type: object
basicAuth:
description: BasicAuth defines the configuration for the HTTP Basic
Authentication.
properties:
users:
- description: "The Kubernetes secret which contains the username-password
- pairs in htpasswd format, used to verify user credentials in
- the \"Authorization\" header. \n This is an Opaque secret. The
- username-password pairs should be stored in the key \".htpasswd\".
- As the key name indicates, the value needs to be the htpasswd
- format, for example: \"user1:{SHA}hashed_user1_password\". Right
- now, only SHA hash algorithm is supported. Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
- for more details. \n Note: The secret must be in the same namespace
- as the SecurityPolicy."
+ description: |-
+ The Kubernetes secret which contains the username-password pairs in
+ htpasswd format, used to verify user credentials in the "Authorization"
+ header.
+
+ This is an Opaque secret. The username-password pairs should be stored in
+ the key ".htpasswd". As the key name indicates, the value needs to be the
+ htpasswd format, for example: "user1:{SHA}hashed_user1_password".
+ Right now, only SHA hash algorithm is supported.
+ Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
+ for more details.
+
+ Note: The secret must be in the same namespace as the SecurityPolicy.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty string,
- core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -82,13 +247,16 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the local namespace
- is specified, a ReferenceGrant object is required in the
- referent namespace to allow that namespace's owner to accept
- the reference. See the ReferenceGrant documentation for
- details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -104,88 +272,117 @@ spec:
Sharing (CORS).
properties:
allowCredentials:
- description: AllowCredentials indicates whether a request can
- include user credentials like cookies, authentication headers,
- or TLS client certificates.
+ description: |-
+ AllowCredentials indicates whether a request can include user credentials
+ like cookies, authentication headers, or TLS client certificates.
+ It specifies the value in the Access-Control-Allow-Credentials CORS response header.
type: boolean
allowHeaders:
- description: AllowHeaders defines the headers that are allowed
- to be sent with requests.
+ description: |-
+ AllowHeaders defines the headers that are allowed to be sent with requests.
+ It specifies the allowed headers in the Access-Control-Allow-Headers CORS response header..
+ The value "*" allows any header to be sent.
items:
type: string
type: array
allowMethods:
- description: AllowMethods defines the methods that are allowed
- to make requests.
+ description: |-
+ AllowMethods defines the methods that are allowed to make requests.
+ It specifies the allowed methods in the Access-Control-Allow-Methods CORS response header..
+ The value "*" allows any method to be used.
items:
type: string
- minItems: 1
type: array
allowOrigins:
- description: AllowOrigins defines the origins that are allowed
- to make requests.
+ description: |-
+ AllowOrigins defines the origins that are allowed to make requests.
+ It specifies the allowed origins in the Access-Control-Allow-Origin CORS response header.
+ The value "*" allows any origin to make requests.
items:
- description: "Origin is defined by the scheme (protocol), hostname
- (domain), and port of the URL used to access it. The hostname
- can be \"precise\" which is just the domain name or \"wildcard\"
- which is a domain name prefixed with a single wildcard label
- such as \"*.example.com\". In addition to that a single wildcard
- (with or without scheme) can be configured to match any origin.
- \n For example, the following are valid origins: - https://foo.example.com
- - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080
- - https://*"
+ description: |-
+ Origin is defined by the scheme (protocol), hostname (domain), and port of
+ the URL used to access it. The hostname can be "precise" which is just the
+ domain name or "wildcard" which is a domain name prefixed with a single
+ wildcard label such as "*.example.com".
+ In addition to that a single wildcard (with or without scheme) can be
+ configured to match any origin.
+
+ For example, the following are valid origins:
+ - https://foo.example.com
+ - https://*.example.com
+ - http://foo.example.com:8080
+ - http://*.example.com:8080
+ - https://*
maxLength: 253
minLength: 1
pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$
type: string
- minItems: 1
type: array
exposeHeaders:
- description: ExposeHeaders defines the headers that can be exposed
- in the responses.
+ description: |-
+ ExposeHeaders defines which response headers should be made accessible to
+ scripts running in the browser.
+ It specifies the headers in the Access-Control-Expose-Headers CORS response header..
+ The value "*" allows any header to be exposed.
items:
type: string
type: array
maxAge:
- description: MaxAge defines how long the results of a preflight
- request can be cached.
+ description: |-
+ MaxAge defines how long the results of a preflight request can be cached.
+ It specifies the value in the Access-Control-Max-Age CORS response header..
type: string
type: object
extAuth:
description: ExtAuth defines the configuration for External Authorization.
properties:
+ failOpen:
+ default: false
+ description: |-
+ FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
+ If FailOpen is set to true, the system allows the traffic to pass through.
+ Otherwise, if it is set to false or not set (defaulting to false),
+ the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
+ This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
+ type: boolean
grpc:
- description: GRPC defines the gRPC External Authorization service.
- Either GRPCService or HTTPService must be specified, and only
- one of them can be provided.
+ description: |-
+ GRPC defines the gRPC External Authorization service.
+ Either GRPCService or HTTPService must be specified,
+ and only one of them can be provided.
properties:
backendRef:
- description: BackendRef references a Kubernetes object that
- represents the backend server to which the authorization
- request will be sent. Only service Kind is supported for
- now.
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -196,24 +393,27 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
@@ -225,57 +425,847 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
- required:
- - backendRef
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a
+ backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) :
+ !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' :
+ true'
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base
+ duration for which a host will be ejected on
+ consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors sets the
+ number of consecutive gateway errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be
+ ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash
+ policy when the consistent hash type is set
+ to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set
+ for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures the header hash
+ policy when the consistent hash type is set
+ to Header.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the
+ header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is cookie, the
+ cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
type: object
+ x-kubernetes-validations:
+ - message: backendRef or backendRefs needs to be set
+ rule: has(self.backendRef) || self.backendRefs.size() > 0
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only supports Service and Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'' || f.kind == ''Backend'') : true'
+ - message: BackendRefs only supports Core and gateway.envoyproxy.io
+ group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
+ == "" || f.group == ''gateway.envoyproxy.io'')) : true'
headersToExtAuth:
- description: 'HeadersToExtAuth defines the client request headers
- that will be included in the request to the external authorization
- service. Note: If not specified, the default behavior for gRPC
- and HTTP external authorization services is different due to
- backward compatibility reasons. All headers will be included
- in the check request to a gRPC authorization server. Only the
- following headers will be included in the check request to an
- HTTP authorization server: Host, Method, Path, Content-Length,
- and Authorization. And these headers will always be included
- to the check request to an HTTP authorization server by default,
- no matter whether they are specified in HeadersToExtAuth or
- not.'
+ description: |-
+ HeadersToExtAuth defines the client request headers that will be included
+ in the request to the external authorization service.
+ Note: If not specified, the default behavior for gRPC and HTTP external
+ authorization services is different due to backward compatibility reasons.
+ All headers will be included in the check request to a gRPC authorization server.
+ Only the following headers will be included in the check request to an HTTP
+ authorization server: Host, Method, Path, Content-Length, and Authorization.
+ And these headers will always be included to the check request to an HTTP
+ authorization server by default, no matter whether they are specified
+ in HeadersToExtAuth or not.
items:
type: string
type: array
http:
- description: HTTP defines the HTTP External Authorization service.
- Either GRPCService or HTTPService must be specified, and only
- one of them can be provided.
+ description: |-
+ HTTP defines the HTTP External Authorization service.
+ Either GRPCService or HTTPService must be specified,
+ and only one of them can be provided.
properties:
backendRef:
- description: BackendRef references a Kubernetes object that
- represents the backend server to which the authorization
- request will be sent. Only service Kind is supported for
- now.
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty
- string, core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
- description: "Kind is the Kubernetes resource kind of
- the referent. For example \"Service\". \n Defaults to
- \"Service\" when not specified. \n ExternalName services
- can refer to CNAME DNS records that may live outside
- of the cluster and as such are difficult to reason about
- in terms of conformance. They also may not be safe to
- forward to (see CVE-2021-25740 for more information).
- Implementations SHOULD NOT support ExternalName Services.
- \n Support: Core (Services with a type other than ExternalName)
- \n Support: Implementation-specific (Services with type
- ExternalName)"
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
@@ -286,24 +1276,27 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the backend.
- When unspecified, the local namespace is inferred. \n
- Note that when a namespace different than the local
- namespace is specified, a ReferenceGrant object is required
- in the referent namespace to allow that namespace's
- owner to accept the reference. See the ReferenceGrant
- documentation for details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: Port specifies the destination port number
- to use for this resource. Port is required when the
- referent is a Kubernetes Service. In this case, the
- port number is the service port number, not the target
- port. For other resources, destination port might be
- derived from the referent resource or this field.
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
format: int32
maximum: 65535
minimum: 1
@@ -315,24 +1308,817 @@ spec:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'')
? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a
+ backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) :
+ !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' :
+ true'
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base
+ duration for which a host will be ejected on
+ consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors sets the
+ number of consecutive gateway errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be
+ ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash
+ policy when the consistent hash type is set
+ to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set
+ for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures the header hash
+ policy when the consistent hash type is set
+ to Header.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the
+ header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is cookie, the
+ cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
headersToBackend:
- description: HeadersToBackend are the authorization response
- headers that will be added to the original client request
- before sending it to the backend server. Note that coexisting
- headers will be overridden. If not specified, no authorization
- response headers will be added to the original client request.
+ description: |-
+ HeadersToBackend are the authorization response headers that will be added
+ to the original client request before sending it to the backend server.
+ Note that coexisting headers will be overridden.
+ If not specified, no authorization response headers will be added to the
+ original client request.
items:
type: string
type: array
path:
- description: Path is the path of the HTTP External Authorization
- service. If path is specified, the authorization request
- will be sent to that path, or else the authorization request
- will be sent to the root path.
+ description: |-
+ Path is the path of the HTTP External Authorization service.
+ If path is specified, the authorization request will be sent to that path,
+ or else the authorization request will be sent to the root path.
type: string
- required:
- - backendRef
type: object
+ x-kubernetes-validations:
+ - message: backendRef or backendRefs needs to be set
+ rule: has(self.backendRef) || self.backendRefs.size() > 0
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: BackendRefs only supports Service and Backend kind.
+ rule: 'has(self.backendRefs) ? self.backendRefs.all(f, f.kind
+ == ''Service'' || f.kind == ''Backend'') : true'
+ - message: BackendRefs only supports Core and gateway.envoyproxy.io
+ group.
+ rule: 'has(self.backendRefs) ? (self.backendRefs.all(f, f.group
+ == "" || f.group == ''gateway.envoyproxy.io'')) : true'
+ recomputeRoute:
+ description: |-
+ RecomputeRoute clears the route cache and recalculates the routing decision.
+ This field must be enabled if the headers added or modified by the ExtAuth are used for
+ route matching decisions. If the recomputation selects a new route, features targeting
+ the new matched route will be applied.
+ type: boolean
type: object
x-kubernetes-validations:
- message: one of grpc or http must be specified
@@ -340,60 +2126,48 @@ spec:
- message: only one of grpc or http can be specified
rule: (has(self.grpc) && !has(self.http)) || (!has(self.grpc) &&
has(self.http))
- - message: group is invalid, only the core API group (specified by
- omitting the group field or setting it to an empty string) is
- supported
- rule: 'has(self.grpc) ? (!has(self.grpc.backendRef.group) || self.grpc.backendRef.group
- == "") : true'
- - message: kind is invalid, only Service (specified by omitting the
- kind field or setting it to 'Service') is supported
- rule: 'has(self.grpc) ? (!has(self.grpc.backendRef.kind) || self.grpc.backendRef.kind
- == ''Service'') : true'
- - message: group is invalid, only the core API group (specified by
- omitting the group field or setting it to an empty string) is
- supported
- rule: 'has(self.http) ? (!has(self.http.backendRef.group) || self.http.backendRef.group
- == "") : true'
- - message: kind is invalid, only Service (specified by omitting the
- kind field or setting it to 'Service') is supported
- rule: 'has(self.http) ? (!has(self.http.backendRef.kind) || self.http.backendRef.kind
- == ''Service'') : true'
jwt:
description: JWT defines the configuration for JSON Web Token (JWT)
authentication.
properties:
+ optional:
+ description: |-
+ Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
+ Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
+ type: boolean
providers:
- description: Providers defines the JSON Web Token (JWT) authentication
- provider type. When multiple JWT providers are specified, the
- JWT is considered valid if any of the providers successfully
- validate the JWT. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
+ description: |-
+ Providers defines the JSON Web Token (JWT) authentication provider type.
