{ "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "spec defines the desired state of AgentgatewayPolicy.", "properties": { "backend": { "description": "backend defines settings for how to connect to destination backends.\n\nA backend policy can target a Gateway (optionally, with a sectionName indicating the listener), ListenerSet, Route\n(optionally, with a sectionName indicating the route rule), or a Service/Backend (optionally, with a sectionName\nindicating the port (for Service) or sub-backend (for Backend).\n\nNote that a backend policy applies when connecting to a specific destination backend. Targeting a higher level\nresource, like Gateway, is just a way to easily apply a policy to a group of backends.\n\nWhen multiple policies are selected for a given request, they are merged on a field-level basis, but not a deep\nmerge. Precedence is given to more precise policies: Gateway < Listener < Route < Route Rule < Backend/Service. For\nexample, if a Gateway policy sets 'tcp' and 'tls', and a Backend policy sets 'tls', the effective policy would be\n'tcp' from the Gateway, and 'tls' from the Backend.", "properties": { "ai": { "description": "ai specifies settings for AI workloads. This is only applicable when connecting to a Backend of type 'ai'.", "properties": { "defaults": { "description": "Provide defaults to merge with user input fields. If the field is already set, the field in the request is used.", "items": { "description": "FieldDefault provides default values for specific fields in the JSON request body sent to the LLM provider.\nThese defaults are merged with the user-provided request to ensure missing fields are populated.\n\nUser input fields here refer to the fields in the JSON request body that a client sends when making a request to the LLM provider.\nDefaults set here do _not_ override those user-provided values unless you explicitly set `override` to `true`.\n\nExample: Setting a default system field for Anthropic, which does not support system role messages:\n```yaml\ndefaults:\n - field: \"system\"\n value: \"answer all questions in French\"\n\n```\n\nExample: Setting a default temperature and overriding `max_tokens`:\n```yaml\ndefaults:\n - field: \"temperature\"\n value: \"0.5\"\n - field: \"max_tokens\"\n value: \"100\"\n override: true\n\n```\n\nExample: Setting custom lists fields:\n```yaml\ndefaults:\n - field: \"custom_integer_list\"\n value: [1,2,3]\n\noverrides:\n - field: \"custom_string_list\"\n value: [\"one\",\"two\",\"three\"]\n\n```\n\nNote: The `field` values correspond to keys in the JSON request body, not fields in this CRD.", "properties": { "field": { "description": "The name of the field.", "maxLength": 256, "minLength": 1, "type": "string" }, "value": { "description": "The field default value, which can be any JSON Data Type.", "x-kubernetes-preserve-unknown-fields": true } }, "required": [ "field", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 64, "minItems": 1, "type": "array" }, "modelAliases": { "additionalProperties": { "type": "string" }, "description": "ModelAliases maps friendly model names to actual provider model names.\nExample: {\"fast\": \"gpt-3.5-turbo\", \"smart\": \"gpt-4-turbo\"}\nNote: This field is only applicable when using the agentgateway data plane.", "maxProperties": 64, "type": "object" }, "overrides": { "description": "Provide overrides to merge with user input fields. If the field is already set, the field will be overwritten.", "items": { "description": "FieldDefault provides default values for specific fields in the JSON request body sent to the LLM provider.\nThese defaults are merged with the user-provided request to ensure missing fields are populated.\n\nUser input fields here refer to the fields in the JSON request body that a client sends when making a request to the LLM provider.\nDefaults set here do _not_ override those user-provided values unless you explicitly set `override` to `true`.\n\nExample: Setting a default system field for Anthropic, which does not support system role messages:\n```yaml\ndefaults:\n - field: \"system\"\n value: \"answer all questions in French\"\n\n```\n\nExample: Setting a default temperature and overriding `max_tokens`:\n```yaml\ndefaults:\n - field: \"temperature\"\n value: \"0.5\"\n - field: \"max_tokens\"\n value: \"100\"\n override: true\n\n```\n\nExample: Setting custom lists fields:\n```yaml\ndefaults:\n - field: \"custom_integer_list\"\n value: [1,2,3]\n\noverrides:\n - field: \"custom_string_list\"\n value: [\"one\",\"two\",\"three\"]\n\n```\n\nNote: The `field` values correspond to keys in the JSON request body, not fields in this CRD.", "properties": { "field": { "description": "The name of the field.", "maxLength": 256, "minLength": 1, "type": "string" }, "value": { "description": "The field default value, which can be any JSON Data Type.", "x-kubernetes-preserve-unknown-fields": true } }, "required": [ "field", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 64, "minItems": 1, "type": "array" }, "prompt": { "description": "Enrich requests sent to the LLM provider by appending and prepending system prompts. This can be configured only for\nLLM providers that use the `CHAT` or `CHAT_STREAMING` API route type.", "properties": { "append": { "description": "A list of messages to be appended to the prompt sent by the client.", "items": { "description": "An entry for a message to prepend or append to each prompt.", "properties": { "content": { "description": "String content of the message.", "type": "string" }, "role": { "description": "Role of the message. The available roles depend on the backend\nLLM provider model, such as `SYSTEM` or `USER` in the OpenAI API.", "type": "string" } }, "required": [ "content", "role" ], "type": "object", "additionalProperties": false }, "type": "array" }, "prepend": { "description": "A list of messages to be prepended to the prompt sent by the client.", "items": { "description": "An entry for a message to prepend or append to each prompt.", "properties": { "content": { "description": "String content of the message.", "type": "string" }, "role": { "description": "Role of the message. The available roles depend on the backend\nLLM provider model, such as `SYSTEM` or `USER` in the OpenAI API.", "type": "string" } }, "required": [ "content", "role" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "promptCaching": { "description": "promptCaching enables automatic prompt caching for supported providers (AWS Bedrock).\nReduces API costs by caching static content like system prompts and tool definitions.\nOnly applicable for Bedrock Claude 3+ and Nova models.", "properties": { "cacheMessages": { "default": true, "description": "CacheMessages enables caching for conversation messages.\nCaches all messages in the conversation for cost savings.", "type": "boolean" }, "cacheSystem": { "default": true, "description": "CacheSystem enables caching for system prompts.\nInserts a cache point after all system messages.", "type": "boolean" }, "cacheTools": { "default": false, "description": "CacheTools enables caching for tool definitions.\nInserts a cache point after all tool specifications.", "type": "boolean" }, "minTokens": { "default": 1024, "description": "MinTokens specifies the minimum estimated token count\nbefore caching is enabled. Uses rough heuristic (word count \u00d7 1.3) to estimate tokens.\nBedrock requires at least 1,024 tokens for caching to be effective.", "minimum": 0, "type": "integer" } }, "type": "object", "additionalProperties": false }, "promptGuard": { "description": "promptGuard enables adding guardrails to LLM requests and responses.", "properties": { "request": { "description": "Prompt guards to apply to requests sent by the client.", "items": { "description": "PromptguardRequest defines the prompt guards to apply to requests sent by the client.", "properties": { "openAIModeration": { "description": "openAIModeration passes prompt data through the OpenAI Moderations endpoint.\nSee https://platform.openai.com/docs/api-reference/moderations for more information.", "properties": { "model": { "description": "model specifies the moderation model to use. For example, `omni-moderation`.", "type": "string" }, "policies": { "description": "policies controls policies for communicating with OpenAI.", "properties": { "auth": { "description": "auth defines settings for managing authentication to the backend", "properties": { "aws": { "description": "Auth specifies an explicit AWS authentication method for the backend.\nWhen omitted, we will try to use the default AWS SDK authentication methods.", "properties": { "secretRef": { "description": "SecretRef references a Kubernetes Secret containing the AWS credentials.\nThe Secret must have keys \"accessKey\", \"secretKey\", and optionally \"sessionToken\".", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "secretRef" ], "type": "object", "additionalProperties": false }, "key": { "description": "key provides an inline key to use as the value of the Authorization header.\nThis option is the least secure; usage of a Secret is preferred.", "maxLength": 2048, "type": "string" }, "passthrough": { "description": "passthrough passes through an existing token that has been sent by the client and validated. Other policies, like\nJWT and API Key authentication, will strip the original client credentials. Passthrough backend authentication\ncauses the original token to be added back into the request. If there are no client authentication policies on the\nrequest, the original token would be unchanged, so this would have no effect.", "type": "object" }, "secretRef": { "description": "secretRef references a Kubernetes secret storing the key to use the authorization value. This must be stored in the\n'Authorization' key.", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [key secretRef passthrough aws] must be set", "rule": "[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "http": { "description": "http defines settings for managing HTTP requests to the backend.", "properties": { "requestTimeout": { "description": "requestTimeout specifies the deadline for receiving a response from the backend.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "requestTimeout must be at least 1ms", "rule": "duration(self) >= duration('1ms')" } ] }, "version": { "description": "version specifies the HTTP protocol version to use when connecting to the backend.\nIf not specified, the version is automatically determined:\n* Service types can specify it with 'appProtocol' on the Service port.\n* If traffic is identified as gRPC, HTTP2 is used.\n* If the incoming traffic was plaintext HTTP, the original protocol will be used.\n* If the incoming traffic was HTTPS, HTTP1 will be used. This is because most clients will\n transparently upgrade HTTPS traffic to HTTP2, even if the backend doesn't support it", "enum": [ "HTTP1", "HTTP2" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "tcp": { "description": "tcp defines settings for managing TCP connections to the backend.", "properties": { "connectTimeout": { "description": "connectTimeout defines the deadline for establishing a connection to the destination.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "connectTimeout must be at least 100ms", "rule": "duration(self) >= duration('100ms')" } ] }, "keepalive": { "description": "keepAlive defines settings for enabling TCP keepalives on the connection.", "properties": { "interval": { "description": "interval specifies the number of seconds between keep-alive probes.\nIf unset, this defaults to 180s.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "interval must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] }, "retries": { "description": "retries specifies the maximum number of keep-alive probes to send before dropping the connection.\nIf unset, this defaults to 9.", "format": "int32", "maximum": 64, "minimum": 1, "type": "integer" }, "time": { "description": "time specifies the number of seconds a connection needs to be idle before keep-alive probes start being sent.\nIf unset, this defaults to 180s.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "time must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "tls": { "description": "tls defines settings for managing TLS connections to the backend.\n\nIf this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to\nvalidate the server, and the SNI will automatically be set based on the destination.", "properties": { "alpnProtocols": { "description": "alpnProtocols sets the Application Level Protocol Negotiation (ALPN) value to use in the TLS handshake.\n\nIf not present, defaults to [\"h2\", \"http/1.1\"].", "items": { "maxLength": 64, "minLength": 1, "type": "string" }, "maxItems": 16, "minItems": 1, "type": "array" }, "caCertificateRefs": { "description": "caCertificateRefs defines the CA certificate ConfigMap to use to verify the server certificate.\nIf unset, the system's trusted certificates are used.", "items": { "description": "LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "maxItems": 1, "type": "array", "x-kubernetes-list-type": "atomic" }, "insecureSkipVerify": { "description": "insecureSkipVerify originates TLS but skips verification of the backend's certificate.\nWARNING: This is an insecure option that should only be used if the risks are understood.\n\nThere are two modes:\n* All disables all TLS verification\n* Hostname verifies the CA certificate is trusted, but ignores any mismatch of hostname/SANs. Note that this method\n is still insecure; prefer setting verifySubjectAltNames to customize the valid hostnames if possible.", "enum": [ "All", "Hostname" ], "type": "string" }, "mtlsCertificateRef": { "description": "mtlsCertificateRef enables mutual TLS to the backend, using the specified key (tls.key) and cert (tls.crt) from the\nrefenced Secret.\n\nAn optional 'ca.cert' field, if present, will be used to verify the server certificate if present. If\ncaCertificateRefs is also specified, the caCertificateRefs field takes priority.\n\nIf unspecified, no client certificate will be used.", "items": { "description": "LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "maxItems": 1, "type": "array", "x-kubernetes-list-type": "atomic" }, "sni": { "description": "sni specifies the Server Name Indicator (SNI) to be used in the TLS handshake. If unset, the SNI is automatically\nset based on the destination hostname.", "maxLength": 253, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "verifySubjectAltNames": { "description": "verifySubjectAltNames specifies the Subject Alternative Names (SAN) to verify in the server certificate.\nIf not present, the destination hostname is automatically used.", "items": { "maxLength": 256, "minLength": 1, "type": "string" }, "maxItems": 16, "minItems": 1, "type": "array" } }, "type": "object", "x-kubernetes-validations": [ { "message": "insecureSkipVerify All and caCertificateRefs may not be set together", "rule": "has(self.insecureSkipVerify) && self.insecureSkipVerify == 'All' ? !has(self.caCertificateRefs) : true" }, { "message": "insecureSkipVerify and verifySubjectAltNames may not be set together", "rule": "has(self.insecureSkipVerify) ? !has(self.verifySubjectAltNames) : true" }, { "message": "at most one of the fields in [verifySubjectAltNames insecureSkipVerify] may be set", "rule": "[has(self.verifySubjectAltNames),has(self.insecureSkipVerify)].filter(x,x==true).size() <= 1" } ], "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "regex": { "description": "Regular expression (regex) matching for prompt guards and data masking.", "properties": { "action": { "default": "Mask", "description": "The action to take if a regex pattern is matched in a request or response.\nThis setting applies only to request matches. PromptguardResponse matches are always masked by default.\nDefaults to `Mask`.", "enum": [ "Mask", "Reject" ], "type": "string" }, "builtins": { "description": "A list of built-in regex patterns to match against the request or response.\nMatches and built-ins are additive.", "items": { "description": "BuiltIn regex patterns for specific types of strings in prompts.\nFor example, if you specify `CreditCard`, any credit card numbers\nin the request or response are matched.", "enum": [ "Ssn", "CreditCard", "PhoneNumber", "Email", "CaSin" ], "type": "string" }, "type": "array" }, "matches": { "description": "A list of regex patterns to match against the request or response.\nMatches and built-ins are additive.", "items": { "maxLength": 1024, "minLength": 1, "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "response": { "description": "A custom response message to return to the client. If not specified, defaults to\n\"The request was rejected due to inappropriate content\".", "properties": { "message": { "default": "The request was rejected due to inappropriate content", "description": "A custom response message to return to the client. If not specified, defaults to\n\"The request was rejected due to inappropriate content\".", "type": "string" }, "statusCode": { "default": 403, "description": "The status code to return to the client. Defaults to 403.", "format": "int32", "maximum": 599, "minimum": 200, "type": "integer" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [message statusCode] must be set", "rule": "[has(self.message),has(self.statusCode)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "webhook": { "description": "Configure a webhook to forward requests to for prompt guarding.", "properties": { "backendRef": { "description": "backendRef references the webhook server to reach.\n\nSupported types: Service and Backend.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false }, "forwardHeaderMatches": { "description": "ForwardHeaderMatches defines a list of HTTP header matches that will be\nused to select the headers to forward to the webhook.\nRequest headers are used when forwarding requests and response headers\nare used when forwarding responses.\nBy default, no headers are forwarded.", "items": { "description": "HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request\nheaders.", "properties": { "name": { "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, only the first\nentry with an equivalent name MUST be considered for a match. Subsequent\nentries with an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.\n\nWhen a header is repeated in an HTTP request, it is\nimplementation-specific behavior as to how this is represented.\nGenerally, proxies should follow the guidance from the RFC:\nhttps://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding\nprocessing a repeated header, with special handling for \"Set-Cookie\".", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "type": { "default": "Exact", "description": "Type specifies how to match against the value of the header.\n\nSupport: Core (Exact)\n\nSupport: Implementation-specific (RegularExpression)\n\nSince RegularExpression HeaderMatchType has implementation-specific\nconformance, implementations can support POSIX, PCRE or any other dialects\nof regular expressions. Please read the implementation's documentation to\ndetermine the supported dialect.", "enum": [ "Exact", "RegularExpression" ], "type": "string" }, "value": { "description": "Value is the value of HTTP Header to be matched.", "maxLength": 4096, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "backendRef" ], "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [regex webhook openAIModeration] must be set", "rule": "[has(self.regex),has(self.webhook),has(self.openAIModeration)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "maxItems": 8, "minItems": 1, "type": "array" }, "response": { "description": "Prompt guards to apply to responses returned by the LLM provider.", "items": { "description": "PromptguardResponse configures the response that the prompt guard applies to responses returned by the LLM provider.", "properties": { "regex": { "description": "Regular expression (regex) matching for prompt guards and data masking.", "properties": { "action": { "default": "Mask", "description": "The action to take if a regex pattern is matched in a request or response.\nThis setting applies only to request matches. PromptguardResponse matches are always masked by default.\nDefaults to `Mask`.", "enum": [ "Mask", "Reject" ], "type": "string" }, "builtins": { "description": "A list of built-in regex patterns to match against the request or response.\nMatches and built-ins are additive.", "items": { "description": "BuiltIn regex patterns for specific types of strings in prompts.\nFor example, if you specify `CreditCard`, any credit card numbers\nin the request or response are matched.", "enum": [ "Ssn", "CreditCard", "PhoneNumber", "Email", "CaSin" ], "type": "string" }, "type": "array" }, "matches": { "description": "A list of regex patterns to match against the request or response.\nMatches and built-ins are additive.", "items": { "maxLength": 1024, "minLength": 1, "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "response": { "description": "A custom response message to return to the client. If not specified, defaults to\n\"The response was rejected due to inappropriate content\".", "properties": { "message": { "default": "The request was rejected due to inappropriate content", "description": "A custom response message to return to the client. If not specified, defaults to\n\"The request was rejected due to inappropriate content\".", "type": "string" }, "statusCode": { "default": 403, "description": "The status code to return to the client. Defaults to 403.", "format": "int32", "maximum": 599, "minimum": 200, "type": "integer" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [message statusCode] must be set", "rule": "[has(self.message),has(self.statusCode)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "webhook": { "description": "Configure a webhook to forward responses to for prompt guarding.", "properties": { "backendRef": { "description": "backendRef references the webhook server to reach.\n\nSupported types: Service and Backend.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false }, "forwardHeaderMatches": { "description": "ForwardHeaderMatches defines a list of HTTP header matches that will be\nused to select the headers to forward to the webhook.\nRequest headers are used when forwarding requests and response headers\nare used when forwarding responses.\nBy default, no headers are forwarded.", "items": { "description": "HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request\nheaders.", "properties": { "name": { "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, only the first\nentry with an equivalent name MUST be considered for a match. Subsequent\nentries with an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.\n\nWhen a header is repeated in an HTTP request, it is\nimplementation-specific behavior as to how this is represented.\nGenerally, proxies should follow the guidance from the RFC:\nhttps://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding\nprocessing a repeated header, with special handling for \"Set-Cookie\".", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "type": { "default": "Exact", "description": "Type specifies how to match against the value of the header.\n\nSupport: Core (Exact)\n\nSupport: Implementation-specific (RegularExpression)\n\nSince RegularExpression HeaderMatchType has implementation-specific\nconformance, implementations can support POSIX, PCRE or any other dialects\nof regular expressions. Please read the implementation's documentation to\ndetermine the supported dialect.", "enum": [ "Exact", "RegularExpression" ], "type": "string" }, "value": { "description": "Value is the value of HTTP Header to be matched.", "maxLength": 4096, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "backendRef" ], "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [regex webhook] must be set", "rule": "[has(self.regex),has(self.webhook)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "maxItems": 8, "minItems": 1, "type": "array" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [request response] must be set", "rule": "[has(self.request),has(self.response)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "routes": { "additionalProperties": { "description": "RouteType specifies how the AI gateway should process incoming requests\nbased on the URL path and the API format expected.", "enum": [ "Completions", "Messages", "Models", "Passthrough", "Responses", "AnthropicTokenCount", "Embeddings" ], "type": "string" }, "description": "routes defines how to identify the type of traffic to handle.\nThe keys are URL path suffixes matched using ends-with comparison (e.g., \"/v1/chat/completions\").\nThe special \"*\" wildcard matches any path.\nIf not specified, all traffic defaults to \"completions\" type.", "type": "object" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [prompt promptGuard defaults overrides modelAliases promptCaching routes] must be set", "rule": "[has(self.prompt),has(self.promptGuard),has(self.defaults),has(self.overrides),has(self.modelAliases),has(self.promptCaching),has(self.routes)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "auth": { "description": "auth defines settings for managing authentication to the backend", "properties": { "aws": { "description": "Auth specifies an explicit AWS authentication method for the backend.\nWhen omitted, we will try to use the default AWS SDK authentication methods.", "properties": { "secretRef": { "description": "SecretRef references a Kubernetes Secret containing the AWS credentials.\nThe Secret must have keys \"accessKey\", \"secretKey\", and optionally \"sessionToken\".", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "secretRef" ], "type": "object", "additionalProperties": false }, "key": { "description": "key provides an inline key to use as the value of the Authorization header.\nThis option is the least secure; usage of a Secret is preferred.", "maxLength": 2048, "type": "string" }, "passthrough": { "description": "passthrough passes through an existing token that has been sent by the client and validated. Other policies, like\nJWT and API Key authentication, will strip the original client credentials. Passthrough backend authentication\ncauses the original token to be added back into the request. If there are no client authentication policies on the\nrequest, the original token would be unchanged, so this would have no effect.", "type": "object" }, "secretRef": { "description": "secretRef references a Kubernetes secret storing the key to use the authorization value. This must be stored in the\n'Authorization' key.", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [key secretRef passthrough aws] must be set", "rule": "[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "http": { "description": "http defines settings for managing HTTP requests to the backend.", "properties": { "requestTimeout": { "description": "requestTimeout specifies the deadline for receiving a response from the backend.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "requestTimeout must be at least 1ms", "rule": "duration(self) >= duration('1ms')" } ] }, "version": { "description": "version specifies the HTTP protocol version to use when connecting to the backend.\nIf not specified, the version is automatically determined:\n* Service types can specify it with 'appProtocol' on the Service port.\n* If traffic is identified as gRPC, HTTP2 is used.