+ When multiple JWT providers are specified, the JWT is considered valid if
+ any of the providers successfully validate the JWT. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html.
items:
description: JWTProvider defines how a JSON Web Token (JWT)
can be verified.
properties:
audiences:
- description: Audiences is a list of JWT audiences allowed
- access. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3.
- If not provided, JWT audiences are not checked.
+ description: |-
+ Audiences is a list of JWT audiences allowed access. For additional details, see
+ https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences
+ are not checked.
items:
type: string
maxItems: 8
type: array
claimToHeaders:
- description: 'ClaimToHeaders is a list of JWT claims that
- must be extracted into HTTP request headers For examples,
- following config: The claim must be of type; string, int,
- double, bool. Array type claims are not supported'
+ description: |-
+ ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers
+ For examples, following config:
+ The claim must be of type; string, int, double, bool. Array type claims are not supported
items:
description: ClaimToHeader defines a configuration to
convert JWT claims into HTTP headers
properties:
claim:
- description: 'Claim is the JWT Claim that should be
- saved into the header : it can be a nested claim
- of type (eg. "claim.nested.key", "sub"). The nested
- claim name must use dot "." to separate the JSON
- name path.'
+ description: |-
+ Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type
+ (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
+ to separate the JSON name path.
type: string
header:
description: Header defines the name of the HTTP request
@@ -405,11 +2179,10 @@ spec:
type: object
type: array
extractFrom:
- description: ExtractFrom defines different ways to extract
- the JWT token from HTTP request. If empty, it defaults
- to extract JWT token from the Authorization HTTP request
- header using Bearer schema or access_token from query
- parameters.
+ description: |-
+ ExtractFrom defines different ways to extract the JWT token from HTTP request.
+ If empty, it defaults to extract JWT token from the Authorization HTTP request header using Bearer schema
+ or access_token from query parameters.
properties:
cookies:
description: Cookies represents a list of cookie names
@@ -429,12 +2202,10 @@ spec:
the token
type: string
valuePrefix:
- description: 'ValuePrefix is the prefix that should
- be stripped before extracting the token. The
- format would be used by Envoy like "{ValuePrefix}".
- For example, "Authorization: Bearer ",
- then the ValuePrefix="Bearer " with a space
- at the end.'
+ description: |-
+ ValuePrefix is the prefix that should be stripped before extracting the token.
+ The format would be used by Envoy like "{ValuePrefix}".
+ For example, "Authorization: Bearer ", then the ValuePrefix="Bearer " with a space at the end.
type: string
required:
- name
@@ -448,36 +2219,36 @@ spec:
type: array
type: object
issuer:
- description: Issuer is the principal that issued the JWT
- and takes the form of a URL or email address. For additional
- details, see https://tools.ietf.org/html/rfc7519#section-4.1.1
- for URL format and https://rfc-editor.org/rfc/rfc5322.html
- for email format. If not provided, the JWT issuer is not
- checked.
+ description: |-
+ Issuer is the principal that issued the JWT and takes the form of a URL or email address.
+ For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for
+ URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided,
+ the JWT issuer is not checked.
maxLength: 253
type: string
name:
- description: Name defines a unique name for the JWT provider.
- A name can have a variety of forms, including RFC1123
- subdomains, RFC 1123 labels, or RFC 1035 labels.
+ description: |-
+ Name defines a unique name for the JWT provider. A name can have a variety of forms,
+ including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
maxLength: 253
minLength: 1
type: string
recomputeRoute:
- description: RecomputeRoute clears the route cache and recalculates
- the routing decision. This field must be enabled if the
- headers generated from the claim are used for route matching
- decisions. If the recomputation selects a new route, features
- targeting the new matched route will be applied.
+ description: |-
+ RecomputeRoute clears the route cache and recalculates the routing decision.
+ This field must be enabled if the headers generated from the claim are used for
+ route matching decisions. If the recomputation selects a new route, features targeting
+ the new matched route will be applied.
type: boolean
remoteJWKS:
- description: RemoteJWKS defines how to fetch and cache JSON
- Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
+ description: |-
+ RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
+ HTTP/HTTPS endpoint.
properties:
uri:
- description: URI is the HTTPS URI to fetch the JWKS.
- Envoy's system trust bundle is used to validate the
- server certificate.
+ description: |-
+ URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
+ validate the server certificate.
maxLength: 253
minLength: 1
type: string
@@ -504,21 +2275,24 @@ spec:
(OIDC) authentication.
properties:
clientID:
- description: The client ID to be used in the OIDC [Authentication
- Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ description: |-
+ The client ID to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
minLength: 1
type: string
clientSecret:
- description: "The Kubernetes secret which contains the OIDC client
- secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
- \n This is an Opaque secret. The client secret should be stored
- in the key \"client-secret\"."
+ description: |-
+ The Kubernetes secret which contains the OIDC client secret to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+ This is an Opaque secret. The client secret should be stored in the key
+ "client-secret".
properties:
group:
default: ""
- description: Group is the group of the referent. For example,
- "gateway.networking.k8s.io". When unspecified or empty string,
- core API group is inferred.
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
@@ -535,13 +2309,16 @@ spec:
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referenced
- object. When unspecified, the local namespace is inferred.
- \n Note that when a namespace different than the local namespace
- is specified, a ReferenceGrant object is required in the
- referent namespace to allow that namespace's owner to accept
- the reference. See the ReferenceGrant documentation for
- details. \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referenced object. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
@@ -549,43 +2326,975 @@ spec:
required:
- name
type: object
+ cookieDomain:
+ description: |-
+ The optional domain to set the access and ID token cookies on.
+ If not set, the cookies will default to the host of the request, not including the subdomains.
+ If set, the cookies will be set on the specified domain and all subdomains.
+ This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
+ type: string
+ cookieNames:
+ description: |-
+ The optional cookie name overrides to be used for Bearer and IdToken cookies in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, uses a randomly generated suffix
+ properties:
+ accessToken:
+ description: |-
+ The name of the cookie used to store the AccessToken in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, defaults to "AccessToken-(randomly generated uid)"
+ type: string
+ idToken:
+ description: |-
+ The name of the cookie used to store the IdToken in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ If not specified, defaults to "IdToken-(randomly generated uid)"
+ type: string
+ type: object
+ defaultRefreshTokenTTL:
+ description: |-
+ DefaultRefreshTokenTTL is the default lifetime of the refresh token.
+ This field is only used when the exp (expiration time) claim is omitted in
+ the refresh token or the refresh token is not JWT.
+
+ If not specified, defaults to 604800s (one week).
+ Note: this field is only applicable when the "refreshToken" field is set to true.
+ type: string
+ defaultTokenTTL:
+ description: |-
+ DefaultTokenTTL is the default lifetime of the id token and access token.
+ Please note that Envoy will always use the expiry time from the response
+ of the authorization server if it is provided. This field is only used when
+ the expiry time is not provided by the authorization.
+
+ If not specified, defaults to 0. In this case, the "expires_in" field in
+ the authorization response must be set by the authorization server, or the
+ OAuth flow will fail.
+ type: string
+ forwardAccessToken:
+ description: |-
+ ForwardAccessToken indicates whether the Envoy should forward the access token
+ via the Authorization header Bearer scheme to the upstream.
+ If not specified, defaults to false.
+ type: boolean
logoutPath:
- description: The path to log a user out, clearing their credential
- cookies. If not specified, uses a default logout path "/logout"
+ description: |-
+ The path to log a user out, clearing their credential cookies.
+
+ If not specified, uses a default logout path "/logout"
type: string
provider:
description: The OIDC Provider configuration.
properties:
authorizationEndpoint:
- description: The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
- If not provided, EG will try to discover it from the provider's
- [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ description: |-
+ The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
type: string
+ backendRef:
+ description: |-
+ BackendRef references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+
+ Deprecated: Use BackendRefs instead.
+ properties:
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ backendRefs:
+ description: |-
+ BackendRefs references a Kubernetes object that represents the
+ backend server to which the authorization request will be sent.
+ items:
+ description: BackendRef defines how an ObjectReference that
+ is specific to BackendRef.
+ properties:
+ fallback:
+ description: |-
+ Fallback indicates whether the backend is designated as a fallback.
+ Multiple fallback backends can be configured.
+ It is highly recommended to configure active or passive health checks to ensure that failover can be detected
+ when the active backends become unhealthy and to automatically readjust once the primary backends are healthy again.
+ The overprovisioning factor is set to 1.4, meaning the fallback backends will only start receiving traffic when
+ the health of the active backends falls below 72%.
+ type: boolean
+ group:
+ default: ""
+ description: |-
+ Group is the group of the referent. For example, "gateway.networking.k8s.io".
+ When unspecified or empty string, core API group is inferred.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ default: Service
+ description: |-
+ Kind is the Kubernetes resource kind of the referent. For example
+ "Service".
+
+ Defaults to "Service" when not specified.
+
+ ExternalName services can refer to CNAME DNS records that may live
+ outside of the cluster and as such are difficult to reason about in
+ terms of conformance. They also may not be safe to forward to (see
+ CVE-2021-25740 for more information). Implementations SHOULD NOT
+ support ExternalName Services.
+
+ Support: Core (Services with a type other than ExternalName)
+
+ Support: Implementation-specific (Services with type ExternalName)
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the referent.
+ maxLength: 253
+ minLength: 1
+ type: string
+ namespace:
+ description: |-
+ Namespace is the namespace of the backend. When unspecified, the local
+ namespace is inferred.
+
+ Note that when a namespace different than the local namespace is specified,
+ a ReferenceGrant object is required in the referent namespace to allow that
+ namespace's owner to accept the reference. See the ReferenceGrant
+ documentation for details.
+
+ Support: Core
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ port:
+ description: |-
+ Port specifies the destination port number to use for this resource.
+ Port is required when the referent is a Kubernetes Service. In this
+ case, the port number is the service port number, not the target port.
+ For other resources, destination port might be derived from the referent
+ resource or this field.
+ format: int32
+ maximum: 65535
+ minimum: 1
+ type: integer
+ required:
+ - name
+ type: object
+ x-kubernetes-validations:
+ - message: Must have port for Service reference
+ rule: '(size(self.group) == 0 && self.kind == ''Service'')
+ ? has(self.port) : true'
+ maxItems: 16
+ type: array
+ backendSettings:
+ description: |-
+ BackendSettings holds configuration for managing the connection
+ to the backend.
+ properties:
+ circuitBreaker:
+ description: |-
+ Circuit Breaker settings for the upstream connections and requests.
+ If not set, circuit breakers will be enabled with the default thresholds
+ properties:
+ maxConnections:
+ default: 1024
+ description: The maximum number of connections that
+ Envoy will establish to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRequests:
+ default: 1024
+ description: The maximum number of parallel requests
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxParallelRetries:
+ default: 1024
+ description: The maximum number of parallel retries
+ that Envoy will make to the referenced backend defined
+ within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxPendingRequests:
+ default: 1024
+ description: The maximum number of pending requests
+ that Envoy will queue to the referenced backend
+ defined within a xRoute rule.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ maxRequestsPerConnection:
+ description: |-
+ The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule.
+ Default: unlimited.
+ format: int64
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ type: object
+ connection:
+ description: Connection includes backend connection settings.
+ properties:
+ bufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ BufferLimit Soft limit on size of the cluster’s connections read and write buffers.
+ BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space.
+ If unspecified, an implementation defined default is applied (32768 bytes).
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note: that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ socketBufferLimit:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket
+ to backend.
+ SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
+ For example, 20Mi, 1Gi, 256Ki etc.
+ Note that when the suffix is not provided, the value is interpreted as bytes.
+ x-kubernetes-int-or-string: true
+ type: object
+ dns:
+ description: DNS includes dns resolution settings.
+ properties:
+ dnsRefreshRate:
+ description: |-
+ DNSRefreshRate specifies the rate at which DNS records should be refreshed.