\n* If the incoming traffic was plaintext HTTP, the original protocol will be used.\n* If the incoming traffic was HTTPS, HTTP1 will be used. This is because most clients will\n transparently upgrade HTTPS traffic to HTTP2, even if the backend doesn't support it", "enum": [ "HTTP1", "HTTP2" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "mcp": { "description": "mcp specifies settings for MCP workloads. This is only applicable when connecting to a Backend of type 'mcp'.", "properties": { "authentication": { "description": "authentication defines MCPBackend specific authentication rules.", "properties": { "audiences": { "description": "audiences specify the list of allowed audiences that are allowed access. This corresponds to the 'aud' claim (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).\nIf unset, any audience is allowed.", "items": { "type": "string" }, "maxItems": 64, "minItems": 1, "type": "array" }, "issuer": { "description": "Issuer identifies the IdP that issued the JWT. This corresponds to the 'iss' claim (https://tools.ietf.org/html/rfc7519#section-4.1.1).", "maxLength": 256, "minLength": 1, "type": "string" }, "jwks": { "description": "jwks defines the remote JSON Web Key used to validate the signature of the JWT.", "properties": { "backendRef": { "description": "backendRef references the remote JWKS server to reach.\nSupported types are Service and (static) Backend. An AgentgatewayPolicy containing backend tls config\ncan then be attached to the service/backend in order to set tls options for a connection to the remote jwks source.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false }, "cacheDuration": { "default": "5m", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "cacheDuration must be at least 5m.", "rule": "duration(self) >= duration('5m')" } ] }, "jwksPath": { "description": "Path to IdP jwks endpoint, relative to the root, commonly \".well-known/jwks.json\".", "maxLength": 2000, "minLength": 1, "type": "string" } }, "required": [ "backendRef", "jwksPath" ], "type": "object", "additionalProperties": false }, "mode": { "description": "validation mode for JWT authentication.", "enum": [ "Strict", "Optional", "Permissive" ], "type": "string" }, "provider": { "description": "McpIDP specifies the identity provider to use for authentication", "enum": [ "Auth0", "Keycloak" ], "type": "string" }, "resourceMetadata": { "additionalProperties": { "x-kubernetes-preserve-unknown-fields": true }, "description": "ResourceMetadata defines the metadata to use for MCP resources.", "type": "object" } }, "required": [ "jwks" ], "type": "object", "additionalProperties": false }, "authorization": { "description": "authorization defines MCPBackend level authorization. Unlike authorization at the HTTP level, which will reject\nunauthorized requests with a 403 error, this policy works at the MCPBackend level.\n\nList operations, such as list_tools, will have each item evaluated. Items that do not meet the rule will be filtered.\n\nGet or call operations, such as call_tool, will evaluate the specific item and reject requests that do not meet the rule.", "properties": { "action": { "default": "Allow", "description": "Action defines whether the rule allows or denies the request if matched.\nIf unspecified, the default is \"Allow\".", "enum": [ "Allow", "Deny" ], "type": "string" }, "policy": { "description": "Policy specifies the Authorization rule to evaluate.\nA policy matches when **any** of the conditions evaluates to true.", "properties": { "matchExpressions": { "description": "MatchExpressions defines a set of conditions that must be satisfied for the rule to match.\nThese expression should be in the form of a Common Expression Language (CEL) expression.", "items": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "maxItems": 256, "minItems": 1, "type": "array" } }, "required": [ "matchExpressions" ], "type": "object", "additionalProperties": false } }, "required": [ "policy" ], "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [authorization authentication] must be set", "rule": "[has(self.authorization),has(self.authentication)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "tcp": { "description": "tcp defines settings for managing TCP connections to the backend.", "properties": { "connectTimeout": { "description": "connectTimeout defines the deadline for establishing a connection to the destination.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "connectTimeout must be at least 100ms", "rule": "duration(self) >= duration('100ms')" } ] }, "keepalive": { "description": "keepAlive defines settings for enabling TCP keepalives on the connection.", "properties": { "interval": { "description": "interval specifies the number of seconds between keep-alive probes.\nIf unset, this defaults to 180s.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "interval must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] }, "retries": { "description": "retries specifies the maximum number of keep-alive probes to send before dropping the connection.\nIf unset, this defaults to 9.", "format": "int32", "maximum": 64, "minimum": 1, "type": "integer" }, "time": { "description": "time specifies the number of seconds a connection needs to be idle before keep-alive probes start being sent.\nIf unset, this defaults to 180s.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "time must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "tls": { "description": "tls defines settings for managing TLS connections to the backend.\n\nIf this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to\nvalidate the server, and the SNI will automatically be set based on the destination.", "properties": { "alpnProtocols": { "description": "alpnProtocols sets the Application Level Protocol Negotiation (ALPN) value to use in the TLS handshake.\n\nIf not present, defaults to [\"h2\", \"http/1.1\"].", "items": { "maxLength": 64, "minLength": 1, "type": "string" }, "maxItems": 16, "minItems": 1, "type": "array" }, "caCertificateRefs": { "description": "caCertificateRefs defines the CA certificate ConfigMap to use to verify the server certificate.\nIf unset, the system's trusted certificates are used.", "items": { "description": "LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "maxItems": 1, "type": "array", "x-kubernetes-list-type": "atomic" }, "insecureSkipVerify": { "description": "insecureSkipVerify originates TLS but skips verification of the backend's certificate.\nWARNING: This is an insecure option that should only be used if the risks are understood.\n\nThere are two modes:\n* All disables all TLS verification\n* Hostname verifies the CA certificate is trusted, but ignores any mismatch of hostname/SANs. Note that this method\n is still insecure; prefer setting verifySubjectAltNames to customize the valid hostnames if possible.", "enum": [ "All", "Hostname" ], "type": "string" }, "mtlsCertificateRef": { "description": "mtlsCertificateRef enables mutual TLS to the backend, using the specified key (tls.key) and cert (tls.crt) from the\nrefenced Secret.\n\nAn optional 'ca.cert' field, if present, will be used to verify the server certificate if present. If\ncaCertificateRefs is also specified, the caCertificateRefs field takes priority.\n\nIf unspecified, no client certificate will be used.", "items": { "description": "LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "maxItems": 1, "type": "array", "x-kubernetes-list-type": "atomic" }, "sni": { "description": "sni specifies the Server Name Indicator (SNI) to be used in the TLS handshake. If unset, the SNI is automatically\nset based on the destination hostname.", "maxLength": 253, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "verifySubjectAltNames": { "description": "verifySubjectAltNames specifies the Subject Alternative Names (SAN) to verify in the server certificate.\nIf not present, the destination hostname is automatically used.", "items": { "maxLength": 256, "minLength": 1, "type": "string" }, "maxItems": 16, "minItems": 1, "type": "array" } }, "type": "object", "x-kubernetes-validations": [ { "message": "insecureSkipVerify All and caCertificateRefs may not be set together", "rule": "has(self.insecureSkipVerify) && self.insecureSkipVerify == 'All' ? !has(self.caCertificateRefs) : true" }, { "message": "insecureSkipVerify and verifySubjectAltNames may not be set together", "rule": "has(self.insecureSkipVerify) ? !has(self.verifySubjectAltNames) : true" }, { "message": "at most one of the fields in [verifySubjectAltNames insecureSkipVerify] may be set", "rule": "[has(self.verifySubjectAltNames),has(self.insecureSkipVerify)].filter(x,x==true).size() <= 1" } ], "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [tcp tls http auth mcp ai] must be set", "rule": "[has(self.tcp),has(self.tls),has(self.http),has(self.auth),has(self.mcp),has(self.ai)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "frontend": { "description": "frontend defines settings for how to handle incoming traffic.\n\nA frontend policy can only target a Gateway. Listener and ListenerSet are not valid targets.\n\nWhen multiple policies are selected for a given request, they are merged on a field-level basis, but not a deep\nmerge. For example, policy A sets 'tcp' and 'tls', and policy B sets 'tls', the effective policy would be 'tcp' from\npolicy A, and 'tls' from policy B.", "properties": { "accessLog": { "description": "AccessLoggingConfig contains access logging configuration", "properties": { "attributes": { "description": "attributes specifies customizations to the key-value pairs that are logged", "properties": { "add": { "description": "add specifies additional key-value pairs to be added to each entry.\nThe value is a CEL expression. If the CEL expression fails to evaluate, the pair will be excluded.", "items": { "properties": { "expression": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "name": { "maxLength": 256, "minLength": 1, "type": "string" } }, "required": [ "expression", "name" ], "type": "object", "additionalProperties": false }, "minItems": 1, "type": "array" }, "remove": { "description": "remove lists the default fields that should be removed. For example, \"http.method\".", "items": { "maxLength": 64, "minLength": 1, "type": "string" }, "maxItems": 32, "minItems": 1, "type": "array" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [remove add] must be set", "rule": "[has(self.remove),has(self.add)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "filter": { "description": "filter specifies a CEL expression that is used to filter logs. A log will only be emitted if the expression evaluates\nto 'true'.", "maxLength": 16384, "minLength": 1, "type": "string" } }, "type": "object", "additionalProperties": false }, "http": { "description": "http defines settings on managing incoming HTTP requests.", "properties": { "http1IdleTimeout": { "description": "http1IdleTimeout defines the timeout before an unused connection is closed.\nIf unset, this defaults to 10 minutes.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "http1IdleTimeout must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] }, "http1MaxHeaders": { "description": "http1MaxHeaders defines the maximum number of headers that are allowed in HTTP/1.1 requests.\nIf unset, this defaults to 100.", "format": "int32", "maximum": 4096, "minimum": 1, "type": "integer" }, "http2ConnectionWindowSize": { "description": "http2ConnectionWindowSize indicates the initial window size for connection-level flow control for received data.", "format": "int32", "minimum": 1, "type": "integer" }, "http2FrameSize": { "description": "http2FrameSize sets the maximum frame size to use.\nIf unset, this defaults to 16kb", "format": "int32", "maximum": 1677215, "minimum": 16384, "type": "integer" }, "http2KeepaliveInterval": { "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "http2KeepaliveInterval must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] }, "http2KeepaliveTimeout": { "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "http2KeepaliveTimeout must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] }, "http2WindowSize": { "description": "http2WindowSize indicates the initial window size for stream-level flow control for received data.", "format": "int32", "minimum": 1, "type": "integer" }, "maxBufferSize": { "description": "maxBufferSize defines the maximum size HTTP body that will be buffered into memory.\nBodies will only be buffered for policies which require buffering.\nIf unset, this defaults to 2mb.", "format": "int32", "minimum": 1, "type": "integer" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [maxBufferSize http1MaxHeaders http1IdleTimeout http2WindowSize http2ConnectionWindowSize http2FrameSize http2KeepaliveInterval http2KeepaliveTimeout] must be set", "rule": "[has(self.maxBufferSize),has(self.http1MaxHeaders),has(self.http1IdleTimeout),has(self.http2WindowSize),has(self.http2ConnectionWindowSize),has(self.http2FrameSize),has(self.http2KeepaliveInterval),has(self.http2KeepaliveTimeout)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "tcp": { "description": "tcp defines settings on managing incoming TCP connections.", "properties": { "keepalive": { "description": "keepalive defines settings for enabling TCP keepalives on the connection.", "properties": { "interval": { "description": "interval specifies the number of seconds between keep-alive probes.\nIf unset, this defaults to 180s.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "interval must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] }, "retries": { "description": "retries specifies the maximum number of keep-alive probes to send before dropping the connection.\nIf unset, this defaults to 9.", "format": "int32", "maximum": 64, "minimum": 1, "type": "integer" }, "time": { "description": "time specifies the number of seconds a connection needs to be idle before keep-alive probes start being sent.\nIf unset, this defaults to 180s.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "time must be at least 1 second", "rule": "duration(self) >= duration('1s')" } ] } }, "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [keepalive] must be set", "rule": "[has(self.keepalive)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "tls": { "description": "tls defines settings on managing incoming TLS connections.", "properties": { "alpnProtocols": { "description": "alpnProtocols sets the Application Level Protocol Negotiation (ALPN) value to use in the TLS handshake.\n\nIf not present, defaults to [\"h2\", \"http/1.1\"].", "items": { "maxLength": 64, "minLength": 1, "type": "string" }, "maxItems": 16, "minItems": 1, "type": "array" }, "cipherSuites": { "description": "CipherSuites configures the list of cipher suites for a TLS listener.\nThe value is a comma-separated list of cipher suites, e.g \"TLS13_AES_256_GCM_SHA384,TLS13_AES_128_GCM_SHA256\".\nUse in the TLS options field of a TLS listener.", "items": { "enum": [ "TLS13_AES_256_GCM_SHA384", "TLS13_AES_128_GCM_SHA256", "TLS13_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" ], "type": "string" }, "type": "array" }, "handshakeTimeout": { "description": "handshakeTimeout specifies the deadline for a TLS handshake to complete.\nIf unset, this defaults to 15s.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "handshakeTimeout must be at least 100ms", "rule": "duration(self) >= duration('100ms')" } ] }, "maxProtocolVersion": { "description": "MaxTLSVersion configures the maximum TLS version to support.", "enum": [ "1.2", "1.3" ], "type": "string" }, "minProtocolVersion": { "description": "MinTLSVersion configures the minimum TLS version to support.", "enum": [ "1.2", "1.3" ], "type": "string" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [handshakeTimeout] must be set", "rule": "[has(self.handshakeTimeout)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "tracing": { "description": "Tracing contains various settings for OpenTelemetry tracer.", "properties": { "attributes": { "description": "attributes specify customizations to the key-value pairs that are included in the trace.", "properties": { "add": { "description": "add specifies additional key-value pairs to be added to each entry.\nThe value is a CEL expression. If the CEL expression fails to evaluate, the pair will be excluded.", "items": { "properties": { "expression": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "name": { "maxLength": 256, "minLength": 1, "type": "string" } }, "required": [ "expression", "name" ], "type": "object", "additionalProperties": false }, "minItems": 1, "type": "array" }, "remove": { "description": "remove lists the default fields that should be removed. For example, \"http.method\".", "items": { "maxLength": 64, "minLength": 1, "type": "string" }, "maxItems": 32, "minItems": 1, "type": "array" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [remove add] must be set", "rule": "[has(self.remove),has(self.add)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "backendRef": { "description": "backendRef references the OTLP server to reach.\nSupported types: Service and AgentgatewayBackend.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false }, "clientSampling": { "description": "clientSampling is an expression to determine the amount of client sampling. Client sampling determines whether to\ninitiate a new trace span if the incoming request does have a trace already. This should evaluate to a float between\n0.0-1.0, or a boolean (true/false) If unspecified, client sampling is 100% enabled.", "maxLength": 16384, "minLength": 1, "type": "string" }, "protocol": { "default": "HTTP", "description": "protocol specifies the OTLP protocol variant to use.", "enum": [ "HTTP", "GRPC" ], "type": "string" }, "randomSampling": { "description": "randomSampling is an expression to determine the amount of random sampling. Random sampling will initiate a new\ntrace span if the incoming request does not have a trace initiated already. This should evaluate to a float between\n0.0-1.0, or a boolean (true/false) If unspecified, random sampling is disabled.", "maxLength": 16384, "minLength": 1, "type": "string" }, "resources": { "description": "resources describe the entity producing telemetry and specify the resources to be included in the trace.", "items": { "properties": { "expression": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "name": { "maxLength": 256, "minLength": 1, "type": "string" } }, "required": [ "expression", "name" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "backendRef" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "targetRefs": { "description": "targetRefs specifies the target resources by reference to attach the policy to.", "items": { "description": "Select the object to attach the policy by Group, Kind, Name and SectionName.\nThe object must be in the same namespace as the policy.\nYou can target only one object at a time.", "properties": { "group": { "description": "The API group of the target resource.\nFor Kubernetes Gateway API resources, the group is `gateway.networking.k8s.io`.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "description": "The API kind of the target resource,\nsuch as Gateway or HTTPRoute.", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "The name of the target resource.", "maxLength": 253, "minLength": 1, "type": "string" }, "sectionName": { "description": "The section name of the target resource.", "maxLength": 253, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" } }, "required": [ "group", "kind", "name" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-list-type": "atomic", "x-kubernetes-validations": [ { "message": "targetRefs may only reference Gateway, HTTPRoute, XListenerSet, Service, or AgentgatewayBackend resources", "rule": "self.all(r, (r.kind == 'Service' && r.group == '') || (r.kind == 'AgentgatewayBackend' && r.group == 'agentgateway.dev') || (r.kind in ['Gateway', 'HTTPRoute'] && r.group == 'gateway.networking.k8s.io') || (r.kind == 'XListenerSet' && r.group == 'gateway.networking.x-k8s.io'))" }, { "message": "Only one Kind of targetRef can be set on one policy", "rule": "self.all(l1, !self.exists(l2, l1.kind != l2.kind))" } ] }, "targetSelectors": { "description": "targetSelectors specifies the target selectors to select resources to attach the policy to.", "items": { "description": "LocalPolicyTargetSelectorWithSectionName the object to attach the policy by Group, Kind, MatchLabels, and optionally SectionName.\nThe object must be in the same namespace as the policy and match the\nspecified labels.\nDo not use targetSelectors when reconciliation times are critical, especially if you\nhave a large number of policies that target the same resource.\nInstead, use targetRefs to attach the policy.", "properties": { "group": { "description": "The API group of the target resource.\nFor Kubernetes Gateway API resources, the group is `gateway.networking.k8s.io`.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "description": "The API kind of the target resource,\nsuch as Gateway or HTTPRoute.", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "Label selector to select the target resource.", "type": "object" }, "sectionName": { "description": "The section name of the target resource.", "maxLength": 253, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" } }, "required": [ "group", "kind", "matchLabels" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-validations": [ { "message": "targetRefs may only reference Gateway, HTTPRoute, XListenerSet, Service, or AgentgatewayBackend resources", "rule": "self.all(r, (r.kind == 'Service' && r.group == '') || (r.kind == 'AgentgatewayBackend' && r.group == 'agentgateway.dev') || (r.kind in ['Gateway', 'HTTPRoute'] && r.group == 'gateway.networking.k8s.io') || (r.kind == 'XListenerSet' && r.group == 'gateway.networking.x-k8s.io'))" }, { "message": "Only one Kind of targetRef can be set on one policy", "rule": "self.all(l1, !self.exists(l2, l1.kind != l2.kind))" } ] }, "traffic": { "description": "traffic defines settings for how process traffic.\n\nA traffic policy can target a Gateway (optionally, with a sectionName indicating the listener), ListenerSet, Route\n(optionally, with a sectionName indicating the route rule).\n\nWhen multiple policies are selected for a given request, they are merged on a field-level basis, but not a deep\nmerge. Precedence is given to more precise policies: Gateway < Listener < Route < Route Rule. For example, policy A\nsets 'timeouts' and 'retries', and policy B sets 'retries', the effective policy would be 'timeouts' from policy A,\nand 'retries' from policy B.", "properties": { "apiKeyAuthentication": { "description": "apiKeyAuthentication authenticates users based on a configured API Key.", "properties": { "mode": { "default": "Strict", "description": "Validation mode for api key authentication.", "enum": [ "Strict", "Optional" ], "type": "string" }, "secretRef": { "description": "secretRef references a Kubernetes secret storing a set of API Keys. If there are many keys, 'secretSelector' can be\nused instead.\n\nEach entry in the Secret represents one API Key. The key is an arbitrary identifier. The value can either be:\n* A string, representing the API Key.\n* A JSON object, with two fields, `key` and `metadata`. `key` contains the API Key. `metadata` contains arbitrary JSON\n metadata associated with the key, which may be used by other policies. For example, you may write an authorization\n policy allow `apiKey.group == 'sales'`.\n\nExample:\n\napiVersion: v1\nkind: Secret\nmetadata:\n name: api-key\nstringData:\n client1: |\n {\n \"key\": \"k-123\",\n \"metadata\": {\n \"group\": \"sales\",\n \"created_at\": \"2024-10-01T12:00:00Z\",\n }\n }\n client2: \"k-456\"", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "secretSelector": { "description": "secretSelector selects multiple secrets containing API Keys. If the same key is defined in multiple secrets, the\nbehavior is undefined.\n\nEach entry in the Secret represents one API Key. The key is an arbitrary identifier. The value can either be:\n* A string, representing the API Key.\n* A JSON object, with two fields, `key` and `metadata`. `key` contains the API Key. `metadata` contains arbitrary JSON\n metadata associated with the key, which may be used by other policies. For example, you may write an authorization\n policy allow `apiKey.group == 'sales'`.\n\nExample:\n\napiVersion: v1\nkind: Secret\nmetadata:\n name: api-key\nstringData:\n client1: |\n {\n \"key\": \"k-123\",\n \"metadata\": {\n \"group\": \"sales\",\n \"created_at\": \"2024-10-01T12:00:00Z\",\n }\n }\n client2: \"k-456\"", "properties": { "matchLabels": { "additionalProperties": { "type": "string" }, "description": "Label selector to select the target resource.", "type": "object" } }, "required": [ "matchLabels" ], "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [secretRef secretSelector] must be set", "rule": "[has(self.secretRef),has(self.secretSelector)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "authorization": { "description": "authorization specifies the access rules based on roles and permissions.\nIf multiple authorization rules are applied across different policies (at the same, or different, attahcment points),\nall rules are merged.", "properties": { "action": { "default": "Allow", "description": "Action defines whether the rule allows or denies the request if matched.\nIf unspecified, the default is \"Allow\".", "enum": [ "Allow", "Deny" ], "type": "string" }, "policy": { "description": "Policy specifies the Authorization rule to evaluate.\nA policy matches when **any** of the conditions evaluates to true.", "properties": { "matchExpressions": { "description": "MatchExpressions defines a set of conditions that must be satisfied for the rule to match.\nThese expression should be in the form of a Common Expression Language (CEL) expression.", "items": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "maxItems": 256, "minItems": 1, "type": "array" } }, "required": [ "matchExpressions" ], "type": "object", "additionalProperties": false } }, "required": [ "policy" ], "type": "object", "additionalProperties": false }, "basicAuthentication": { "description": "basicAuthentication authenticates users based on the \"Basic\" authentication scheme (RFC 7617), where a username and password\nare encoded in the request.", "properties": { "mode": { "default": "Strict", "description": "validation mode for basic auth authentication.", "enum": [ "Strict", "Optional" ], "type": "string" }, "realm": { "description": "realm specifies the 'realm' to return in the WWW-Authenticate header for failed authentication requests.\nIf unset, \"Restricted\" will be used.", "type": "string" }, "secretRef": { "description": "secretRef references a Kubernetes secret storing the .htaccess file. The Secret must have a key named '.htaccess',\nand should contain the complete .htaccess file.\n\nNote: passwords should be the hash of the password, not the raw password. Use the `htpasswd` or similar commands\nto generate a hash. MD5, bcrypt, crypt, and SHA-1 are supported.\n\nExample:\n\napiVersion: v1\nkind: Secret\nmetadata:\n name: basic-auth\nstringData:\n .htaccess: |\n alice:$apr1$3zSE0Abt$IuETi4l5yO87MuOrbSE4V.\n bob:$apr1$Ukb5LgRD$EPY2lIfY.A54jzLELNIId/", "properties": { "name": { "default": "", "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", "type": "string" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "users": { "description": "users provides an inline list of username/password pairs that will be accepted.