+ Defaults to 30 seconds.
+ type: string
+ respectDnsTtl:
+ description: |-
+ RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected.
+ If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL.
+ Defaults to true.
+ type: boolean
+ type: object
+ healthCheck:
+ description: HealthCheck allows gateway to perform active
+ health checking on backends.
+ properties:
+ active:
+ description: Active health check configuration
+ properties:
+ grpc:
+ description: |-
+ GRPC defines the configuration of the GRPC health checker.
+ It's optional, and can only be used if the specified type is GRPC.
+ properties:
+ service:
+ description: |-
+ Service to send in the health check request.
+ If this is not specified, then the health check request applies to the entire
+ server and not to a specific service.
+ type: string
+ type: object
+ healthyThreshold:
+ default: 1
+ description: HealthyThreshold defines the number
+ of healthy health checks required before a backend
+ host is marked healthy.
+ format: int32
+ minimum: 1
+ type: integer
+ http:
+ description: |-
+ HTTP defines the configuration of http health checker.
+ It's required while the health checker type is HTTP.
+ properties:
+ expectedResponse:
+ description: ExpectedResponse defines a list
+ of HTTP expected responses to match.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ expectedStatuses:
+ description: |-
+ ExpectedStatuses defines a list of HTTP response statuses considered healthy.
+ Defaults to 200 only
+ items:
+ description: HTTPStatus defines the http
+ status code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ method:
+ description: |-
+ Method defines the HTTP method used for health checking.
+ Defaults to GET
+ type: string
+ path:
+ description: Path defines the HTTP path that
+ will be requested during health checking.
+ maxLength: 1024
+ minLength: 1
+ type: string
+ required:
+ - path
+ type: object
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ active health checks.
+ format: duration
+ type: string
+ tcp:
+ description: |-
+ TCP defines the configuration of tcp health checker.
+ It's required while the health checker type is TCP.
+ properties:
+ receive:
+ description: Receive defines the expected
+ response payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ send:
+ description: Send defines the request payload.
+ properties:
+ binary:
+ description: Binary payload base64 encoded.
+ format: byte
+ type: string
+ text:
+ description: Text payload in plain text.
+ type: string
+ type:
+ allOf:
+ - enum:
+ - Text
+ - Binary
+ - enum:
+ - Text
+ - Binary
+ description: Type defines the type of
+ the payload.
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If payload type is Text, text field
+ needs to be set.
+ rule: 'self.type == ''Text'' ? has(self.text)
+ : !has(self.text)'
+ - message: If payload type is Binary, binary
+ field needs to be set.
+ rule: 'self.type == ''Binary'' ? has(self.binary)
+ : !has(self.binary)'
+ type: object
+ timeout:
+ default: 1s
+ description: Timeout defines the time to wait
+ for a health check response.
+ format: duration
+ type: string
+ type:
+ allOf:
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ - enum:
+ - HTTP
+ - TCP
+ - GRPC
+ description: Type defines the type of health checker.
+ type: string
+ unhealthyThreshold:
+ default: 3
+ description: UnhealthyThreshold defines the number
+ of unhealthy health checks required before a
+ backend host is marked unhealthy.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If Health Checker type is HTTP, http field
+ needs to be set.
+ rule: 'self.type == ''HTTP'' ? has(self.http) :
+ !has(self.http)'
+ - message: If Health Checker type is TCP, tcp field
+ needs to be set.
+ rule: 'self.type == ''TCP'' ? has(self.tcp) : !has(self.tcp)'
+ - message: The grpc field can only be set if the Health
+ Checker type is GRPC.
+ rule: 'has(self.grpc) ? self.type == ''GRPC'' :
+ true'
+ passive:
+ description: Passive passive check configuration
+ properties:
+ baseEjectionTime:
+ default: 30s
+ description: BaseEjectionTime defines the base
+ duration for which a host will be ejected on
+ consecutive failures.
+ format: duration
+ type: string
+ consecutive5XxErrors:
+ default: 5
+ description: Consecutive5xxErrors sets the number
+ of consecutive 5xx errors triggering ejection.
+ format: int32
+ type: integer
+ consecutiveGatewayErrors:
+ default: 0
+ description: ConsecutiveGatewayErrors sets the
+ number of consecutive gateway errors triggering
+ ejection.
+ format: int32
+ type: integer
+ consecutiveLocalOriginFailures:
+ default: 5
+ description: |-
+ ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection.
+ Parameter takes effect only when split_external_local_origin_errors is set to true.
+ format: int32
+ type: integer
+ interval:
+ default: 3s
+ description: Interval defines the time between
+ passive health checks.
+ format: duration
+ type: string
+ maxEjectionPercent:
+ default: 10
+ description: MaxEjectionPercent sets the maximum
+ percentage of hosts in a cluster that can be
+ ejected.
+ format: int32
+ type: integer
+ splitExternalLocalOriginErrors:
+ default: false
+ description: SplitExternalLocalOriginErrors enables
+ splitting of errors between external and local
+ origin.
+ type: boolean
+ type: object
+ type: object
+ http2:
+ description: HTTP2 provides HTTP/2 configuration for backend
+ connections.
+ properties:
+ initialConnectionWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
+ If not set, the default value is 1 MiB.
+ x-kubernetes-int-or-string: true
+ initialStreamWindowSize:
+ allOf:
+ - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ - pattern: ^[1-9]+[0-9]*([EPTGMK]i|[EPTGMk])?$
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
+ If not set, the default value is 64 KiB(64*1024).
+ x-kubernetes-int-or-string: true
+ maxConcurrentStreams:
+ description: |-
+ MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
+ If not set, the default value is 100.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ onInvalidMessage:
+ description: |-
+ OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
+ It's recommended for L2 Envoy deployments to set this value to TerminateStream.
+ https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
+ Default: TerminateConnection
+ type: string
+ type: object
+ loadBalancer:
+ description: |-
+ LoadBalancer policy to apply when routing traffic from the gateway to
+ the backend endpoints. Defaults to `LeastRequest`.
+ properties:
+ consistentHash:
+ description: |-
+ ConsistentHash defines the configuration when the load balancer type is
+ set to ConsistentHash
+ properties:
+ cookie:
+ description: Cookie configures the cookie hash
+ policy when the consistent hash type is set
+ to Cookie.
+ properties:
+ attributes:
+ additionalProperties:
+ type: string
+ description: Additional Attributes to set
+ for the generated cookie.
+ type: object
+ name:
+ description: |-
+ Name of the cookie to hash.
+ If this cookie does not exist in the request, Envoy will generate a cookie and set
+ the TTL on the response back to the client based on Layer 4
+ attributes of the backend endpoint, to ensure that these future requests
+ go to the same backend endpoint. Make sure to set the TTL field for this case.
+ type: string
+ ttl:
+ description: |-
+ TTL of the generated cookie if the cookie is not present. This value sets the
+ Max-Age attribute value.
+ type: string
+ required:
+ - name
+ type: object
+ header:
+ description: Header configures the header hash
+ policy when the consistent hash type is set
+ to Header.
+ properties:
+ name:
+ description: Name of the header to hash.
+ type: string
+ required:
+ - name
+ type: object
+ tableSize:
+ default: 65537
+ description: The table size for consistent hashing,
+ must be prime number limited to 5000011.
+ format: int64
+ maximum: 5000011
+ minimum: 2
+ type: integer
+ type:
+ description: |-
+ ConsistentHashType defines the type of input to hash on. Valid Type values are
+ "SourceIP",
+ "Header",
+ "Cookie".
+ enum:
+ - SourceIP
+ - Header
+ - Cookie
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If consistent hash type is header, the
+ header field must be set.
+ rule: 'self.type == ''Header'' ? has(self.header)
+ : !has(self.header)'
+ - message: If consistent hash type is cookie, the
+ cookie field must be set.
+ rule: 'self.type == ''Cookie'' ? has(self.cookie)
+ : !has(self.cookie)'
+ slowStart:
+ description: |-
+ SlowStart defines the configuration related to the slow start load balancer policy.
+ If set, during slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently this is only supported for RoundRobin and LeastRequest load balancers
+ properties:
+ window:
+ description: |-
+ Window defines the duration of the warm up period for newly added host.
+ During slow start window, traffic sent to the newly added hosts will gradually increase.
+ Currently only supports linear growth of traffic. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig
+ type: string
+ required:
+ - window
+ type: object
+ type:
+ description: |-
+ Type decides the type of Load Balancer policy.
+ Valid LoadBalancerType values are
+ "ConsistentHash",
+ "LeastRequest",
+ "Random",
+ "RoundRobin".
+ enum:
+ - ConsistentHash
+ - LeastRequest
+ - Random
+ - RoundRobin
+ type: string
+ required:
+ - type
+ type: object
+ x-kubernetes-validations:
+ - message: If LoadBalancer type is consistentHash, consistentHash
+ field needs to be set.
+ rule: 'self.type == ''ConsistentHash'' ? has(self.consistentHash)
+ : !has(self.consistentHash)'
+ - message: Currently SlowStart is only supported for RoundRobin
+ and LeastRequest load balancers.
+ rule: 'self.type in [''Random'', ''ConsistentHash'']
+ ? !has(self.slowStart) : true '
+ proxyProtocol:
+ description: ProxyProtocol enables the Proxy Protocol
+ when communicating with the backend.
+ properties:
+ version:
+ description: |-
+ Version of ProxyProtol
+ Valid ProxyProtocolVersion values are
+ "V1"
+ "V2"
+ enum:
+ - V1
+ - V2
+ type: string
+ required:
+ - version
+ type: object
+ retry:
+ description: |-
+ Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions.
+ If not set, retry will be disabled.
+ properties:
+ numRetries:
+ default: 2
+ description: NumRetries is the number of retries to
+ be attempted. Defaults to 2.
+ format: int32
+ minimum: 0
+ type: integer
+ perRetry:
+ description: PerRetry is the retry policy to be applied
+ per retry attempt.
+ properties:
+ backOff:
+ description: |-
+ Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
+ back-off algorithm for retries. For additional details,
+ see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries
+ properties:
+ baseInterval:
+ description: BaseInterval is the base interval
+ between retries.
+ format: duration
+ type: string
+ maxInterval:
+ description: |-
+ MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set.
+ The default is 10 times the base_interval
+ format: duration
+ type: string
+ type: object
+ timeout:
+ description: Timeout is the timeout per retry
+ attempt.
+ format: duration
+ type: string
+ type: object
+ retryOn:
+ description: |-
+ RetryOn specifies the retry trigger condition.
+
+ If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
+ properties:
+ httpStatusCodes:
+ description: |-
+ HttpStatusCodes specifies the http status codes to be retried.
+ The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.
+ items:
+ description: HTTPStatus defines the http status
+ code.
+ exclusiveMaximum: true
+ maximum: 600
+ minimum: 100
+ type: integer
+ type: array
+ triggers:
+ description: Triggers specifies the retry trigger
+ condition(Http/Grpc).
+ items:
+ description: TriggerEnum specifies the conditions
+ that trigger retries.
+ enum:
+ - 5xx
+ - gateway-error
+ - reset
+ - connect-failure
+ - retriable-4xx
+ - refused-stream
+ - retriable-status-codes
+ - cancelled
+ - deadline-exceeded
+ - internal
+ - resource-exhausted
+ - unavailable
+ type: string
+ type: array
+ type: object
+ type: object
+ tcpKeepalive:
+ description: |-
+ TcpKeepalive settings associated with the upstream client connection.
+ Disabled by default.
+ properties:
+ idleTime:
+ description: |-
+ The duration a connection needs to be idle before keep-alive
+ probes start being sent.
+ The duration format is
+ Defaults to `7200s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ interval:
+ description: |-
+ The duration between keep-alive probes.
+ Defaults to `75s`.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ probes:
+ description: |-
+ The total number of unacknowledged probes to send before deciding
+ the connection is dead.
+ Defaults to 9.
+ format: int32
+ type: integer
+ type: object
+ timeout:
+ description: Timeout settings for the backend connections.
+ properties:
+ http:
+ description: Timeout settings for HTTP.
+ properties:
+ connectionIdleTimeout:
+ description: |-
+ The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
+ Default: 1 hour.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ maxConnectionDuration:
+ description: |-
+ The maximum duration of an HTTP connection.