\nEach entry represents one line of the htpasswd format: https://httpd.apache.org/docs/2.4/programs/htpasswd.html.\n\nNote: passwords should be the hash of the password, not the raw password. Use the `htpasswd` or similar commands\nto generate a hash. MD5, bcrypt, crypt, and SHA-1 are supported.\n\nExample:\nusers:\n- \"user1:$apr1$ivPt0D4C$DmRhnewfHRSrb3DQC.WHC.\"\n- \"user2:$2y$05$r3J4d3VepzFkedkd/q1vI.pBYIpSqjfN0qOARV3ScUHysatnS0cL2\"", "items": { "type": "string" }, "maxItems": 256, "minItems": 1, "type": "array" } }, "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [users secretRef] must be set", "rule": "[has(self.users),has(self.secretRef)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "cors": { "description": "cors specifies the CORS configuration for the policy.", "properties": { "allowCredentials": { "description": "AllowCredentials indicates whether the actual cross-origin request allows\nto include credentials.\n\nWhen set to true, the gateway will include the `Access-Control-Allow-Credentials`\nresponse header with value true (case-sensitive).\n\nWhen set to false or omitted the gateway will omit the header\n`Access-Control-Allow-Credentials` entirely (this is the standard CORS\nbehavior).\n\nSupport: Extended", "type": "boolean" }, "allowHeaders": { "description": "AllowHeaders indicates which HTTP request headers are supported for\naccessing the requested resource.\n\nHeader names are not case sensitive.\n\nMultiple header names in the value of the `Access-Control-Allow-Headers`\nresponse header are separated by a comma (\",\").\n\nWhen the `AllowHeaders` field is configured with one or more headers, the\ngateway must return the `Access-Control-Allow-Headers` response header\nwhich value is present in the `AllowHeaders` field.\n\nIf any header name in the `Access-Control-Request-Headers` request header\nis not included in the list of header names specified by the response\nheader `Access-Control-Allow-Headers`, it will present an error on the\nclient side.\n\nIf any header name in the `Access-Control-Allow-Headers` response header\ndoes not recognize by the client, it will also occur an error on the\nclient side.\n\nA wildcard indicates that the requests with all HTTP headers are allowed.\nThe `Access-Control-Allow-Headers` response header can only use `*`\nwildcard as value when the `AllowCredentials` field is false or omitted.\n\nWhen the `AllowCredentials` field is true and `AllowHeaders` field\nspecified with the `*` wildcard, the gateway must specify one or more\nHTTP headers in the value of the `Access-Control-Allow-Headers` response\nheader. The value of the header `Access-Control-Allow-Headers` is same as\nthe `Access-Control-Request-Headers` header provided by the client. If\nthe header `Access-Control-Request-Headers` is not included in the\nrequest, the gateway will omit the `Access-Control-Allow-Headers`\nresponse header, instead of specifying the `*` wildcard. A Gateway\nimplementation may choose to add implementation-specific default headers.\n\nSupport: Extended", "items": { "description": "HTTPHeaderName is the name of an HTTP header.\n\nValid values include:\n\n* \"Authorization\"\n* \"Set-Cookie\"\n\nInvalid values include:\n\n - \":method\" - \":\" is an invalid character. This means that HTTP/2 pseudo\n headers are not currently supported by this type.\n - \"/invalid\" - \"/ \" is an invalid character", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "maxItems": 64, "type": "array", "x-kubernetes-list-type": "set" }, "allowMethods": { "description": "AllowMethods indicates which HTTP methods are supported for accessing the\nrequested resource.\n\nValid values are any method defined by RFC9110, along with the special\nvalue `*`, which represents all HTTP methods are allowed.\n\nMethod names are case sensitive, so these values are also case-sensitive.\n(See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1)\n\nMultiple method names in the value of the `Access-Control-Allow-Methods`\nresponse header are separated by a comma (\",\").\n\nA CORS-safelisted method is a method that is `GET`, `HEAD`, or `POST`.\n(See https://fetch.spec.whatwg.org/#cors-safelisted-method) The\nCORS-safelisted methods are always allowed, regardless of whether they\nare specified in the `AllowMethods` field.\n\nWhen the `AllowMethods` field is configured with one or more methods, the\ngateway must return the `Access-Control-Allow-Methods` response header\nwhich value is present in the `AllowMethods` field.\n\nIf the HTTP method of the `Access-Control-Request-Method` request header\nis not included in the list of methods specified by the response header\n`Access-Control-Allow-Methods`, it will present an error on the client\nside.\n\nThe `Access-Control-Allow-Methods` response header can only use `*`\nwildcard as value when the `AllowCredentials` field is false or omitted.\n\nWhen the `AllowCredentials` field is true and `AllowMethods` field\nspecified with the `*` wildcard, the gateway must specify one HTTP method\nin the value of the Access-Control-Allow-Methods response header. The\nvalue of the header `Access-Control-Allow-Methods` is same as the\n`Access-Control-Request-Method` header provided by the client. If the\nheader `Access-Control-Request-Method` is not included in the request,\nthe gateway will omit the `Access-Control-Allow-Methods` response header,\ninstead of specifying the `*` wildcard. A Gateway implementation may\nchoose to add implementation-specific default methods.\n\nSupport: Extended", "items": { "enum": [ "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH", "*" ], "type": "string" }, "maxItems": 9, "type": "array", "x-kubernetes-list-type": "set", "x-kubernetes-validations": [ { "message": "AllowMethods cannot contain '*' alongside other methods", "rule": "!('*' in self && self.size() > 1)" } ] }, "allowOrigins": { "description": "AllowOrigins indicates whether the response can be shared with requested\nresource from the given `Origin`.\n\nThe `Origin` consists of a scheme and a host, with an optional port, and\ntakes the form `://(:)`.\n\nValid values for scheme are: `http` and `https`.\n\nValid values for port are any integer between 1 and 65535 (the list of\navailable TCP/UDP ports). Note that, if not included, port `80` is\nassumed for `http` scheme origins, and port `443` is assumed for `https`\norigins. This may affect origin matching.\n\nThe host part of the origin may contain the wildcard character `*`. These\nwildcard characters behave as follows:\n\n* `*` is a greedy match to the _left_, including any number of\n DNS labels to the left of its position. This also means that\n `*` will include any number of period `.` characters to the\n left of its position.\n* A wildcard by itself matches all hosts.\n\nAn origin value that includes _only_ the `*` character indicates requests\nfrom all `Origin`s are allowed.\n\nWhen the `AllowOrigins` field is configured with multiple origins, it\nmeans the server supports clients from multiple origins. If the request\n`Origin` matches the configured allowed origins, the gateway must return\nthe given `Origin` and sets value of the header\n`Access-Control-Allow-Origin` same as the `Origin` header provided by the\nclient.\n\nThe status code of a successful response to a \"preflight\" request is\nalways an OK status (i.e., 204 or 200).\n\nIf the request `Origin` does not match the configured allowed origins,\nthe gateway returns 204/200 response but doesn't set the relevant\ncross-origin response headers. Alternatively, the gateway responds with\n403 status to the \"preflight\" request is denied, coupled with omitting\nthe CORS headers. The cross-origin request fails on the client side.\nTherefore, the client doesn't attempt the actual cross-origin request.\n\nThe `Access-Control-Allow-Origin` response header can only use `*`\nwildcard as value when the `AllowCredentials` field is false or omitted.\n\nWhen the `AllowCredentials` field is true and `AllowOrigins` field\nspecified with the `*` wildcard, the gateway must return a single origin\nin the value of the `Access-Control-Allow-Origin` response header,\ninstead of specifying the `*` wildcard. The value of the header\n`Access-Control-Allow-Origin` is same as the `Origin` header provided by\nthe client.\n\nSupport: Extended", "items": { "description": "The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and\nencoding rules specified in RFC3986. The CORSOrigin MUST include both a\nscheme (e.g., \"http\" or \"spiffe\") and a scheme-specific-part, or it should be a single '*' character.\nURIs that include an authority MUST include a fully qualified domain name or\nIP address as the host.\n The below regex was generated to simplify the assertion of scheme://host: being port optional ", "maxLength": 253, "minLength": 1, "pattern": "(^\\*$)|(^([a-zA-Z][a-zA-Z0-9+\\-.]+):\\/\\/([^:/?#]+)(:([0-9]{1,5}))?$)", "type": "string" }, "maxItems": 64, "type": "array", "x-kubernetes-list-type": "set", "x-kubernetes-validations": [ { "message": "AllowOrigins cannot contain '*' alongside other origins", "rule": "!('*' in self && self.size() > 1)" } ] }, "exposeHeaders": { "description": "ExposeHeaders indicates which HTTP response headers can be exposed\nto client-side scripts in response to a cross-origin request.\n\nA CORS-safelisted response header is an HTTP header in a CORS response\nthat it is considered safe to expose to the client scripts.\nThe CORS-safelisted response headers include the following headers:\n`Cache-Control`\n`Content-Language`\n`Content-Length`\n`Content-Type`\n`Expires`\n`Last-Modified`\n`Pragma`\n(See https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name)\nThe CORS-safelisted response headers are exposed to client by default.\n\nWhen an HTTP header name is specified using the `ExposeHeaders` field,\nthis additional header will be exposed as part of the response to the\nclient.\n\nHeader names are not case sensitive.\n\nMultiple header names in the value of the `Access-Control-Expose-Headers`\nresponse header are separated by a comma (\",\").\n\nA wildcard indicates that the responses with all HTTP headers are exposed\nto clients. The `Access-Control-Expose-Headers` response header can only\nuse `*` wildcard as value when the `AllowCredentials` field is false or omitted.\n\nSupport: Extended", "items": { "description": "HTTPHeaderName is the name of an HTTP header.\n\nValid values include:\n\n* \"Authorization\"\n* \"Set-Cookie\"\n\nInvalid values include:\n\n - \":method\" - \":\" is an invalid character. This means that HTTP/2 pseudo\n headers are not currently supported by this type.\n - \"/invalid\" - \"/ \" is an invalid character", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "maxItems": 64, "type": "array", "x-kubernetes-list-type": "set" }, "maxAge": { "default": 5, "description": "MaxAge indicates the duration (in seconds) for the client to cache the\nresults of a \"preflight\" request.\n\nThe information provided by the `Access-Control-Allow-Methods` and\n`Access-Control-Allow-Headers` response headers can be cached by the\nclient until the time specified by `Access-Control-Max-Age` elapses.\n\nThe default value of `Access-Control-Max-Age` response header is 5\n(seconds).", "format": "int32", "minimum": 1, "type": "integer" } }, "type": "object", "x-kubernetes-preserve-unknown-fields": true, "additionalProperties": false }, "csrf": { "description": "csrf specifies the Cross-Site Request Forgery (CSRF) policy for this traffic policy.\n\nThe CSRF policy has the following behavior:\n* Safe methods (GET, HEAD, OPTIONS) are automatically allowed\n* Requests without Sec-Fetch-Site or Origin headers are assumed to be same-origin or non-browser requests and are allowed.\n* Otherwise, the Sec-Fetch-Site header is checked, with a fallback to comparing the Origin header to the Host header.", "properties": { "additionalOrigins": { "description": "additionalOrigin specifies additional source origins that will be allowed in addition to the destination origin. The\n`Origin` consists of a scheme and a host, with an optional port, and takes the form `://(:)`.", "items": { "maxLength": 256, "minLength": 1, "type": "string" }, "maxItems": 16, "minItems": 1, "type": "array" } }, "type": "object", "additionalProperties": false }, "directResponse": { "description": "direct response configures the policy to send a direct response to the client.", "properties": { "body": { "description": "Body defines the content to be returned in the HTTP response body.\nThe maximum length of the body is restricted to prevent excessively large responses.\nIf this field is omitted, no body is included in the response.", "maxLength": 4096, "minLength": 1, "type": "string" }, "status": { "description": "StatusCode defines the HTTP status code to return for this route.", "format": "int32", "maximum": 599, "minimum": 200, "type": "integer" } }, "required": [ "status" ], "type": "object", "additionalProperties": false }, "extAuth": { "description": "extAuth specifies the external authentication configuration for the policy.\nThis controls what external server to send requests to for authentication.", "properties": { "backendRef": { "description": "backendRef references the External Authorization server to reach.\n\nSupported types: Service and Backend.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false }, "forwardBody": { "description": "forwardBody configures whether to include the HTTP body in the request. If enabled, the request body will be\nbuffered.", "properties": { "maxSize": { "description": "maxSize specifies how large in bytes the largest body that will be buffered and sent to the authorization server. If\nthe body size is larger than maxSize, then the request will be rejected with a response.", "format": "int32", "minimum": 1, "type": "integer" } }, "required": [ "maxSize" ], "type": "object", "additionalProperties": false }, "grpc": { "description": "grpc specifies that the gRPC External Authorization\n[protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto) should be used.", "properties": { "contextExtensions": { "additionalProperties": { "type": "string" }, "description": "contextExtensions specifies additional arbitrary key-value pairs to send to the authorization server in the `context_extensions` field.", "maxProperties": 64, "type": "object" }, "requestMetadata": { "additionalProperties": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "description": "requestMetadata specifies metadata to be sent *to* the authorization server.\nThis maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions.\nIf unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.", "maxProperties": 64, "type": "object" } }, "type": "object", "additionalProperties": false }, "http": { "description": "http specifies that the HTTP protocol should be used for connecting to the authorization server.\nThe authorization server must return a `200` status code, otherwise the request is considered an authorization failure.", "properties": { "addRequestHeaders": { "additionalProperties": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "description": "addRequestHeaders specifies what additional headers to add to the request to the authorization server.\nWhile allowedRequestHeaders just passes the original headers through, addRequestHeaders allows defining custom headers\nbased on CEL Expressions.", "maxProperties": 64, "type": "object" }, "allowedRequestHeaders": { "description": "allowedRequestHeaders specifies what additional headers from the client request\nwill be sent to the authorization server.\n\nIf unset, the following headers are sent by default: `Authorization`.", "items": { "maxLength": 256, "minLength": 1, "type": "string" }, "maxItems": 64, "type": "array" }, "allowedResponseHeaders": { "description": "allowedResponseHeaders specifies what headers from the authorization response\nwill be copied into the request to the backend.", "items": { "maxLength": 256, "minLength": 1, "type": "string" }, "maxItems": 64, "type": "array" }, "path": { "description": "path specifies the path to send to the authorization server. If unset, this defaults to the original request path.\nThis is a CEL expression, which allows customizing the path based on the incoming request.\nFor example, to add a prefix: `path: '\"/prefix/\" + request.path'`.", "maxLength": 16384, "minLength": 1, "type": "string" }, "redirect": { "description": "redirect defines an optional expression to determine a path to redirect to on authorization failure.\nThis is useful to redirect to a sign-in page.", "maxLength": 16384, "minLength": 1, "type": "string" }, "responseMetadata": { "additionalProperties": { "description": "CELExpression represents a Common Expression Language (CEL) expression.", "maxLength": 16384, "minLength": 1, "type": "string" }, "description": "responseMetadata specifies what metadata fields should be constructed *from* the authorization response. These will be\nincluded under the `extauthz` variable in future CEL expressions. Setting this is useful to do things like logging\nusernames, without needing to include them as headers to the backend (as `allowedResponseHeaders` would).", "maxProperties": 64, "type": "object" } }, "type": "object", "additionalProperties": false } }, "required": [ "backendRef" ], "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [grpc http] must be set", "rule": "[has(self.grpc),has(self.http)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "extProc": { "description": "extProc specifies the external processing configuration for the policy.", "properties": { "backendRef": { "description": "backendRef references the External Processor server to reach.\nSupported types: Service and Backend.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false } }, "required": [ "backendRef" ], "type": "object", "additionalProperties": false }, "headerModifiers": { "description": "headerModifiers defines the policy to modify request and response headers.", "properties": { "request": { "description": "Request modifies request headers.", "properties": { "add": { "description": "Add adds the given header(s) (name, value) to the request\nbefore the action. It appends to any existing values associated\nwith the header name.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n add:\n - name: \"my-header\"\n value: \"bar,baz\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: foo,bar,baz", "items": { "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", "properties": { "name": { "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "value": { "description": "Value is the value of HTTP Header to be matched.", "maxLength": 4096, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "remove": { "description": "Remove the given header(s) from the HTTP request before the action. The\nvalue of Remove is a list of HTTP header names. Note that the header\nnames are case-insensitive (see\nhttps://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\n\nInput:\n GET /foo HTTP/1.1\n my-header1: foo\n my-header2: bar\n my-header3: baz\n\nConfig:\n remove: [\"my-header1\", \"my-header3\"]\n\nOutput:\n GET /foo HTTP/1.1\n my-header2: bar", "items": { "type": "string" }, "maxItems": 16, "type": "array", "x-kubernetes-list-type": "set" }, "set": { "description": "Set overwrites the request with the given header (name, value)\nbefore the action.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n set:\n - name: \"my-header\"\n value: \"bar\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: bar", "items": { "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", "properties": { "name": { "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "value": { "description": "Value is the value of HTTP Header to be matched.", "maxLength": 4096, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" } }, "type": "object", "additionalProperties": false }, "response": { "description": "Response modifies response headers.", "properties": { "add": { "description": "Add adds the given header(s) (name, value) to the request\nbefore the action. It appends to any existing values associated\nwith the header name.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n add:\n - name: \"my-header\"\n value: \"bar,baz\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: foo,bar,baz", "items": { "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", "properties": { "name": { "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "value": { "description": "Value is the value of HTTP Header to be matched.", "maxLength": 4096, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "remove": { "description": "Remove the given header(s) from the HTTP request before the action. The\nvalue of Remove is a list of HTTP header names. Note that the header\nnames are case-insensitive (see\nhttps://datatracker.ietf.org/doc/html/rfc2616#section-4.2).\n\nInput:\n GET /foo HTTP/1.1\n my-header1: foo\n my-header2: bar\n my-header3: baz\n\nConfig:\n remove: [\"my-header1\", \"my-header3\"]\n\nOutput:\n GET /foo HTTP/1.1\n my-header2: bar", "items": { "type": "string" }, "maxItems": 16, "type": "array", "x-kubernetes-list-type": "set" }, "set": { "description": "Set overwrites the request with the given header (name, value)\nbefore the action.\n\nInput:\n GET /foo HTTP/1.1\n my-header: foo\n\nConfig:\n set:\n - name: \"my-header\"\n value: \"bar\"\n\nOutput:\n GET /foo HTTP/1.1\n my-header: bar", "items": { "description": "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", "properties": { "name": { "description": "Name is the name of the HTTP Header to be matched. Name matching MUST be\ncase-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).\n\nIf multiple entries specify equivalent header names, the first entry with\nan equivalent name MUST be considered for a match. Subsequent entries\nwith an equivalent header name MUST be ignored. Due to the\ncase-insensitivity of header names, \"foo\" and \"Foo\" are considered\nequivalent.", "maxLength": 256, "minLength": 1, "pattern": "^[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string" }, "value": { "description": "Value is the value of HTTP Header to be matched.", "maxLength": 4096, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" } }, "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [request response] must be set", "rule": "[has(self.request),has(self.response)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "hostRewrite": { "description": "hostRewrite specifies how to rewrite the Host header for requests.\n\nIf the HTTPRoute `urlRewrite` filter already specifies a host rewrite, this setting is ignored.", "enum": [ "Auto", "None" ], "properties": { "mode": { "description": "mode sets the hostname rewrite mode.\n\nThe following may be specified:\n* Auto: automatically set the Host header based on the destination.\n* None: do not rewrite the Host header. The original Host header will be passed through.\n\nThis setting defaults to Auto when connecting to hostname-based Backend types, and None otherwise (for Service or\nIP-based Backends).", "type": "string" } }, "required": [ "mode" ], "type": "object", "additionalProperties": false }, "jwtAuthentication": { "description": "jwtAuthentication authenticates users based on JWT tokens.", "properties": { "mode": { "default": "Strict", "description": "validation mode for JWT authentication.", "enum": [ "Strict", "Optional", "Permissive" ], "type": "string" }, "providers": { "items": { "properties": { "audiences": { "description": "audiences specifies the list of allowed audiences that are allowed access. This corresponds to the 'aud' claim (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3).\nIf unset, any audience is allowed.", "items": { "type": "string" }, "maxItems": 64, "minItems": 1, "type": "array" }, "issuer": { "description": "issuer identifies the IdP that issued the JWT. This corresponds to the 'iss' claim (https://tools.ietf.org/html/rfc7519#section-4.1.1).", "maxLength": 256, "minLength": 1, "type": "string" }, "jwks": { "description": "jwks defines the JSON Web Key Set used to validate the signature of the JWT.", "properties": { "inline": { "description": "inline specifies an inline JSON Web Key Set used validate the signature of the JWT.", "maxLength": 65536, "minLength": 2, "type": "string" }, "remote": { "description": "remote specifies how to reach the JSON Web Key Set from a remote address.", "properties": { "backendRef": { "description": "backendRef references the remote JWKS server to reach.\nSupported types are Service and (static) Backend. An AgentgatewayPolicy containing backend tls config\ncan then be attached to the service/backend in order to set tls options for a connection to the remote jwks source.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false }, "cacheDuration": { "default": "5m", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "cacheDuration must be at least 5m.", "rule": "duration(self) >= duration('5m')" } ] }, "jwksPath": { "description": "Path to IdP jwks endpoint, relative to the root, commonly \".well-known/jwks.json\".", "maxLength": 2000, "minLength": 1, "type": "string" } }, "required": [ "backendRef", "jwksPath" ], "type": "object", "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [remote inline] must be set", "rule": "[has(self.remote),has(self.inline)].filter(x,x==true).size() == 1" } ], "additionalProperties": false } }, "required": [ "issuer", "jwks" ], "type": "object", "additionalProperties": false }, "maxItems": 64, "minItems": 1, "type": "array" } }, "required": [ "providers" ], "type": "object", "additionalProperties": false }, "phase": { "description": "The phase to apply the traffic policy to. If the phase is PreRouting, the targetRef must be a Gateway or a Listener.\nPreRouting is typically used only when a policy needs to influence the routing decision.\n\nEven when using PostRouting mode, the policy can target the Gateway/Listener. This is a helper for applying the policy\nto all routes under that Gateway/Listener, and follows the merging logic described above.\n\nNote: PreRouting and PostRouting rules do not merge together. These are independent execution phases. That is, all\nPreRouting rules will merge and execute, then all PostRouting rules will merge and execute.\n\nIf unset, this defaults to PostRouting.", "enum": [ "PreRouting", "PostRouting" ], "type": "string" }, "rateLimit": { "description": "rateLimit specifies the rate limiting configuration for the policy.\nThis controls the rate at which requests are allowed to be processed.", "properties": { "global": { "description": "Global defines a global rate limiting policy using an external service.", "properties": { "backendRef": { "description": "backendRef references the Rate Limit server to reach.\nSupported types: Service and Backend.", "properties": { "group": { "default": "", "description": "Group is the group of the referent. For example, \"gateway.networking.k8s.io\".\nWhen unspecified or empty string, core API group is inferred.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Service", "description": "Kind is the Kubernetes resource kind of the referent. For example\n\"Service\".\n\nDefaults to \"Service\" when not specified.\n\nExternalName services can refer to CNAME DNS records that may live\noutside of the cluster and as such are difficult to reason about in\nterms of conformance. They also may not be safe to forward to (see\nCVE-2021-25740 for more information). Implementations SHOULD NOT\nsupport ExternalName Services.