+ Default: unlimited.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ requestTimeout:
+ description: RequestTimeout is the time until
+ which entire response is received from the upstream.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ tcp:
+ description: Timeout settings for TCP.
+ properties:
+ connectTimeout:
+ description: |-
+ The timeout for network connection establishment, including TCP and TLS handshakes.
+ Default: 10 seconds.
+ pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
+ type: string
+ type: object
+ type: object
+ type: object
issuer:
- description: The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
- Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component
- that MUST be https, a host component, and optionally, port
- and path components and no query or fragment components.
+ description: |-
+ The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+ Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
+ be https, a host component, and optionally, port and path components and
+ no query or fragment components.
minLength: 1
type: string
tokenEndpoint:
- description: The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
- If not provided, EG will try to discover it from the provider's
- [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+ description: |-
+ The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+ If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
type: string
required:
- issuer
type: object
+ x-kubernetes-validations:
+ - message: BackendRefs must be used, backendRef is not supported.
+ rule: '!has(self.backendRef)'
+ - message: Retry timeout is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)?
+ !has(self.backendSettings.retry.perRetry.timeout):true):true):true
+ - message: HTTPStatusCodes is not supported.
+ rule: has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)?
+ !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true
redirectURL:
- description: The redirect URL to be used in the OIDC [Authentication
- Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ description: |-
+ The redirect URL to be used in the OIDC
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
type: string
+ refreshToken:
+ description: |-
+ RefreshToken indicates whether the Envoy should automatically refresh the
+ id token and access token when they expire.
+ When set to true, the Envoy will use the refresh token to get a new id token
+ and access token when they expire.
+
+ If not specified, defaults to false.
+ type: boolean
+ resources:
+ description: |-
+ The OIDC resources to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ items:
+ type: string
+ type: array
scopes:
- description: The OIDC scopes to be used in the [Authentication
- Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
- The "openid" scope is always added to the list of scopes if
- not already specified.
+ description: |-
+ The OIDC scopes to be used in the
+ [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ The "openid" scope is always added to the list of scopes if not already
+ specified.
items:
type: string
type: array
@@ -595,10 +3304,12 @@ spec:
- provider
type: object
targetRef:
- description: TargetRef is the name of the Gateway resource this policy
- is being attached to. This Policy and the TargetRef MUST be in the
- same namespace for this Policy to have effect and be applied to
- the Gateway.
+ description: |-
+ TargetRef is the name of the resource this policy is being attached to.
+ This policy and the TargetRef MUST be in the same namespace for this
+ Policy to have effect
+
+ Deprecated: use targetRefs/targetSelectors instead
properties:
group:
description: Group is the group of the target resource.
@@ -616,24 +3327,19 @@ spec:
maxLength: 253
minLength: 1
type: string
- namespace:
- description: Namespace is the namespace of the referent. When
- unspecified, the local namespace is inferred. Even when policy
- targets a resource in a different namespace, it MUST only apply
- to traffic originating from the same namespace as the policy.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
sectionName:
- description: "SectionName is the name of a section within the
- target resource. When unspecified, this targetRef targets the
- entire resource. In the following resources, SectionName is
- interpreted as the following: \n * Gateway: Listener Name *
- Service: Port Name \n If a SectionName is specified, but does
- not exist on the targeted object, the Policy must fail to attach,
- and the policy implementation should record a `ResolvedRefs`
- or similar Condition in the Policy's status."
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -643,183 +3349,318 @@ spec:
- kind
- name
type: object
- x-kubernetes-validations:
- - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
- rule: self.group == 'gateway.networking.k8s.io'
- - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute
- rule: self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute']
- - message: this policy does not yet support the sectionName field
- rule: '!has(self.sectionName)'
- required:
- - targetRef
+ targetRefs:
+ description: |-
+ TargetRefs are the names of the Gateway resources this policy
+ is being attached to.
+ items:
+ description: |-
+ LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a
+ direct policy to. This should be used as part of Policy resources that can
+ target single resources. For more information on how this policy attachment
+ mode works, and a sample Policy resource, refer to the policy attachment
+ documentation for Gateway API.
+
+ Note: This should only be used for direct policy attachment when references
+ to SectionName are actually needed. In all other cases,
+ LocalPolicyTargetReference should be used.
+ properties:
+ group:
+ description: Group is the group of the target resource.
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is kind of the target resource.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ name:
+ description: Name is the name of the target resource.
+ maxLength: 253
+ minLength: 1
+ type: string
+ sectionName:
+ description: |-
+ SectionName is the name of a section within the target resource. When
+ unspecified, this targetRef targets the entire resource. In the following
+ resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name
+ * HTTPRoute: HTTPRouteRule name
+ * Service: Port name
+
+ If a SectionName is specified, but does not exist on the targeted object,
+ the Policy must fail to attach, and the policy implementation should record
+ a `ResolvedRefs` or similar Condition in the Policy's status.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - group
+ - kind
+ - name
+ type: object
+ type: array
+ targetSelectors:
+ description: TargetSelectors allow targeting resources for this policy
+ based on labels
+ items:
+ properties:
+ group:
+ default: gateway.networking.k8s.io
+ description: Group is the group that this selector targets.
+ Defaults to gateway.networking.k8s.io
+ maxLength: 253
+ pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ kind:
+ description: Kind is the resource kind that this selector targets.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+ type: string
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: MatchLabels are the set of label selectors for
+ identifying the targeted resource
+ type: object
+ required:
+ - kind
+ - matchLabels
+ type: object
+ x-kubernetes-validations:
+ - message: group must be gateway.networking.k8s.io
+ rule: 'has(self.group) ? self.group == ''gateway.networking.k8s.io''
+ : true '
+ type: array
type: object
+ x-kubernetes-validations:
+ - message: either targetRef or targetRefs must be used
+ rule: '(has(self.targetRef) && !has(self.targetRefs)) || (!has(self.targetRef)
+ && has(self.targetRefs)) || (has(self.targetSelectors) && self.targetSelectors.size()
+ > 0) '
+ - message: this policy can only have a targetRef.group of gateway.networking.k8s.io
+ rule: 'has(self.targetRef) ? self.targetRef.group == ''gateway.networking.k8s.io''
+ : true'
+ - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute
+ rule: 'has(self.targetRef) ? self.targetRef.kind in [''Gateway'', ''HTTPRoute'',
+ ''GRPCRoute''] : true'
+ - message: this policy does not yet support the sectionName field
+ rule: 'has(self.targetRef) ? !has(self.targetRef.sectionName) : true'
+ - message: this policy can only have a targetRefs[*].group of gateway.networking.k8s.io
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.group ==
+ ''gateway.networking.k8s.io'') : true '
+ - message: this policy can only have a targetRefs[*].kind of Gateway/HTTPRoute/GRPCRoute
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, ref.kind in [''Gateway'',
+ ''HTTPRoute'', ''GRPCRoute'']) : true '
+ - message: this policy does not yet support the sectionName field
+ rule: 'has(self.targetRefs) ? self.targetRefs.all(ref, !has(ref.sectionName))
+ : true'
+ - message: if authorization.rules.principal.jwt is used, jwt must be defined
+ rule: '(has(self.authorization) && has(self.authorization.rules) &&
+ self.authorization.rules.exists(r, has(r.principal.jwt))) ? has(self.jwt)
+ : true'
status:
description: Status defines the current status of SecurityPolicy.
properties:
ancestors:
- description: "Ancestors is a list of ancestor resources (usually Gateways)
- that are associated with the policy, and the status of the policy
- with respect to each ancestor. When this policy attaches to a parent,
- the controller that manages the parent and the ancestors MUST add
- an entry to this list when the controller first sees the policy
- and SHOULD update the entry as appropriate when the relevant ancestor
- is modified. \n Note that choosing the relevant ancestor is left
- to the Policy designers; an important part of Policy design is designing
- the right object level at which to namespace this status. \n Note
- also that implementations MUST ONLY populate ancestor status for
- the Ancestor resources they are responsible for. Implementations
- MUST use the ControllerName field to uniquely identify the entries
- in this list that they are responsible for. \n Note that to achieve
- this, the list of PolicyAncestorStatus structs MUST be treated as
- a map with a composite key, made up of the AncestorRef and ControllerName
- fields combined. \n A maximum of 16 ancestors will be represented
- in this list. An empty list means the Policy is not relevant for
- any ancestors. \n If this slice is full, implementations MUST NOT
- add further entries. Instead they MUST consider the policy unimplementable
- and signal that on any related resources such as the ancestor that
- would be referenced here. For example, if this list was full on
- BackendTLSPolicy, no additional Gateways would be able to reference
- the Service targeted by the BackendTLSPolicy."
+ description: |-
+ Ancestors is a list of ancestor resources (usually Gateways) that are
+ associated with the policy, and the status of the policy with respect to
+ each ancestor. When this policy attaches to a parent, the controller that
+ manages the parent and the ancestors MUST add an entry to this list when
+ the controller first sees the policy and SHOULD update the entry as
+ appropriate when the relevant ancestor is modified.
+
+ Note that choosing the relevant ancestor is left to the Policy designers;
+ an important part of Policy design is designing the right object level at
+ which to namespace this status.
+
+ Note also that implementations MUST ONLY populate ancestor status for
+ the Ancestor resources they are responsible for. Implementations MUST
+ use the ControllerName field to uniquely identify the entries in this list
+ that they are responsible for.
+
+ Note that to achieve this, the list of PolicyAncestorStatus structs
+ MUST be treated as a map with a composite key, made up of the AncestorRef
+ and ControllerName fields combined.
+
+ A maximum of 16 ancestors will be represented in this list. An empty list
+ means the Policy is not relevant for any ancestors.
+
+ If this slice is full, implementations MUST NOT add further entries.
+ Instead they MUST consider the policy unimplementable and signal that
+ on any related resources such as the ancestor that would be referenced
+ here. For example, if this list was full on BackendTLSPolicy, no
+ additional Gateways would be able to reference the Service targeted by
+ the BackendTLSPolicy.
items:
- description: "PolicyAncestorStatus describes the status of a route
- with respect to an associated Ancestor. \n Ancestors refer to
- objects that are either the Target of a policy or above it in
- terms of object hierarchy. For example, if a policy targets a
- Service, the Policy's Ancestors are, in order, the Service, the
- HTTPRoute, the Gateway, and the GatewayClass. Almost always, in
- this hierarchy, the Gateway will be the most useful object to
- place Policy status on, so we recommend that implementations SHOULD
- use Gateway as the PolicyAncestorStatus object unless the designers
- have a _very_ good reason otherwise. \n In the context of policy
- attachment, the Ancestor is used to distinguish which resource
- results in a distinct application of this policy. For example,
- if a policy targets a Service, it may have a distinct result per
- attached Gateway. \n Policies targeting the same resource may
- have different effects depending on the ancestors of those resources.
- For example, different Gateways targeting the same Service may
- have different capabilities, especially if they have different
- underlying implementations. \n For example, in BackendTLSPolicy,
- the Policy attaches to a Service that is used as a backend in
- a HTTPRoute that is itself attached to a Gateway. In this case,
- the relevant object for status is the Gateway, and that is the
- ancestor object referred to in this status. \n Note that a parent
- is also an ancestor, so for objects where the parent is the relevant
- object for status, this struct SHOULD still be used. \n This struct
- is intended to be used in a slice that's effectively a map, with
- a composite key made up of the AncestorRef and the ControllerName."
+ description: |-
+ PolicyAncestorStatus describes the status of a route with respect to an
+ associated Ancestor.
+
+ Ancestors refer to objects that are either the Target of a policy or above it
+ in terms of object hierarchy. For example, if a policy targets a Service, the
+ Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and
+ the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most
+ useful object to place Policy status on, so we recommend that implementations
+ SHOULD use Gateway as the PolicyAncestorStatus object unless the designers
+ have a _very_ good reason otherwise.
+
+ In the context of policy attachment, the Ancestor is used to distinguish which
+ resource results in a distinct application of this policy. For example, if a policy
+ targets a Service, it may have a distinct result per attached Gateway.
+
+ Policies targeting the same resource may have different effects depending on the
+ ancestors of those resources. For example, different Gateways targeting the same
+ Service may have different capabilities, especially if they have different underlying
+ implementations.
+
+ For example, in BackendTLSPolicy, the Policy attaches to a Service that is
+ used as a backend in a HTTPRoute that is itself attached to a Gateway.
+ In this case, the relevant object for status is the Gateway, and that is the
+ ancestor object referred to in this status.
+
+ Note that a parent is also an ancestor, so for objects where the parent is the
+ relevant object for status, this struct SHOULD still be used.
+
+ This struct is intended to be used in a slice that's effectively a map,
+ with a composite key made up of the AncestorRef and the ControllerName.
properties:
ancestorRef:
- description: AncestorRef corresponds with a ParentRef in the
- spec that this PolicyAncestorStatus struct describes the status
- of.
+ description: |-
+ AncestorRef corresponds with a ParentRef in the spec that this
+ PolicyAncestorStatus struct describes the status of.
properties:
group:
default: gateway.networking.k8s.io
- description: "Group is the group of the referent. When unspecified,
- \"gateway.networking.k8s.io\" is inferred. To set the
- core API group (such as for a \"Service\" kind referent),
- Group must be explicitly set to \"\" (empty string). \n
- Support: Core"
+ description: |-
+ Group is the group of the referent.
+ When unspecified, "gateway.networking.k8s.io" is inferred.
+ To set the core API group (such as for a "Service" kind referent),
+ Group must be explicitly set to "" (empty string).
+
+ Support: Core
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Gateway
- description: "Kind is kind of the referent. \n There are
- two kinds of parent resources with \"Core\" support: \n
- * Gateway (Gateway conformance profile) * Service (Mesh
- conformance profile, experimental, ClusterIP Services
- only) \n Support for other resources is Implementation-Specific."
+ description: |-
+ Kind is kind of the referent.
+
+ There are two kinds of parent resources with "Core" support:
+
+ * Gateway (Gateway conformance profile)
+ * Service (Mesh conformance profile, ClusterIP Services only)
+
+ Support for other resources is Implementation-Specific.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
- description: "Name is the name of the referent. \n Support:
- Core"
+ description: |-
+ Name is the name of the referent.
+
+ Support: Core
maxLength: 253
minLength: 1
type: string
namespace:
- description: "Namespace is the namespace of the referent.
- When unspecified, this refers to the local namespace of
- the Route. \n Note that there are specific rules for ParentRefs
- which cross namespace boundaries. Cross-namespace references
- are only valid if they are explicitly allowed by something
- in the namespace they are referring to. For example: Gateway
- has the AllowedRoutes field, and ReferenceGrant provides
- a generic way to enable any other kind of cross-namespace
- reference. \n ParentRefs
- from a Route to a Service in the same namespace are \"producer\"
- routes, which apply default routing rules to inbound connections
- from any namespace to the Service. \n ParentRefs from
- a Route to a Service in a different namespace are \"consumer\"
- routes, and these routing rules are only applied to outbound
- connections originating from the same namespace as the
- Route, for which the intended destination of the connections
- are a Service targeted as a ParentRef of the Route.
- \n Support: Core"
+ description: |-
+ Namespace is the namespace of the referent. When unspecified, this refers
+ to the local namespace of the Route.
+
+ Note that there are specific rules for ParentRefs which cross namespace
+ boundaries. Cross-namespace references are only valid if they are explicitly
+ allowed by something in the namespace they are referring to. For example:
+ Gateway has the AllowedRoutes field, and ReferenceGrant provides a
+ generic way to enable any other kind of cross-namespace reference.
+
+
+ ParentRefs from a Route to a Service in the same namespace are "producer"
+ routes, which apply default routing rules to inbound connections from
+ any namespace to the Service.
+
+ ParentRefs from a Route to a Service in a different namespace are
+ "consumer" routes, and these routing rules are only applied to outbound
+ connections originating from the same namespace as the Route, for which
+ the intended destination of the connections are a Service targeted as a
+ ParentRef of the Route.
+
+
+ Support: Core
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
- description: "Port is the network port this Route targets.
- It can be interpreted differently based on the type of
- parent resource. \n When the parent resource is a Gateway,
- this targets all listeners listening on the specified
- port that also support this kind of Route(and select this
- Route). It's not recommended to set `Port` unless the
- networking behaviors specified in a Route must apply to
- a specific port as opposed to a listener(s) whose port(s)
- may be changed. When both Port and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. \n
- When the parent resource is a Service, this targets a
- specific port in the Service spec. When both Port (experimental)
- and SectionName are specified, the name and port of the
- selected port must match both specified values.
- \n Implementations MAY choose to support other parent
- resources. Implementations supporting other types of parent
- resources MUST clearly document how/if Port is interpreted.
- \n For the purpose of status, an attachment is considered
- successful as long as the parent resource accepts it partially.
- For example, Gateway listeners can restrict which Routes
- can attach to them by Route kind, namespace, or hostname.
- If 1 of 2 Gateway listeners accept attachment from the
- referencing Route, the Route MUST be considered successfully
- attached. If no Gateway listeners accept attachment from
- this Route, the Route MUST be considered detached from
- the Gateway. \n Support: Extended \n "
+ description: |-
+ Port is the network port this Route targets. It can be interpreted
+ differently based on the type of parent resource.
+
+ When the parent resource is a Gateway, this targets all listeners
+ listening on the specified port that also support this kind of Route(and
+ select this Route). It's not recommended to set `Port` unless the
+ networking behaviors specified in a Route must apply to a specific port
+ as opposed to a listener(s) whose port(s) may be changed. When both Port
+ and SectionName are specified, the name and port of the selected listener
+ must match both specified values.
+
+
+ When the parent resource is a Service, this targets a specific port in the
+ Service spec. When both Port (experimental) and SectionName are specified,
+ the name and port of the selected port must match both specified values.
+
+
+ Implementations MAY choose to support other parent resources.
+ Implementations supporting other types of parent resources MUST clearly
+ document how/if Port is interpreted.
+
+ For the purpose of status, an attachment is considered successful as
+ long as the parent resource accepts it partially. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
+ from the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route,
+ the Route MUST be considered detached from the Gateway.
+
+ Support: Extended
format: int32
maximum: 65535
minimum: 1
type: integer
sectionName:
- description: "SectionName is the name of a section within
- the target resource. In the following resources, SectionName
- is interpreted as the following: \n * Gateway: Listener
- Name. When both Port (experimental) and SectionName are
- specified, the name and port of the selected listener
- must match both specified values. * Service: Port Name.
- When both Port (experimental) and SectionName are specified,
- the name and port of the selected listener must match
- both specified values. Note that attaching Routes to Services
- as Parents is part of experimental Mesh support and is
- not supported for any other purpose. \n Implementations
- MAY choose to support attaching Routes to other resources.
- If that is the case, they MUST clearly document how SectionName
- is interpreted. \n When unspecified (empty string), this
- will reference the entire resource. For the purpose of
- status, an attachment is considered successful if at least
- one section in the parent resource accepts it. For example,
- Gateway listeners can restrict which Routes can attach
- to them by Route kind, namespace, or hostname. If 1 of
- 2 Gateway listeners accept attachment from the referencing
- Route, the Route MUST be considered successfully attached.
- If no Gateway listeners accept attachment from this Route,
- the Route MUST be considered detached from the Gateway.
- \n Support: Core"
+ description: |-
+ SectionName is the name of a section within the target resource. In the
+ following resources, SectionName is interpreted as the following:
+
+ * Gateway: Listener name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+ * Service: Port name. When both Port (experimental) and SectionName
+ are specified, the name and port of the selected listener must match
+ both specified values.
+
+ Implementations MAY choose to support attaching Routes to other resources.
+ If that is the case, they MUST clearly document how SectionName is
+ interpreted.
+
+ When unspecified (empty string), this will reference the entire resource.
+ For the purpose of status, an attachment is considered successful if at
+ least one section in the parent resource accepts it. For example, Gateway
+ listeners can restrict which Routes can attach to them by Route kind,
+ namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
+ the referencing Route, the Route MUST be considered successfully
+ attached. If no Gateway listeners accept attachment from this Route, the
+ Route MUST be considered detached from the Gateway.
+
+ Support: Core
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
@@ -831,47 +3672,36 @@ spec:
description: Conditions describes the status of the Policy with
respect to the given Ancestor.
items:
- description: "Condition contains details for one aspect of
- the current state of this API Resource. --- This struct
- is intended for direct use as an array at the field path
- .status.conditions. For example, \n type FooStatus struct{
- // Represents the observations of a foo's current state.
- // Known .status.conditions.type are: \"Available\", \"Progressing\",
- and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
- // +listType=map // +listMapKey=type Conditions []metav1.Condition
- `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
- protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields
- }"
+ description: Condition contains details for one aspect of
+ the current state of this API Resource.
properties:
lastTransitionTime:
- description: lastTransitionTime is the last time the condition
- transitioned from one status to another. This should
- be when the underlying condition changed. If that is
- not known, then using the time when the API field changed
- is acceptable.
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
- description: message is a human readable message indicating
- details about the transition. This may be an empty string.
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
- description: observedGeneration represents the .metadata.generation
- that the condition was set based upon. For instance,
- if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration
- is 9, the condition is out of date with respect to the
- current state of the instance.
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
- description: reason contains a programmatic identifier
- indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected
- values and meanings for this field, and whether the
- values are considered a guaranteed API. The value should
- be a CamelCase string. This field may not be empty.
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
@@ -886,11 +3716,6 @@ spec:
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
- --- Many .condition.type values are consistent across
- resources like Available, but because arbitrary conditions
- can be useful (see .node.status.conditions), the ability
- to deconflict is important. The regex it matches is
- (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
@@ -908,16 +3733,20 @@ spec:
- type
x-kubernetes-list-type: map
controllerName:
- description: "ControllerName is a domain/path string that indicates
- the name of the controller that wrote this status. This corresponds
- with the controllerName field on GatewayClass. \n Example:
- \"example.net/gateway-controller\". \n The format of this
- field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid
- Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
- \n Controllers MUST populate this field when writing status.
- Controllers should ensure that entries to status populated
- with their ControllerName are cleaned up when they are no
- longer necessary."
+ description: |-
+ ControllerName is a domain/path string that indicates the name of the
+ controller that wrote this status. This corresponds with the
+ controllerName field on GatewayClass.
+
+ Example: "example.net/gateway-controller".
+
+ The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
+ valid Kubernetes names
+ (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ Controllers MUST populate this field when writing status. Controllers should ensure that
+ entries to status populated with their ControllerName are cleaned up when they are no
+ longer necessary.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
diff --git a/helm/envoy-gateway/templates/NOTES.txt b/helm/envoy-gateway/templates/NOTES.txt
index e002d40..595c49b 100644
--- a/helm/envoy-gateway/templates/NOTES.txt
+++ b/helm/envoy-gateway/templates/NOTES.txt
@@ -15,6 +15,6 @@ To learn more about the release, try:
$ helm status {{ .Release.Name }} -n {{ .Release.Namespace }}
$ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
-To have a quickstart of Envoy Gateway, please refer to https://gateway.envoyproxy.io/latest/user/quickstart.
+To have a quickstart of Envoy Gateway, please refer to https://gateway.envoyproxy.io/latest/tasks/quickstart.
To get more details, please visit https://gateway.envoyproxy.io and https://github.com/envoyproxy/gateway.
diff --git a/helm/envoy-gateway/templates/_helpers.tpl b/helm/envoy-gateway/templates/_helpers.tpl
index 105a0cc..2645585 100644
--- a/helm/envoy-gateway/templates/_helpers.tpl
+++ b/helm/envoy-gateway/templates/_helpers.tpl
@@ -61,3 +61,72 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+The name of the Envoy Gateway image.
+*/}}
+{{- define "eg.image" -}}
+{{- if .Values.image.registry }}
+{{- .Values.image.registry }}/{{- .Values.image.repository }}/{{- .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
+{{- else if .Values.global.images.envoyGateway.image }}
+{{- .Values.global.images.envoyGateway.image }}
+{{- else }}
+docker.io/envoyproxy/gateway:{{ .Chart.Version }}
+{{- end }}
+{{- end }}
+
+{{/*
+Pull policy for the Envoy Gateway image.
+*/}}
+{{- define "eg.image.pullPolicy" -}}
+{{ .Values.deployment.envoyGateway.imagePullPolicy | default .Values.global.images.envoyGateway.pullPolicy | default "IfNotPresent" }}
+{{- end }}
+
+{{/*
+Pull secrets for the Envoy Gateway image.
+*/}}
+{{- define "eg.image.pullSecrets" -}}
+{{- if .Values.deployment.envoyGateway.imagePullSecrets -}}
+imagePullSecrets:
+{{ toYaml .Values.deployment.envoyGateway.imagePullSecrets }}
+{{- else if .Values.global.images.envoyGateway.pullSecrets -}}
+imagePullSecrets:
+{{ toYaml .Values.global.images.envoyGateway.pullSecrets }}
+{{- else -}}
+imagePullSecrets: []
+{{- end }}
+{{- end }}
+
+{{/*
+The default Envoy Gateway configuration.
+*/}}
+{{- define "eg.default-envoy-gateway-config" -}}
+provider:
+ type: Kubernetes
+ kubernetes:
+ rateLimitDeployment:
+ container:
+ {{- if .Values.global.images.ratelimit.image }}
+ image: {{ .Values.global.images.ratelimit.image }}
+ {{- else }}
+ image: "docker.io/envoyproxy/ratelimit:master"
+ {{- end }}
+ {{- with .Values.global.images.ratelimit.pullSecrets }}
+ pod:
+ imagePullSecrets:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- with .Values.global.images.ratelimit.pullPolicy }}
+ patch:
+ type: StrategicMerge
+ value:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: envoy-ratelimit
+ imagePullPolicy: {{ . }}
+ {{- end }}
+ shutdownManager:
+ image: {{ include "eg.image" . }}
+{{- end }}
diff --git a/helm/envoy-gateway/templates/_rbac.tpl b/helm/envoy-gateway/templates/_rbac.tpl
index 104f5f0..52a5648 100644
--- a/helm/envoy-gateway/templates/_rbac.tpl
+++ b/helm/envoy-gateway/templates/_rbac.tpl
@@ -43,6 +43,7 @@ apiGroups:
- apps
resources:
- deployments
+- daemonsets
verbs:
- get
- list
@@ -69,6 +70,9 @@ resources:
- clienttrafficpolicies
- backendtrafficpolicies
- securitypolicies
+- envoyextensionpolicies
+- backends
+- httproutefilters
verbs:
- get
- list
@@ -83,6 +87,8 @@ resources:
- clienttrafficpolicies/status
- backendtrafficpolicies/status
- securitypolicies/status
+- envoyextensionpolicies/status
+- backends/status
verbs:
- update
{{- end }}
diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
new file mode 100644
index 0000000..2af4f5c
--- /dev/null
+++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "eg.fullname" . }}-certgen
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+ labels:
+ app.kubernetes.io/component: "certgen"
+ {{- include "eg.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/component: "certgen"
+ {{- include "eg.selectorLabels" . | nindent 6 }}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: default
+ k8s:k8s-app: kubernetes
+ toPorts:
+ - ports:
+ - port: "443"
+ protocol: TCP
+ - toEndpoints:
+ - matchLabels:
+ k8s:component: kube-apiserver
+ k8s:tier: control-plane
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s:k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
new file mode 100644
index 0000000..0e9f09a
--- /dev/null
+++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "eg.fullname" . }}-certgen
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+ labels:
+ app.kubernetes.io/component: "certgen"
+ {{- include "eg.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: "certgen"
+ {{- include "eg.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ component: kube-apiserver
+ tier: control-plane
+ - to:
+ - ipBlock:
+ cidr: 172.31.0.1/32
+ ports:
+ - port: 443
+ protocol: TCP
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
diff --git a/helm/envoy-gateway/templates/certgen.yaml b/helm/envoy-gateway/templates/certgen.yaml
index 85750a9..f98c414 100644
--- a/helm/envoy-gateway/templates/certgen.yaml
+++ b/helm/envoy-gateway/templates/certgen.yaml
@@ -31,30 +31,29 @@ spec:
fieldPath: metadata.namespace
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ .Values.kubernetesClusterDomain }}
- image: {{ printf "%s/%s" .Values.image.registry .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
+ image: {{ include "eg.image" . }}
+ imagePullPolicy: {{ include "eg.image.pullPolicy" . }}
name: envoy-gateway-certgen
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
{{- with .Values.certgen.job.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
- {{- with .Values.deployment.envoyGateway.imagePullSecrets }}
- imagePullSecrets:
+ securityContext:
+ {{- toYaml .Values.certgen.job.securityContext | nindent 10 }}
+ {{- include "eg.image.pullSecrets" . | nindent 6 }}
+ {{- with .Values.certgen.job.affinity }}
+ affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.certgen.job.nodeSelector }}
+ nodeSelector:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.certgen.job.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
restartPolicy: Never
- securityContext:
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
serviceAccountName: {{ include "eg.fullname" . }}-certgen
{{- if not ( kindIs "invalid" .Values.certgen.job.ttlSecondsAfterFinished) }}
ttlSecondsAfterFinished: {{ .Values.certgen.job.ttlSecondsAfterFinished }}
diff --git a/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
new file mode 100644
index 0000000..a44b6ee
--- /dev/null
+++ b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+metadata:
+ name: {{ include "eg.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+ labels:
+ control-plane: envoy-gateway
+ {{- include "eg.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ control-plane: envoy-gateway
+ {{- include "eg.selectorLabels" . | nindent 6 }}
+ egress:
+ - toEntities:
+ - kube-apiserver
+ - cluster
+ - toEndpoints:
+ - matchLabels:
+ k8s:io.kubernetes.pod.namespace: kube-system
+ k8s-app: kube-dns
+ toPorts:
+ - ports:
+ - port: "53"
+ protocol: UDP
+ - port: "53"
+ protocol: TCP
+ ingress:
+ - fromEntities:
+ - cluster
+ toPorts:
+ - ports:
+ {{- range .Values.deployment.envoyGateway.ports }}
+ - port: {{ printf "\"%d\"" .port }}
+ protocol: TCP
+ {{- end }}
diff --git a/helm/envoy-gateway/templates/envoy-gateway-config.yaml b/helm/envoy-gateway/templates/envoy-gateway-config.yaml
index b57b672..8fc1d2d 100644
--- a/helm/envoy-gateway/templates/envoy-gateway-config.yaml
+++ b/helm/envoy-gateway/templates/envoy-gateway-config.yaml
@@ -9,4 +9,7 @@ data:
envoy-gateway.yaml: |
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
- {{- toYaml .Values.config.envoyGateway | nindent 4 }}
+ {{- $baseEnvoyGatewayConfig := include "eg.default-envoy-gateway-config" . | fromYaml }}
+ {{- $userEnvoyGatewayConfig := .Values.config.envoyGateway }}
+ {{- $mergedEnvoyGatewayConfig := merge $userEnvoyGatewayConfig $baseEnvoyGatewayConfig }}
+ {{- toYaml $mergedEnvoyGatewayConfig | nindent 4 }}
diff --git a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
index ecc12fa..7746dd2 100644
--- a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
+++ b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
@@ -1,11 +1,3 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: envoy-gateway
- namespace: '{{ .Release.Namespace }}'
- labels:
- {{- include "eg.labels" . | nindent 4 }}
----
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -37,6 +29,18 @@ spec:
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
+ {{- with .Values.deployment.pod.nodeSelector }}
+ nodeSelector:
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.deployment.pod.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.deployment.pod.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
containers:
- args:
- server
@@ -49,8 +53,8 @@ spec:
fieldPath: metadata.namespace
- name: KUBERNETES_CLUSTER_DOMAIN
value: {{ .Values.kubernetesClusterDomain }}
- image: {{ printf "%s/%s" .Values.image.registry .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
+ image: {{ include "eg.image" . }}
+ imagePullPolicy: {{ include "eg.image.pullPolicy" . }}
livenessProbe:
httpGet:
path: /healthz
@@ -63,21 +67,16 @@ spec:
- containerPort: {{ .port }}
name: {{ .name }}
{{- end}}
- - containerPort: 19001
- name: http-metrics
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
- resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
+ resources:
+ {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
+ {{- toYaml .Values.deployment.envoyGateway.securityContext | nindent 10 }}
volumeMounts:
- mountPath: /config
name: envoy-gateway-config
@@ -85,16 +84,10 @@ spec:
- mountPath: /certs
name: certs
readOnly: true
- {{- with .Values.deployment.envoyGateway.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
+ {{- include "eg.image.pullSecrets" . | nindent 6 }}
+ {{- with .Values.deployment.priorityClassName }}
+ priorityClassName: {{ . | quote }}
{{- end }}
- securityContext:
- runAsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- seccompProfile:
- type: RuntimeDefault
serviceAccountName: envoy-gateway
terminationGracePeriodSeconds: 10
volumes:
diff --git a/helm/envoy-gateway/templates/envoy-gateway-metrics-service.yaml b/helm/envoy-gateway/templates/envoy-gateway-metrics-service.yaml
deleted file mode 100644
index da17559..0000000
--- a/helm/envoy-gateway/templates/envoy-gateway-metrics-service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- annotations:
- prometheus.io/scrape: 'true'
- prometheus.io/port: '19001'
- name: envoy-gateway-metrics-service
- namespace: '{{ .Release.Namespace }}'
- labels:
- control-plane: envoy-gateway
- {{- include "eg.labels" . | nindent 4 }}
-spec:
- selector:
- control-plane: envoy-gateway
- {{- include "eg.selectorLabels" . | nindent 4 }}
- ports:
- - name: http
- port: {{ .Values.envoyGatewayMetricsService.port }}
- protocol: TCP
- targetPort: http-metrics
diff --git a/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
new file mode 100644
index 0000000..9d9049d
--- /dev/null
+++ b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
@@ -0,0 +1,45 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "eg.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": "pre-install,pre-upgrade"
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+ labels:
+ control-plane: envoy-gateway
+ {{- include "eg.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ control-plane: envoy-gateway
+ {{- include "eg.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-apiserver
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ ingress:
+ - ports:
+ {{- range .Values.deployment.envoyGateway.ports }}
+ - port: {{ .port }}
+ protocol: TCP
+ {{- end }}
+ from:
+ - namespaceSelector: {}
diff --git a/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml b/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml
new file mode 100644
index 0000000..8e0bca0
--- /dev/null
+++ b/helm/envoy-gateway/templates/envoy-gateway-poddisruptionbudget.yaml
@@ -0,0 +1,18 @@
+{{- if or (and .Values.podDisruptionBudget.minAvailable (ge (int .Values.podDisruptionBudget.minAvailable) 1) ) (and .Values.podDisruptionBudget.maxUnavailable (ge (int .Values.podDisruptionBudget.maxUnavailable) 1) )}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: envoy-gateway
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ {{- if and .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ control-plane: envoy-gateway
+ {{- include "eg.selectorLabels" . | nindent 6 }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/envoy-gateway/templates/envoy-gateway-service.yaml b/helm/envoy-gateway/templates/envoy-gateway-service.yaml
index b9dd4cd..39b30ea 100644
--- a/helm/envoy-gateway/templates/envoy-gateway-service.yaml
+++ b/helm/envoy-gateway/templates/envoy-gateway-service.yaml
@@ -3,6 +3,10 @@ kind: Service
metadata:
name: envoy-gateway
namespace: '{{ .Release.Namespace }}'
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
labels:
control-plane: envoy-gateway
{{- include "eg.labels" . | nindent 4 }}
@@ -11,4 +15,4 @@ spec:
control-plane: envoy-gateway
{{- include "eg.selectorLabels" . | nindent 4 }}
ports:
- {{- .Values.deployment.ports | toYaml | nindent 2 -}}
+ {{- .Values.deployment.ports | toYaml | nindent 2 -}}
diff --git a/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml b/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml
new file mode 100644
index 0000000..23af6fe
--- /dev/null
+++ b/helm/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: envoy-gateway
+ namespace: '{{ .Release.Namespace }}'
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
diff --git a/helm/envoy-gateway/templates/infra-manager-rbac.yaml b/helm/envoy-gateway/templates/infra-manager-rbac.yaml
index ad8aa5e..74c0ec6 100644
--- a/helm/envoy-gateway/templates/infra-manager-rbac.yaml
+++ b/helm/envoy-gateway/templates/infra-manager-rbac.yaml
@@ -11,28 +11,35 @@ rules:
resources:
- serviceaccounts
- services
+ - configmaps
verbs:
- create
- get
- delete
+ - deletecollection
- patch
- apiGroups:
- apps
resources:
- deployments
+ - daemonsets
verbs:
- create
- get
- delete
+ - deletecollection
- patch
- apiGroups:
- autoscaling
+ - policy
resources:
- horizontalpodautoscalers
+ - poddisruptionbudgets
verbs:
- create
- get
- delete
+ - deletecollection
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
diff --git a/helm/envoy-gateway/templates/namespace.yaml b/helm/envoy-gateway/templates/namespace.yaml
index 0361b22..c68c79a 100644
--- a/helm/envoy-gateway/templates/namespace.yaml
+++ b/helm/envoy-gateway/templates/namespace.yaml
@@ -2,5 +2,5 @@
apiVersion: v1
kind: Namespace
metadata:
- name: '{{ .Release.Namespace }}'
-{{ end }}
+ name: '{{ .Values.namespace }}'
+{{ end }}
diff --git a/helm/envoy-gateway/values.schema.json b/helm/envoy-gateway/values.schema.json
index f04b004..ca9733c 100644
--- a/helm/envoy-gateway/values.schema.json
+++ b/helm/envoy-gateway/values.schema.json
@@ -8,9 +8,15 @@
"job": {
"type": "object",
"properties": {
+ "affinity": {
+ "type": "object"
+ },
"annotations": {
"type": "object"
},
+ "nodeSelector": {
+ "type": "object"
+ },
"resources": {
"type": "object",
"properties": {
@@ -35,6 +41,51 @@
}
}
},
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "type": "object",
+ "properties": {
+ "drop": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seccompProfile": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "tolerations": {
+ "type": "array"
+ },
"ttlSecondsAfterFinished": {
"type": "integer"
}
@@ -124,9 +175,6 @@
"limits": {
"type": "object",
"properties": {
- "cpu": {
- "type": "string"
- },
"memory": {
"type": "string"
}
@@ -144,6 +192,48 @@
}
}
}
+ },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "type": "object",
+ "properties": {
+ "drop": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "seccompProfile": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ }
+ }
+ }
}
}
},
@@ -154,10 +244,27 @@
"type": "object"
},
"annotations": {
- "type": "object"
+ "type": "object",
+ "properties": {
+ "prometheus.io/port": {
+ "type": "string"
+ },
+ "prometheus.io/scrape": {
+ "type": "string"
+ }
+ }
},
"labels": {
"type": "object"
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
}
}
},
@@ -178,16 +285,49 @@
}
}
},
+ "priorityClassName": {
+ "type": "null"
+ },
"replicas": {
"type": "integer"
}
}
},
- "envoyGatewayMetricsService": {
+ "global": {
"type": "object",
"properties": {
- "port": {
- "type": "integer"
+ "images": {
+ "type": "object",
+ "properties": {
+ "envoyGateway": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string"
+ },
+ "pullSecrets": {
+ "type": "array"
+ }
+ }
+ },
+ "ratelimit": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string"
+ },
+ "pullSecrets": {
+ "type": "array"
+ }
+ }
+ }
+ }
}
}
},
@@ -201,6 +341,22 @@
},
"kubernetesClusterDomain": {
"type": "string"
+ },
+ "podDisruptionBudget": {
+ "type": "object",
+ "properties": {
+ "minAvailable": {
+ "type": "integer"
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ }
+ }
}
}
}
diff --git a/helm/envoy-gateway/values.yaml b/helm/envoy-gateway/values.yaml
index a721781..b81476e 100644
--- a/helm/envoy-gateway/values.yaml
+++ b/helm/envoy-gateway/values.yaml
@@ -1,20 +1,61 @@
+# The global settings for the Envoy Gateway Helm chart.
+# These values will be used if the values are not overridden in the other sections.
+global:
+ images:
+ envoyGateway:
+ # This is the full image name including the hub, repo, and tag.
+ image: docker.io/envoyproxy/gateway:v1.2.1
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ pullPolicy: IfNotPresent
+ # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+ pullSecrets: []
+ ratelimit:
+ # This is the full image name including the hub, repo, and tag.
+ image: "docker.io/envoyproxy/ratelimit:master"
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ pullPolicy: IfNotPresent
+ # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+ pullSecrets: []
+
+name: envoy-gateway
+namespace: envoy-gateway-system
+serviceType: managed
+
+podDisruptionBudget:
+ minAvailable: 0
+ # maxUnavailable: 1
+
image:
registry: gsoci.azurecr.io
+ repository: giantswarm
deployment:
envoyGateway:
image:
name: envoyproxy-gateway
- tag: 'v1.0.2'
- imagePullPolicy: Always
+ tag: 'v1.2.1'
+ imagePullPolicy: ""
imagePullSecrets: []
resources:
limits:
- cpu: 500m
memory: 1024Mi
requests:
cpu: 100m
memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
ports:
- name: grpc
port: 18000
@@ -22,11 +63,26 @@ deployment:
- name: ratelimit
port: 18001
targetPort: 18001
+ - name: wasm
+ port: 18002
+ targetPort: 18002
+ - name: metrics
+ port: 19001
+ targetPort: 19001
+ priorityClassName: null
replicas: 1
pod:
affinity: {}
- annotations: {}
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '19001'
labels: {}
+ topologySpreadConstraints: []
+ tolerations: []
+ nodeSelector: {}
+
+service:
+ annotations: {}
config:
envoyGateway:
@@ -38,9 +94,6 @@ config:
level:
default: info
-envoyGatewayMetricsService:
- port: 19001
-
createNamespace: false
kubernetesClusterDomain: cluster.local
@@ -54,7 +107,22 @@ certgen:
memory: 100Mi
limits:
memory: 500Mi
- ttlSecondsAfterFinished: 0
+ affinity: {}
+ tolerations: []
+ nodeSelector: {}
+ ttlSecondsAfterFinished: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsGroup: 65534
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
rbac:
annotations: {}
labels: {}
diff --git a/sync/patches/image-registry/000-image-registry.patch b/sync/patches/image-registry/000-image-registry.patch
index 171bd8e..9232534 100644
--- a/sync/patches/image-registry/000-image-registry.patch
+++ b/sync/patches/image-registry/000-image-registry.patch
@@ -1,52 +1,15 @@
-diff --git a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
-index 1ee5c7f..8dd1100 100644
---- a/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
-+++ b/helm/envoy-gateway/templates/envoy-gateway-deployment.yaml
-@@ -49,7 +49,7 @@ spec:
- fieldPath: metadata.namespace
- - name: KUBERNETES_CLUSTER_DOMAIN
- value: {{ .Values.kubernetesClusterDomain }}
-- image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
-+ image: {{ printf "%s/%s" .Values.image.registry .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
- livenessProbe:
- httpGet:
-@@ -71,8 +71,7 @@ spec:
- port: 8081
- initialDelaySeconds: 5
- periodSeconds: 10
-- resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10
-- }}
-+ resources: {{- toYaml .Values.deployment.envoyGateway.resources | nindent 10 }}
- securityContext:
- allowPrivilegeEscalation: false
- volumeMounts:
-diff --git a/helm/envoy-gateway/templates/certgen.yaml b/helm/envoy-gateway/templates/certgen.yaml
-index 78d5ec2..48dbd28 100644
---- a/helm/envoy-gateway/templates/certgen.yaml
-+++ b/helm/envoy-gateway/templates/certgen.yaml
-@@ -31,7 +31,7 @@ spec:
- fieldPath: metadata.namespace
- - name: KUBERNETES_CLUSTER_DOMAIN
- value: {{ .Values.kubernetesClusterDomain }}
-- image: {{ .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
-+ image: {{ printf "%s/%s" .Values.image.registry .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
- imagePullPolicy: {{ .Values.deployment.envoyGateway.imagePullPolicy }}
- name: envoy-gateway-certgen
- {{- with .Values.certgen.job.resources }}
-diff --git a/helm/envoy-gateway/values.yaml b/helm/envoy-gateway/values.yaml
-index 5ae25f3..8b7f212 100644
---- a/helm/envoy-gateway/values.yaml
-+++ b/helm/envoy-gateway/values.yaml
-@@ -1,7 +1,10 @@
-+image:
-+ registry: gsoci.azurecr.io
-+
- deployment:
- envoyGateway:
- image:
-- repository: docker.io/envoyproxy/gateway
-+ name: envoyproxy-gateway
- tag: 'v1.0.2'
- imagePullPolicy: Always
- imagePullSecrets: []
+diff --git a/helm/envoy-gateway/templates/_helpers.tpl b/helm/envoy-gateway/templates/_helpers.tpl
+index d9aefc2..cdadc41 100644
+--- a/helm/envoy-gateway/templates/_helpers.tpl
++++ b/helm/envoy-gateway/templates/_helpers.tpl
+@@ -65,8 +66,8 @@ Create the name of the service account to use
+ The name of the Envoy Gateway image.