\n\nSupport: Core (Services with a type other than ExternalName)\n\nSupport: Implementation-specific (Services with type ExternalName)", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the backend. When unspecified, the local\nnamespace is inferred.\n\nNote that when a namespace different than the local namespace is specified,\na ReferenceGrant object is required in the referent namespace to allow that\nnamespace's owner to accept the reference. See the ReferenceGrant\ndocumentation for details.\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port specifies the destination port number to use for this resource.\nPort is required when the referent is a Kubernetes Service. In this\ncase, the port number is the service port number, not the target port.\nFor other resources, destination port might be derived from the referent\nresource or this field.", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" } }, "required": [ "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Must have port for Service reference", "rule": "(size(self.group) == 0 && self.kind == 'Service') ? has(self.port) : true" } ], "additionalProperties": false }, "descriptors": { "description": "Descriptors define the dimensions for rate limiting. These values are passed to the rate limit service which applies\nconfigured limits based on them. Each descriptor represents a single rate limit rule with one or more entries.", "items": { "properties": { "entries": { "description": "entries are the individual components that make up this descriptor.", "items": { "description": "A descriptor entry defines a single entry in a rate limit descriptor.", "properties": { "expression": { "description": "expression is a Common Expression Language (CEL) expression that defines the value for the descriptor.\n\nFor example, to rate limit based on the Client IP: `source.address`.\n\nSee https://agentgateway.dev/docs/reference/cel/ for more info.", "maxLength": 16384, "minLength": 1, "type": "string" }, "name": { "description": "name specifies the name of the descriptor.", "maxLength": 64, "minLength": 1, "type": "string" } }, "required": [ "expression", "name" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array" }, "unit": { "description": "unit defines what to use as the cost function. If unspecified, Requests is used.", "enum": [ "Requests", "Tokens" ], "type": "string" } }, "required": [ "entries" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array" }, "domain": { "description": "domain specifies the domain under which this limit should apply.\nThis is an arbitrary string that enables a rate limit server to distinguish between different applications.", "maxLength": 256, "minLength": 1, "type": "string" } }, "required": [ "backendRef", "descriptors", "domain" ], "type": "object", "additionalProperties": false }, "local": { "description": "Local defines a local rate limiting policy.", "items": { "description": "Policy for local rate limiting. Local rate limits are handled locally on a per-proxy basis, without co-ordination\nbetween instances of the proxy.", "properties": { "burst": { "description": "burst specifies an allowance of requests above the request-per-unit that should be allowed within a short period of time.", "format": "int32", "type": "integer" }, "requests": { "description": "requests specifies the number of HTTP requests per unit of time that are allowed. Requests exceeding this limit will fail with\na 429 error.", "format": "int32", "minimum": 1, "type": "integer" }, "tokens": { "description": "tokens specifies the number of LLM tokens per unit of time that are allowed. Requests exceeding this limit will fail\nwith a 429 error.\n\nBoth input and output tokens are counted. However, token counts are not known until the request completes. As a\nresult, token-based rate limits will apply to future requests only.", "format": "int32", "minimum": 1, "type": "integer" }, "unit": { "description": "unit specifies the unit of time that requests are limited based on.", "enum": [ "Seconds", "Minutes", "Hours" ], "type": "string" } }, "required": [ "unit" ], "type": "object", "x-kubernetes-validations": [ { "message": "exactly one of the fields in [requests tokens] must be set", "rule": "[has(self.requests),has(self.tokens)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [local global] must be set", "rule": "[has(self.local),has(self.global)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "retry": { "description": "retry defines the policy for retrying requests.", "properties": { "attempts": { "description": "Attempts specifies the maximum number of times an individual request\nfrom the gateway to a backend should be retried.\n\nIf the maximum number of retries has been attempted without a successful\nresponse from the backend, the Gateway MUST return an error.\n\nWhen this field is unspecified, the number of times to attempt to retry\na backend request is implementation-specific.\n\nSupport: Extended", "type": "integer" }, "backoff": { "description": "Backoff specifies the minimum duration a Gateway should wait between\nretry attempts and is represented in Gateway API Duration formatting.\n\nFor example, setting the `rules[].retry.backoff` field to the value\n`100ms` will cause a backend request to first be retried approximately\n100 milliseconds after timing out or receiving a response code configured\nto be retryable.\n\nAn implementation MAY use an exponential or alternative backoff strategy\nfor subsequent retry attempts, MAY cap the maximum backoff duration to\nsome amount greater than the specified minimum, and MAY add arbitrary\njitter to stagger requests, as long as unsuccessful backend requests are\nnot retried before the configured minimum duration.\n\nIf a Request timeout (`rules[].timeouts.request`) is configured on the\nroute, the entire duration of the initial request and any retry attempts\nMUST not exceed the Request timeout duration. If any retry attempts are\nstill in progress when the Request timeout duration has been reached,\nthese SHOULD be canceled if possible and the Gateway MUST immediately\nreturn a timeout error.\n\nIf a BackendRequest timeout (`rules[].timeouts.backendRequest`) is\nconfigured on the route, any retry attempts which reach the configured\nBackendRequest timeout duration without a response SHOULD be canceled if\npossible and the Gateway should wait for at least the specified backoff\nduration before attempting to retry the backend request again.\n\nIf a BackendRequest timeout is _not_ configured on the route, retry\nattempts MAY time out after an implementation default duration, or MAY\nremain pending until a configured Request timeout or implementation\ndefault duration for total request time is reached.\n\nWhen this field is unspecified, the time to wait between retry attempts\nis implementation-specific.\n\nSupport: Extended", "pattern": "^([0-9]{1,5}(h|m|s|ms)){1,4}$", "type": "string" }, "codes": { "description": "Codes defines the HTTP response status codes for which a backend request\nshould be retried.\n\nSupport: Extended", "items": { "description": "HTTPRouteRetryStatusCode defines an HTTP response status code for\nwhich a backend request should be retried.\n\nImplementations MUST support the following status codes as retryable:\n\n* 500\n* 502\n* 503\n* 504\n\nImplementations MAY support specifying additional discrete values in the\n500-599 range.\n\nImplementations MAY support specifying discrete values in the 400-499 range,\nwhich are often inadvisable to retry.\n\n", "maximum": 599, "minimum": 400, "type": "integer" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, "timeouts": { "description": "timeouts defines the timeouts for requests\nIt is applicable to HTTPRoutes and ignored for other targeted kinds.", "properties": { "request": { "description": "request specifies a timeout for an individual request from the gateway to a backend. This covers the time from when\nthe request first starts being sent from the gateway to when the full response has been received from the backend.", "type": "string", "x-kubernetes-validations": [ { "message": "invalid duration value", "rule": "matches(self, '^([0-9]{1,5}(h|m|s|ms)){1,4}$')" }, { "message": "request must be at least 1ms", "rule": "duration(self) >= duration('100ms')" } ] } }, "type": "object", "additionalProperties": false }, "transformation": { "description": "transformation is used to mutate and transform requests and responses\nbefore forwarding them to the destination.", "properties": { "request": { "description": "request is used to modify the request path.", "properties": { "add": { "description": "add is a list of headers to add to the request and what that value should be set to. If there is already a header\nwith these values then append the value as an extra entry.", "items": { "properties": { "name": { "description": "the name of the header to add.", "maxLength": 256, "minLength": 1, "pattern": "^:?[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string", "x-kubernetes-validations": [ { "message": "pseudo-headers must be one of :authority, :method, :path, :scheme, or :status", "rule": "!self.startsWith(':') || self in [':authority', ':method', ':path', ':scheme', ':status']" } ] }, "value": { "description": "value is the CEL expression to apply to generate the output value for the header.", "maxLength": 16384, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "body": { "description": "body controls manipulation of the HTTP body.", "maxLength": 16384, "minLength": 1, "type": "string" }, "remove": { "description": "Remove is a list of header names to remove from the request/response.", "items": { "description": "An HTTP Header Name.", "maxLength": 256, "minLength": 1, "pattern": "^:?[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string", "x-kubernetes-validations": [ { "message": "pseudo-headers must be one of :authority, :method, :path, :scheme, or :status", "rule": "!self.startsWith(':') || self in [':authority', ':method', ':path', ':scheme', ':status']" } ] }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "set": { "description": "set is a list of headers and the value they should be set to.", "items": { "properties": { "name": { "description": "the name of the header to add.", "maxLength": 256, "minLength": 1, "pattern": "^:?[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string", "x-kubernetes-validations": [ { "message": "pseudo-headers must be one of :authority, :method, :path, :scheme, or :status", "rule": "!self.startsWith(':') || self in [':authority', ':method', ':path', ':scheme', ':status']" } ] }, "value": { "description": "value is the CEL expression to apply to generate the output value for the header.", "maxLength": 16384, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [set add remove body] must be set", "rule": "[has(self.set),has(self.add),has(self.remove),has(self.body)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false }, "response": { "description": "response is used to modify the response path.", "properties": { "add": { "description": "add is a list of headers to add to the request and what that value should be set to. If there is already a header\nwith these values then append the value as an extra entry.", "items": { "properties": { "name": { "description": "the name of the header to add.", "maxLength": 256, "minLength": 1, "pattern": "^:?[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string", "x-kubernetes-validations": [ { "message": "pseudo-headers must be one of :authority, :method, :path, :scheme, or :status", "rule": "!self.startsWith(':') || self in [':authority', ':method', ':path', ':scheme', ':status']" } ] }, "value": { "description": "value is the CEL expression to apply to generate the output value for the header.", "maxLength": 16384, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" }, "body": { "description": "body controls manipulation of the HTTP body.", "maxLength": 16384, "minLength": 1, "type": "string" }, "remove": { "description": "Remove is a list of header names to remove from the request/response.", "items": { "description": "An HTTP Header Name.", "maxLength": 256, "minLength": 1, "pattern": "^:?[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string", "x-kubernetes-validations": [ { "message": "pseudo-headers must be one of :authority, :method, :path, :scheme, or :status", "rule": "!self.startsWith(':') || self in [':authority', ':method', ':path', ':scheme', ':status']" } ] }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "set": { "description": "set is a list of headers and the value they should be set to.", "items": { "properties": { "name": { "description": "the name of the header to add.", "maxLength": 256, "minLength": 1, "pattern": "^:?[A-Za-z0-9!#$%&'*+\\-.