+ */}}
+ {{- define "eg.image" -}}
+-{{- if .Values.deployment.envoyGateway.image.repository }}
+-{{- .Values.deployment.envoyGateway.image.repository }}:{{ .Values.deployment.envoyGateway.image.tag | default .Values.global.images.envoyGateway.tag | default .Chart.AppVersion }}
++{{- if .Values.image.registry }}
++{{- .Values.image.registry }}/{{- .Values.image.repository }}/{{- .Values.deployment.envoyGateway.image.name }}:{{ .Values.deployment.envoyGateway.image.tag | default .Chart.AppVersion }}
+ {{- else if .Values.global.images.envoyGateway.image }}
+ {{- .Values.global.images.envoyGateway.image }}
+ {{- else }}
diff --git a/sync/patches/namespace-values/000-namespace-values.patch b/sync/patches/namespace-values/000-namespace-values.patch
new file mode 100644
index 0000000..ef8ce17
--- /dev/null
+++ b/sync/patches/namespace-values/000-namespace-values.patch
@@ -0,0 +1,12 @@
+diff --git b/vendor/gateway-helm/templates/namespace.yaml a/helm/envoy-gateway/templates/namespace.yaml
+index 0361b22..c68c79a 100644
+--- b/vendor/gateway-helm/templates/namespace.yaml
++++ a/helm/envoy-gateway/templates/namespace.yaml
+@@ -2,5 +2,5 @@
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+- name: '{{ .Release.Namespace }}'
+-{{ end }}
++ name: '{{ .Values.namespace }}'
++{{ end }}
diff --git a/sync/patches/namespace-values/patch.sh b/sync/patches/namespace-values/patch.sh
new file mode 100755
index 0000000..87ee159
--- /dev/null
+++ b/sync/patches/namespace-values/patch.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+repo_dir=$(git rev-parse --show-toplevel) ; readonly repo_dir
+script_dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) ; readonly script_dir
+
+cd "${repo_dir}"
+
+readonly script_dir_rel=".${script_dir#"${repo_dir}"}"
+
+set -x
+git apply "${script_dir_rel}/000-namespace-values.patch"
+
+{ set +x; } 2>/dev/null
diff --git a/sync/patches/network-policies/000-network-policies.patch b/sync/patches/network-policies/000-network-policies.patch
new file mode 100644
index 0000000..f809604
--- /dev/null
+++ b/sync/patches/network-policies/000-network-policies.patch
@@ -0,0 +1,197 @@
+diff --git a/helm/envoy-gateway/templates/certgen-cnp.yaml b/helm/envoy-gateway/templates/certgen-cnp.yaml
+new file mode 100644
+index 0000000..2af4f5c
+--- /dev/null
++++ b/helm/envoy-gateway/templates/certgen-cnp.yaml
+@@ -0,0 +1,43 @@
++---
++apiVersion: "cilium.io/v2"
++kind: CiliumNetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}-certgen
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ endpointSelector:
++ matchLabels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ egress:
++ - toEntities:
++ - kube-apiserver
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: default
++ k8s:k8s-app: kubernetes
++ toPorts:
++ - ports:
++ - port: "443"
++ protocol: TCP
++ - toEndpoints:
++ - matchLabels:
++ k8s:component: kube-apiserver
++ k8s:tier: control-plane
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: kube-system
++ k8s:k8s-app: kube-dns
++ toPorts:
++ - ports:
++ - port: "53"
++ protocol: UDP
++ - port: "53"
++ protocol: TCP
+diff --git a/helm/envoy-gateway/templates/certgen-netpol.yaml b/helm/envoy-gateway/templates/certgen-netpol.yaml
+new file mode 100644
+index 0000000..0e9f09a
+--- /dev/null
++++ b/helm/envoy-gateway/templates/certgen-netpol.yaml
+@@ -0,0 +1,44 @@
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}-certgen
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ podSelector:
++ matchLabels:
++ app.kubernetes.io/component: "certgen"
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ policyTypes:
++ - Ingress
++ - Egress
++ egress:
++ - to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ component: kube-apiserver
++ tier: control-plane
++ - to:
++ - ipBlock:
++ cidr: 172.31.0.1/32
++ ports:
++ - port: 443
++ protocol: TCP
++ - ports:
++ - port: 53
++ protocol: UDP
++ - port: 53
++ protocol: TCP
++ to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ k8s-app: kube-dns
+diff --git a/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
+new file mode 100644
+index 0000000..a44b6ee
+--- /dev/null
++++ b/helm/envoy-gateway/templates/envoy-gateway-cnp.yaml
+@@ -0,0 +1,41 @@
++---
++apiVersion: "cilium.io/v2"
++kind: CiliumNetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ control-plane: envoy-gateway
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ endpointSelector:
++ matchLabels:
++ control-plane: envoy-gateway
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ egress:
++ - toEntities:
++ - kube-apiserver
++ - cluster
++ - toEndpoints:
++ - matchLabels:
++ k8s:io.kubernetes.pod.namespace: kube-system
++ k8s-app: kube-dns
++ toPorts:
++ - ports:
++ - port: "53"
++ protocol: UDP
++ - port: "53"
++ protocol: TCP
++ ingress:
++ - fromEntities:
++ - cluster
++ toPorts:
++ - ports:
++ {{- range .Values.deployment.envoyGateway.ports }}
++ - port: {{ printf "\"%d\"" .port }}
++ protocol: TCP
++ {{- end }}
+diff --git a/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
+new file mode 100644
+index 0000000..9d9049d
+--- /dev/null
++++ b/helm/envoy-gateway/templates/envoy-gateway-netpol.yaml
+@@ -0,0 +1,45 @@
++---
++apiVersion: networking.k8s.io/v1
++kind: NetworkPolicy
++metadata:
++ name: {{ include "eg.fullname" . }}
++ namespace: {{ .Release.Namespace }}
++ annotations:
++ "helm.sh/hook": "pre-install,pre-upgrade"
++ "helm.sh/hook-weight": "-10"
++ "helm.sh/hook-delete-policy": "before-hook-creation"
++ labels:
++ control-plane: envoy-gateway
++ {{- include "eg.labels" . | nindent 4 }}
++spec:
++ podSelector:
++ matchLabels:
++ control-plane: envoy-gateway
++ {{- include "eg.selectorLabels" . | nindent 6 }}
++ policyTypes:
++ - Ingress
++ - Egress
++ egress:
++ - to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ k8s-app: kube-apiserver
++ - to:
++ - namespaceSelector: {}
++ podSelector:
++ matchLabels:
++ k8s-app: kube-dns
++ ports:
++ - port: 53
++ protocol: UDP
++ - port: 53
++ protocol: TCP
++ ingress:
++ - ports:
++ {{- range .Values.deployment.envoyGateway.ports }}
++ - port: {{ .port }}
++ protocol: TCP
++ {{- end }}
++ from:
++ - namespaceSelector: {}
diff --git a/sync/patches/network-policies/patch.sh b/sync/patches/network-policies/patch.sh
new file mode 100755
index 0000000..efccd06
--- /dev/null
+++ b/sync/patches/network-policies/patch.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+repo_dir=$(git rev-parse --show-toplevel) ; readonly repo_dir
+script_dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) ; readonly script_dir
+
+cd "${repo_dir}"
+
+readonly script_dir_rel=".${script_dir#"${repo_dir}"}"
+
+set -x
+git apply "${script_dir_rel}/000-network-policies.patch"
+
+{ set +x; } 2>/dev/null
diff --git a/sync/patches/pss-comply/patch.sh b/sync/patches/pss-comply/patch.sh
index c14229c..0f1c90f 100755
--- a/sync/patches/pss-comply/patch.sh
+++ b/sync/patches/pss-comply/patch.sh
@@ -12,6 +12,6 @@ cd "${repo_dir}"
readonly script_dir_rel=".${script_dir#"${repo_dir}"}"
set -x
-git apply "${script_dir_rel}/000-pss-comply.patch"
+# git apply "${script_dir_rel}/000-pss-comply.patch"
{ set +x; } 2>/dev/null
diff --git a/sync/patches/values/values.schema.json b/sync/patches/values/values.schema.json
index f04b004..ca9733c 100644
--- a/sync/patches/values/values.schema.json
+++ b/sync/patches/values/values.schema.json
@@ -8,9 +8,15 @@
"job": {
"type": "object",
"properties": {
+ "affinity": {
+ "type": "object"
+ },
"annotations": {
"type": "object"
},
+ "nodeSelector": {
+ "type": "object"
+ },
"resources": {
"type": "object",
"properties": {
@@ -35,6 +41,51 @@
}
}
},
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "type": "object",
+ "properties": {
+ "drop": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seccompProfile": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "tolerations": {
+ "type": "array"
+ },
"ttlSecondsAfterFinished": {
"type": "integer"
}
@@ -124,9 +175,6 @@
"limits": {
"type": "object",
"properties": {
- "cpu": {
- "type": "string"
- },
"memory": {
"type": "string"
}
@@ -144,6 +192,48 @@
}
}
}
+ },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "type": "object",
+ "properties": {
+ "drop": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "seccompProfile": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ }
+ }
+ }
}
}
},
@@ -154,10 +244,27 @@
"type": "object"
},
"annotations": {
- "type": "object"
+ "type": "object",
+ "properties": {
+ "prometheus.io/port": {
+ "type": "string"
+ },
+ "prometheus.io/scrape": {
+ "type": "string"
+ }
+ }
},
"labels": {
"type": "object"
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
}
}
},
@@ -178,16 +285,49 @@
}
}
},
+ "priorityClassName": {
+ "type": "null"
+ },
"replicas": {
"type": "integer"
}
}
},
- "envoyGatewayMetricsService": {
+ "global": {
"type": "object",
"properties": {
- "port": {
- "type": "integer"
+ "images": {
+ "type": "object",
+ "properties": {
+ "envoyGateway": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string"
+ },
+ "pullSecrets": {
+ "type": "array"
+ }
+ }
+ },
+ "ratelimit": {
+ "type": "object",
+ "properties": {
+ "image": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string"
+ },
+ "pullSecrets": {
+ "type": "array"
+ }
+ }
+ }
+ }
}
}
},
@@ -201,6 +341,22 @@
},
"kubernetesClusterDomain": {
"type": "string"
+ },
+ "podDisruptionBudget": {
+ "type": "object",
+ "properties": {
+ "minAvailable": {
+ "type": "integer"
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ }
+ }
}
}
}
diff --git a/sync/patches/values/values.yaml b/sync/patches/values/values.yaml
index a721781..b81476e 100644
--- a/sync/patches/values/values.yaml
+++ b/sync/patches/values/values.yaml
@@ -1,20 +1,61 @@
+# The global settings for the Envoy Gateway Helm chart.
+# These values will be used if the values are not overridden in the other sections.
+global:
+ images:
+ envoyGateway:
+ # This is the full image name including the hub, repo, and tag.
+ image: docker.io/envoyproxy/gateway:v1.2.1
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ pullPolicy: IfNotPresent
+ # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+ pullSecrets: []
+ ratelimit:
+ # This is the full image name including the hub, repo, and tag.
+ image: "docker.io/envoyproxy/ratelimit:master"
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ pullPolicy: IfNotPresent
+ # List of secrets in the same namespace of the component that can be used to pull images from private repositories.
+ pullSecrets: []
+
+name: envoy-gateway
+namespace: envoy-gateway-system
+serviceType: managed
+
+podDisruptionBudget:
+ minAvailable: 0
+ # maxUnavailable: 1
+
image:
registry: gsoci.azurecr.io
+ repository: giantswarm
deployment:
envoyGateway:
image:
name: envoyproxy-gateway
- tag: 'v1.0.2'
- imagePullPolicy: Always
+ tag: 'v1.2.1'
+ imagePullPolicy: ""
imagePullSecrets: []
resources:
limits:
- cpu: 500m
memory: 1024Mi
requests:
cpu: 100m
memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
+ runAsGroup: 65532
+ runAsUser: 65532
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
ports:
- name: grpc
port: 18000
@@ -22,11 +63,26 @@ deployment:
- name: ratelimit
port: 18001
targetPort: 18001
+ - name: wasm
+ port: 18002
+ targetPort: 18002
+ - name: metrics
+ port: 19001
+ targetPort: 19001
+ priorityClassName: null
replicas: 1
pod:
affinity: {}
- annotations: {}
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '19001'
labels: {}
+ topologySpreadConstraints: []
+ tolerations: []
+ nodeSelector: {}
+
+service:
+ annotations: {}
config:
envoyGateway:
@@ -38,9 +94,6 @@ config:
level:
default: info
-envoyGatewayMetricsService:
- port: 19001
-
createNamespace: false
kubernetesClusterDomain: cluster.local
@@ -54,7 +107,22 @@ certgen:
memory: 100Mi
limits:
memory: 500Mi
- ttlSecondsAfterFinished: 0
+ affinity: {}
+ tolerations: []
+ nodeSelector: {}
+ ttlSecondsAfterFinished: 30
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsGroup: 65534
+ runAsUser: 65534
+ seccompProfile:
+ type: RuntimeDefault
rbac:
annotations: {}
labels: {}
diff --git a/sync/sync.sh b/sync/sync.sh
index f6df40d..f140f19 100755
--- a/sync/sync.sh
+++ b/sync/sync.sh
@@ -12,11 +12,16 @@ set -x
vendir sync
{ set +x; } 2>/dev/null
+# Remove trailing whitespace end of lines (hack to fix vendir bug)
+find vendor/ -type f -exec sed -i 's/[[:space:]]*$//' {} \;
+
# Patches
./sync/patches/image-registry/patch.sh
./sync/patches/pss-comply/patch.sh
./sync/patches/team-label/patch.sh
+./sync/patches/namespace-values/patch.sh
./sync/patches/values/patch.sh
+./sync/patches/network-policies/patch.sh
HELM_DOCS="docker run --rm -u $(id -u) -v ${PWD}:/helm-docs -w /helm-docs jnorwood/helm-docs:v1.11.0"
$HELM_DOCS --template-files=sync/readme.gotmpl -g helm/envoy-gateway -f values.yaml -o README.md
@@ -35,7 +40,7 @@ for f in $(git --no-pager diff --no-exit-code --no-color --no-index vendor/gatew
set +e
set -x
- git --no-pager diff --no-exit-code --no-color --no-index $base_file "${f}" \
+ git --no-pager diff --no-exit-code --no-color --no-index "$base_file" "${f}" \
> "./diffs/${f//\//__}.patch" # ${f//\//__} replaces all "/" with "__"
ret=$?
diff --git a/vendir.lock.yml b/vendir.lock.yml
index 24fbe19..fd19bf5 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
- helmChart:
- appVersion: v1.0.2
- version: v1.0.2
+ appVersion: v1.2.1
+ version: v1.2.1
path: gateway-helm
path: vendor
- contents:
diff --git a/vendir.yml b/vendir.yml
index 69c04e4..20dc18d 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories:
- path: gateway-helm
helmChart:
name: gateway-helm
- version: v1.0.2
+ version: v1.2.1
repository:
url: oci://docker.io/envoyproxy
- path: helm/envoy-gateway