^_\\x60|~]+$", "type": "string", "x-kubernetes-validations": [ { "message": "pseudo-headers must be one of :authority, :method, :path, :scheme, or :status", "rule": "!self.startsWith(':') || self in [':authority', ':method', ':path', ':scheme', ':status']" } ] }, "value": { "description": "value is the CEL expression to apply to generate the output value for the header.", "maxLength": 16384, "minLength": 1, "type": "string" } }, "required": [ "name", "value" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "minItems": 1, "type": "array", "x-kubernetes-list-map-keys": [ "name" ], "x-kubernetes-list-type": "map" } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [set add remove body] must be set", "rule": "[has(self.set),has(self.add),has(self.remove),has(self.body)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "at least one of the fields in [request response] must be set", "rule": "[has(self.request),has(self.response)].filter(x,x==true).size() >= 1" } ], "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "phase PreRouting only supports extAuth, transformation, extProc, jwtAuthentication, basicAuthentication, and apiKeyAuthentication", "rule": "has(self.phase) && self.phase == 'PreRouting' ? !has(self.rateLimit) && !has(self.cors) && !has(self.csrf) && !has(self.headerModifiers) && !has(self.hostRewrite) && !has(self.timeouts) && !has(self.retry) && !has(self.authorization) && !has(self.directResponse): true" } ], "additionalProperties": false } }, "type": "object", "x-kubernetes-validations": [ { "message": "At least one of traffic, frontend, or backend must be provided.", "rule": "has(self.traffic) || has(self.frontend) || has(self.backend)" }, { "message": "backend.mcp may not be used with a Service target", "rule": "!has(self.backend) || !has(self.backend.mcp) || ((!has(self.targetRefs) || !self.targetRefs.exists(t, t.kind == 'Service')) && (!has(self.targetSelectors) || !self.targetSelectors.exists(t, t.kind == 'Service')))" }, { "message": "backend.ai may not be used with a Service target", "rule": "!has(self.backend) || !has(self.backend.ai) || ((!has(self.targetRefs) || !self.targetRefs.exists(t, t.kind == 'Service')) && (!has(self.targetSelectors) || !self.targetSelectors.exists(t, t.kind == 'Service')))" }, { "message": "the 'frontend' field can only target a Gateway", "rule": "has(self.frontend) && has(self.targetRefs) ? self.targetRefs.all(t, t.kind == 'Gateway' && !has(t.sectionName)) : true" }, { "message": "the 'frontend' field can only target a Gateway", "rule": "has(self.frontend) && has(self.targetSelectors) ? self.targetSelectors.all(t, t.kind == 'Gateway' && !has(t.sectionName)) : true" }, { "message": "the 'traffic' field can only target a Gateway, XListenerSet, or HTTPRoute", "rule": "has(self.traffic) && has(self.targetRefs) ? self.targetRefs.all(t, t.kind in ['Gateway', 'HTTPRoute', 'XListenerSet']) : true" }, { "message": "the 'traffic' field can only target a Gateway, XListenerSet, or HTTPRoute", "rule": "has(self.traffic) && has(self.targetSelectors) ? self.targetSelectors.all(t, t.kind in ['Gateway', 'HTTPRoute', 'XListenerSet']) : true" }, { "message": "the 'traffic.phase=PreRouting' field can only target a Gateway or XListenerSet", "rule": "has(self.targetRefs) && has(self.traffic) && has(self.traffic.phase) && self.traffic.phase == 'PreRouting' ? self.targetRefs.all(t, t.kind in ['Gateway', 'XListenerSet']) : true" }, { "message": "the 'traffic.phase=PreRouting' field can only target a Gateway or XListenerSet", "rule": "has(self.targetSelectors) && has(self.traffic) && has(self.traffic.phase) && self.traffic.phase == 'PreRouting' ? self.targetSelectors.all(t, t.kind in ['Gateway', 'XListenerSet']) : true" }, { "message": "exactly one of the fields in [targetRefs targetSelectors] must be set", "rule": "[has(self.targetRefs),has(self.targetSelectors)].filter(x,x==true).size() == 1" } ], "additionalProperties": false }, "status": { "description": "status defines the current state of AgentgatewayPolicy.", "properties": { "ancestors": { "description": "Ancestors is a list of ancestor resources (usually Gateways) that are\nassociated with the policy, and the status of the policy with respect to\neach ancestor. When this policy attaches to a parent, the controller that\nmanages the parent and the ancestors MUST add an entry to this list when\nthe controller first sees the policy and SHOULD update the entry as\nappropriate when the relevant ancestor is modified.\n\nNote that choosing the relevant ancestor is left to the Policy designers;\nan important part of Policy design is designing the right object level at\nwhich to namespace this status.\n\nNote also that implementations MUST ONLY populate ancestor status for\nthe Ancestor resources they are responsible for. Implementations MUST\nuse the ControllerName field to uniquely identify the entries in this list\nthat they are responsible for.\n\nNote that to achieve this, the list of PolicyAncestorStatus structs\nMUST be treated as a map with a composite key, made up of the AncestorRef\nand ControllerName fields combined.\n\nA maximum of 16 ancestors will be represented in this list. An empty list\nmeans the Policy is not relevant for any ancestors.\n\nIf this slice is full, implementations MUST NOT add further entries.\nInstead they MUST consider the policy unimplementable and signal that\non any related resources such as the ancestor that would be referenced\nhere. For example, if this list was full on BackendTLSPolicy, no\nadditional Gateways would be able to reference the Service targeted by\nthe BackendTLSPolicy.", "items": { "description": "PolicyAncestorStatus describes the status of a route with respect to an\nassociated Ancestor.\n\nAncestors refer to objects that are either the Target of a policy or above it\nin terms of object hierarchy. For example, if a policy targets a Service, the\nPolicy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and\nthe GatewayClass. Almost always, in this hierarchy, the Gateway will be the most\nuseful object to place Policy status on, so we recommend that implementations\nSHOULD use Gateway as the PolicyAncestorStatus object unless the designers\nhave a _very_ good reason otherwise.\n\nIn the context of policy attachment, the Ancestor is used to distinguish which\nresource results in a distinct application of this policy. For example, if a policy\ntargets a Service, it may have a distinct result per attached Gateway.\n\nPolicies targeting the same resource may have different effects depending on the\nancestors of those resources. For example, different Gateways targeting the same\nService may have different capabilities, especially if they have different underlying\nimplementations.\n\nFor example, in BackendTLSPolicy, the Policy attaches to a Service that is\nused as a backend in a HTTPRoute that is itself attached to a Gateway.\nIn this case, the relevant object for status is the Gateway, and that is the\nancestor object referred to in this status.\n\nNote that a parent is also an ancestor, so for objects where the parent is the\nrelevant object for status, this struct SHOULD still be used.\n\nThis struct is intended to be used in a slice that's effectively a map,\nwith a composite key made up of the AncestorRef and the ControllerName.", "properties": { "ancestorRef": { "description": "AncestorRef corresponds with a ParentRef in the spec that this\nPolicyAncestorStatus struct describes the status of.", "properties": { "group": { "default": "gateway.networking.k8s.io", "description": "Group is the group of the referent.\nWhen unspecified, \"gateway.networking.k8s.io\" is inferred.\nTo set the core API group (such as for a \"Service\" kind referent),\nGroup must be explicitly set to \"\" (empty string).\n\nSupport: Core", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "default": "Gateway", "description": "Kind is kind of the referent.\n\nThere are two kinds of parent resources with \"Core\" support:\n\n* Gateway (Gateway conformance profile)\n* Service (Mesh conformance profile, ClusterIP Services only)\n\nSupport for other resources is Implementation-Specific.", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "Name is the name of the referent.\n\nSupport: Core", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "Namespace is the namespace of the referent. When unspecified, this refers\nto the local namespace of the Route.\n\nNote that there are specific rules for ParentRefs which cross namespace\nboundaries. Cross-namespace references are only valid if they are explicitly\nallowed by something in the namespace they are referring to. For example:\nGateway has the AllowedRoutes field, and ReferenceGrant provides a\ngeneric way to enable any other kind of cross-namespace reference.\n\n\nParentRefs from a Route to a Service in the same namespace are \"producer\"\nroutes, which apply default routing rules to inbound connections from\nany namespace to the Service.\n\nParentRefs from a Route to a Service in a different namespace are\n\"consumer\" routes, and these routing rules are only applied to outbound\nconnections originating from the same namespace as the Route, for which\nthe intended destination of the connections are a Service targeted as a\nParentRef of the Route.\n\n\nSupport: Core", "maxLength": 63, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "port": { "description": "Port is the network port this Route targets. It can be interpreted\ndifferently based on the type of parent resource.\n\nWhen the parent resource is a Gateway, this targets all listeners\nlistening on the specified port that also support this kind of Route(and\nselect this Route). It's not recommended to set `Port` unless the\nnetworking behaviors specified in a Route must apply to a specific port\nas opposed to a listener(s) whose port(s) may be changed. When both Port\nand SectionName are specified, the name and port of the selected listener\nmust match both specified values.\n\n\nWhen the parent resource is a Service, this targets a specific port in the\nService spec. When both Port (experimental) and SectionName are specified,\nthe name and port of the selected port must match both specified values.\n\n\nImplementations MAY choose to support other parent resources.\nImplementations supporting other types of parent resources MUST clearly\ndocument how/if Port is interpreted.\n\nFor the purpose of status, an attachment is considered successful as\nlong as the parent resource accepts it partially. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment\nfrom the referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route,\nthe Route MUST be considered detached from the Gateway.\n\nSupport: Extended", "format": "int32", "maximum": 65535, "minimum": 1, "type": "integer" }, "sectionName": { "description": "SectionName is the name of a section within the target resource. In the\nfollowing resources, SectionName is interpreted as the following:\n\n* Gateway: Listener name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n* Service: Port name. When both Port (experimental) and SectionName\nare specified, the name and port of the selected listener must match\nboth specified values.\n\nImplementations MAY choose to support attaching Routes to other resources.\nIf that is the case, they MUST clearly document how SectionName is\ninterpreted.\n\nWhen unspecified (empty string), this will reference the entire resource.\nFor the purpose of status, an attachment is considered successful if at\nleast one section in the parent resource accepts it. For example, Gateway\nlisteners can restrict which Routes can attach to them by Route kind,\nnamespace, or hostname. If 1 of 2 Gateway listeners accept attachment from\nthe referencing Route, the Route MUST be considered successfully\nattached. If no Gateway listeners accept attachment from this Route, the\nRoute MUST be considered detached from the Gateway.\n\nSupport: Core", "maxLength": 253, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "Conditions describes the status of the Policy with respect to the given Ancestor.\n\n\n\nNotes for implementors:\n\nConditions are a listType `map`, which means that they function like a\nmap with a key of the `type` field _in the k8s apiserver_.\n\nThis means that implementations must obey some rules when updating this\nsection.\n\n* Implementations MUST perform a read-modify-write cycle on this field\n before modifying it. That is, when modifying this field, implementations\n must be confident they have fetched the most recent version of this field,\n and ensure that changes they make are on that recent version.\n* Implementations MUST NOT remove or reorder Conditions that they are not\n directly responsible for. For example, if an implementation sees a Condition\n with type `special.io/SomeField`, it MUST NOT remove, change or update that\n Condition.\n* Implementations MUST always _merge_ changes into Conditions of the same Type,\n rather than creating more than one Condition of the same Type.\n* Implementations MUST always update the `observedGeneration` field of the\n Condition to the `metadata.generation` of the Gateway at the time of update creation.\n* If the `observedGeneration` of a Condition is _greater than_ the value the\n implementation knows about, then it MUST NOT perform the update on that Condition,\n but must wait for a future reconciliation and status update. (The assumption is that\n the implementation's copy of the object is stale and an update will be re-triggered\n if relevant.)\n\n", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "maxItems": 8, "minItems": 1, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "controllerName": { "description": "ControllerName is a domain/path string that indicates the name of the\ncontroller that wrote this status. This corresponds with the\ncontrollerName field on GatewayClass.\n\nExample: \"example.net/gateway-controller\".\n\nThe format of this field is DOMAIN \"/\" PATH, where DOMAIN and PATH are\nvalid Kubernetes names\n(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).\n\nControllers MUST populate this field when writing status. Controllers should ensure that\nentries to status populated with their ControllerName are cleaned up when they are no\nlonger necessary.", "maxLength": 253, "minLength": 1, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/[A-Za-z0-9\\/\\-._~%!$&'()*+,;=:]+$", "type": "string" } }, "required": [ "ancestorRef", "conditions", "controllerName" ], "type": "object", "additionalProperties": false }, "maxItems": 16, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "ancestors" ], "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }