BackendTrafficPolicy

gateway.envoyproxy.io / v1alpha1

apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: name: example

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object

spec object required

spec defines the desired state of BackendTrafficPolicy.

circuitBreaker object

Circuit Breaker settings for the upstream connections and requests. If not set, circuit breakers will be enabled with the default thresholds

maxConnections integer

The maximum number of connections that Envoy will establish to the referenced backend defined within a xRoute rule.

format: int64

minimum: 0

maximum: 4.294967295e+09

maxParallelRequests integer

The maximum number of parallel requests that Envoy will make to the referenced backend defined within a xRoute rule.

format: int64

minimum: 0

maximum: 4.294967295e+09

maxParallelRetries integer

The maximum number of parallel retries that Envoy will make to the referenced backend defined within a xRoute rule.

format: int64

minimum: 0

maximum: 4.294967295e+09

maxPendingRequests integer

The maximum number of pending requests that Envoy will queue to the referenced backend defined within a xRoute rule.

format: int64

minimum: 0

maximum: 4.294967295e+09

maxRequestsPerConnection integer

The maximum number of requests that Envoy will make over a single connection to the referenced backend defined within a xRoute rule. Default: unlimited.

format: int64

minimum: 0

maximum: 4.294967295e+09

perEndpoint object

PerEndpoint defines Circuit Breakers that will apply per-endpoint for an upstream cluster

maxConnections integer

MaxConnections configures the maximum number of connections that Envoy will establish per-endpoint to the referenced backend defined within a xRoute rule.

format: int64

minimum: 0

maximum: 4.294967295e+09

compression []object

The compression config for the http streams. Deprecated: Use Compressor instead.

brotli object

The configuration for Brotli compressor.

gzip object

The configuration for GZIP compressor.

type string required

CompressorType defines the compressor type to use for compression.

enum: Gzip, Brotli, Zstd

zstd object

The configuration for Zstd compressor.

compressor []object

The compressor config for the http streams. This provides more granular control over compression configuration.

brotli object

The configuration for Brotli compressor.

gzip object

The configuration for GZIP compressor.

type string required

CompressorType defines the compressor type to use for compression.

enum: Gzip, Brotli, Zstd

zstd object

The configuration for Zstd compressor.

connection object

Connection includes backend connection settings.

bufferLimit string | integer

BufferLimit Soft limit on size of the cluster’s connections read and write buffers. BufferLimit applies to connection streaming (maybe non-streaming) channel between processes, it's in user space. If unspecified, an implementation defined default is applied (32768 bytes). For example, 20Mi, 1Gi, 256Ki etc. Note: that when the suffix is not provided, the value is interpreted as bytes.

preconnect object

Preconnect configures proactive upstream connections to reduce latency by establishing connections before they’re needed and avoiding connection establishment overhead. If unset, Envoy will fetch connections as needed to serve in-flight requests.

perEndpointPercent integer

PerEndpointPercent configures how many additional connections to maintain per upstream endpoint, useful for high-QPS or latency sensitive services. Expressed as a percentage of the connections required by active streams (e.g. 100 = preconnect disabled, 105 = 1.05x connections per-endpoint, 200 = 2.00×). Allowed value range is between 100-300. When both PerEndpointPercent and PredictivePercent are set, Envoy ensures both are satisfied (max of the two).

format: int32

minimum: 100

maximum: 300

predictivePercent integer

PredictivePercent configures how many additional connections to maintain across the cluster by anticipating which upstream endpoint the load balancer will select next, useful for low-QPS services. Relies on deterministic loadbalancing and is only supported with Random or RoundRobin. Expressed as a percentage of the connections required by active streams (e.g. 100 = 1.0 (no preconnect), 105 = 1.05× connections across the cluster, 200 = 2.00×). Minimum allowed value is 100. When both PerEndpointPercent and PredictivePercent are set Envoy ensures both are satisfied per host (max of the two).

format: int32

minimum: 100

socketBufferLimit string | integer

SocketBufferLimit provides configuration for the maximum buffer size in bytes for each socket to backend. SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes.

dns object

DNS includes dns resolution settings.

dnsRefreshRate string

DNSRefreshRate specifies the rate at which DNS records should be refreshed. Defaults to 30 seconds.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

lookupFamily string

LookupFamily determines how Envoy would resolve DNS for Routes where the backend is specified as a fully qualified domain name (FQDN). If set, this configuration overrides other defaults.

enum: IPv4, IPv6, IPv4Preferred, IPv6Preferred, IPv4AndIPv6

respectDnsTtl boolean

RespectDNSTTL indicates whether the DNS Time-To-Live (TTL) should be respected. If the value is set to true, the DNS refresh rate will be set to the resource record’s TTL. Defaults to true.

faultInjection object

FaultInjection defines the fault injection policy to be applied. This configuration can be used to inject delays and abort requests to mimic failure scenarios such as service failures and overloads

abort object

If specified, the request will be aborted if it meets the configuration criteria.

grpcStatus integer

GrpcStatus specifies the GRPC status code to be returned

format: int32

httpStatus integer

StatusCode specifies the HTTP status code to be returned

format: int32

minimum: 200

maximum: 600

percentage number

Percentage specifies the percentage of requests to be aborted. Default 100%, if set 0, no requests will be aborted. Accuracy to 0.0001%.

delay object

If specified, a delay will be injected into the request.

fixedDelay string required

FixedDelay specifies the fixed delay duration

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

percentage number

Percentage specifies the percentage of requests to be delayed. Default 100%, if set 0, no requests will be delayed. Accuracy to 0.0001%.

healthCheck object

HealthCheck allows gateway to perform active health checking on backends.

active object

Active health check configuration

grpc object

GRPC defines the configuration of the GRPC health checker. It's optional, and can only be used if the specified type is GRPC.

service string

Service to send in the health check request. If this is not specified, then the health check request applies to the entire server and not to a specific service.

healthyThreshold integer

HealthyThreshold defines the number of healthy health checks required before a backend host is marked healthy.

format: int32

minimum: 1

http object

HTTP defines the configuration of http health checker. It's required while the health checker type is HTTP.

expectedResponse object

ExpectedResponse defines a list of HTTP expected responses to match.

binary string

Binary payload base64 encoded.

format: byte

text string

Text payload in plain text.

type string required

Type defines the type of the payload.

expectedStatuses []integer

ExpectedStatuses defines a list of HTTP response statuses considered healthy. Defaults to 200 only

hostname string

Hostname defines the HTTP host that will be requested during health checking. Default: HTTPRoute or GRPCRoute hostname.

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

minLength: 1

maxLength: 253

method string

Method defines the HTTP method used for health checking. Defaults to GET

path string required

Path defines the HTTP path that will be requested during health checking.

minLength: 1

maxLength: 1024

initialJitter string

InitialJitter defines the maximum time Envoy will wait before the first health check. Envoy will randomly select a value between 0 and the initial jitter value.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

interval string

Interval defines the time between active health checks.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

tcp object

TCP defines the configuration of tcp health checker. It's required while the health checker type is TCP.

receive object

Receive defines the expected response payload.

binary string

Binary payload base64 encoded.

format: byte

text string

Text payload in plain text.

type string required

Type defines the type of the payload.

send object

Send defines the request payload.

binary string

Binary payload base64 encoded.

format: byte

text string

Text payload in plain text.

type string required

Type defines the type of the payload.

timeout string

Timeout defines the time to wait for a health check response.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

type string required

Type defines the type of health checker.

unhealthyThreshold integer

UnhealthyThreshold defines the number of unhealthy health checks required before a backend host is marked unhealthy.

format: int32

minimum: 1

panicThreshold integer

When number of unhealthy endpoints for a backend reaches this threshold Envoy will disregard health status and balance across all endpoints. It's designed to prevent a situation in which host failures cascade throughout the cluster as load increases. If not set, the default value is 50%. To disable panic mode, set value to `0`.

format: int32

minimum: 0

maximum: 100

passive object

Passive passive check configuration

baseEjectionTime string

BaseEjectionTime defines the base duration for which a host will be ejected on consecutive failures.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

consecutive5XxErrors integer

Consecutive5xxErrors sets the number of consecutive 5xx errors triggering ejection.

format: int32

consecutiveGatewayErrors integer

ConsecutiveGatewayErrors sets the number of consecutive gateway errors triggering ejection.

format: int32

consecutiveLocalOriginFailures integer

ConsecutiveLocalOriginFailures sets the number of consecutive local origin failures triggering ejection. Parameter takes effect only when split_external_local_origin_errors is set to true.

format: int32

failurePercentageThreshold integer

FailurePercentageThreshold sets the failure percentage threshold for outlier detection. If the failure percentage of a given host is greater than or equal to this value, it will be ejected. Defaults to 85.

format: int32

minimum: 0

maximum: 100

interval string

Interval defines the time between passive health checks.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

maxEjectionPercent integer

MaxEjectionPercent sets the maximum percentage of hosts in a cluster that can be ejected.

format: int32

splitExternalLocalOriginErrors boolean

SplitExternalLocalOriginErrors enables splitting of errors between external and local origin.

http2 object

HTTP2 provides HTTP/2 configuration for backend connections.

initialConnectionWindowSize string | integer

InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. If not set, the default value is 1 MiB.

initialStreamWindowSize string | integer

InitialStreamWindowSize sets the initial window size for HTTP/2 streams. If not set, the default value is 64 KiB(64*1024).

maxConcurrentStreams integer

MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. If not set, the default value is 100.

format: int32

minimum: 1

maximum: 2.147483647e+09

onInvalidMessage string

OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error It's recommended for L2 Envoy deployments to set this value to TerminateStream. https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two Default: TerminateConnection

httpUpgrade []object

HTTPUpgrade defines the configuration for HTTP protocol upgrades. If not specified, the default upgrade configuration(websocket) will be used.

connect object

Connect specifies the configuration for the CONNECT config. This is allowed only when type is CONNECT.

terminate boolean

Terminate the CONNECT request, and forwards the payload as raw TCP data.

type string required

Type is the case-insensitive type of protocol upgrade. e.g. `websocket`, `CONNECT`, `spdy/3.1` etc.

loadBalancer object

LoadBalancer policy to apply when routing traffic from the gateway to the backend endpoints. Defaults to `LeastRequest`.

consistentHash object

ConsistentHash defines the configuration when the load balancer type is set to ConsistentHash

cookie object

Cookie configures the cookie hash policy when the consistent hash type is set to Cookie.

attributes object

Additional Attributes to set for the generated cookie.

name string required

Name of the cookie to hash. If this cookie does not exist in the request, Envoy will generate a cookie and set the TTL on the response back to the client based on Layer 4 attributes of the backend endpoint, to ensure that these future requests go to the same backend endpoint. Make sure to set the TTL field for this case.

ttl string

TTL of the generated cookie if the cookie is not present. This value sets the Max-Age attribute value.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

header object

Header configures the header hash policy when the consistent hash type is set to Header. Deprecated: use Headers instead

name string required

Name of the header to hash.

headers []object

Headers configures the header hash policy for each header, when the consistent hash type is set to Headers.

name string required

Name of the header to hash.

tableSize integer

The table size for consistent hashing, must be prime number limited to 5000011.

format: int64

minimum: 2

maximum: 5.000011e+06

type string required

ConsistentHashType defines the type of input to hash on. Valid Type values are "SourceIP", "Header", "Headers", "Cookie".

enum: SourceIP, Header, Headers, Cookie

endpointOverride object

EndpointOverride defines the configuration for endpoint override. When specified, the load balancer will attempt to route requests to endpoints based on the override information extracted from request headers or metadata. If the override endpoints are not available, the configured load balancer policy will be used as fallback.

extractFrom []object required

ExtractFrom defines the sources to extract endpoint override information from.

minItems: 1

maxItems: 10

header string

Header defines the header to get the override endpoint addresses. The header value must specify at least one endpoint in `IP:Port` format or multiple endpoints in `IP:Port,IP:Port,...` format. For example `10.0.0.5:8080` or `[2600:4040:5204::1574:24ae]:80`. The IPv6 address is enclosed in square brackets.

slowStart object

SlowStart defines the configuration related to the slow start load balancer policy. If set, during slow start window, traffic sent to the newly added hosts will gradually increase. Currently this is only supported for RoundRobin and LeastRequest load balancers

window string required

Window defines the duration of the warm up period for newly added host. During slow start window, traffic sent to the newly added hosts will gradually increase. Currently only supports linear growth of traffic. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-slowstartconfig

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

type string required

Type decides the type of Load Balancer policy. Valid LoadBalancerType values are "ConsistentHash", "LeastRequest", "Random", "RoundRobin".

enum: ConsistentHash, LeastRequest, Random, RoundRobin

zoneAware object

ZoneAware defines the configuration related to the distribution of requests between locality zones.

preferLocal object

PreferLocalZone configures zone-aware routing to prefer sending traffic to the local locality zone.

force object

ForceLocalZone defines override configuration for forcing all traffic to stay within the local zone instead of the default behavior which maintains equal distribution among upstream endpoints while sending as much traffic as possible locally.

minEndpointsInZoneThreshold integer

MinEndpointsInZoneThreshold is the minimum number of upstream endpoints in the local zone required to honor the forceLocalZone override. This is useful for protecting zones with fewer endpoints.

format: int32

minEndpointsThreshold integer

MinEndpointsThreshold is the minimum number of total upstream endpoints across all zones required to enable zone-aware routing.

format: int64

percentageEnabled integer

Configures percentage of requests that will be considered for zone aware routing if zone aware routing is configured. If not specified, Envoy defaults to 100%.

format: int32

minimum: 0

maximum: 100

mergeType string

MergeType determines how this configuration is merged with existing BackendTrafficPolicy configurations targeting a parent resource. When set, this configuration will be merged into a parent BackendTrafficPolicy (i.e. the one targeting a Gateway or Listener). This field cannot be set when targeting a parent resource (Gateway). If unset, no merging occurs, and only the most specific configuration takes effect.

proxyProtocol object

ProxyProtocol enables the Proxy Protocol when communicating with the backend.

version string required

Version of ProxyProtol Valid ProxyProtocolVersion values are "V1" "V2"

enum: V1, V2

rateLimit object

RateLimit allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow.

global object

Global defines global rate limit configuration.

rules []object required

Rules are a list of RateLimit selectors and limits. Each rule and its associated limit is applied in a mutually exclusive way. If a request matches multiple rules, each of their associated limits get applied, so a single request might increase the rate limit counters for multiple rules if selected. The rate limit service will return a logical OR of the individual rate limit decisions of all matching rules. For example, if a request matches two rules, one rate limited and one not, the final decision will be to rate limit the request.

maxItems: 128

clientSelectors []object

ClientSelectors holds the list of select conditions to select specific clients using attributes from the traffic flow. All individual select conditions must hold True for this rule and its limit to be applied. If no client selectors are specified, the rule applies to all traffic of the targeted Route. If the policy targets a Gateway, the rule applies to each Route of the Gateway. Please note that each Route has its own rate limit counters. For example, if a Gateway has two Routes, and the policy has a rule with limit 10rps, each Route will have its own 10rps limit.

maxItems: 8

headers []object

Headers is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers.

maxItems: 16

invert boolean

Invert specifies whether the value match result will be inverted. Do not set this field when Type="Distinct", implying matching on any/all unique values within the header.

name string required

Name of the HTTP header. The header name is case-insensitive unless PreserveHeaderCase is set to true. For example, "Foo" and "foo" are considered the same header.

minLength: 1

maxLength: 256

type string

Type specifies how to match against the value of the header.

enum: Exact, RegularExpression, Distinct

value string

Value within the HTTP header. Do not set this field when Type="Distinct", implying matching on any/all unique values within the header.

maxLength: 1024

methods []object

Methods is a list of request methods to match. Multiple method values are ORed together, meaning, a request can match any one of the specified methods. If not specified, it matches all methods.

invert boolean

Invert specifies whether the value match result will be inverted.

value string required

Value specifies the HTTP method.

enum: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH

path object

Path is the request path to match. Support Exact, PathPrefix and RegularExpression match types.

invert boolean

Invert specifies whether the value match result will be inverted.

type string

Type specifies how to match against the value of the path.

enum: Exact, PathPrefix, RegularExpression

value string required

Value specifies the HTTP path.

maxLength: 1024

sourceCIDR object

SourceCIDR is the client IP Address range to match on.

type string

enum: Exact, Distinct

value string required

Value is the IP CIDR that represents the range of Source IP Addresses of the client. These could also be the intermediate addresses through which the request has flown through and is part of the `X-Forwarded-For` header. For example, `192.168.0.1/32`, `192.168.0.0/24`, `001:db8::/64`.

minLength: 1

maxLength: 256

cost object

Cost specifies the cost of requests and responses for the rule. This is optional and if not specified, the default behavior is to reduce the rate limit counters by 1 on the request path and do not reduce the rate limit counters on the response path.

request object

Request specifies the number to reduce the rate limit counters on the request path. If this is not specified, the default behavior is to reduce the rate limit counters by 1. When Envoy receives a request that matches the rule, it tries to reduce the rate limit counters by the specified number. If the counter doesn't have enough capacity, the request is rate limited.

from string required

From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported.

enum: Number, Metadata

metadata object

Metadata specifies the per-request metadata to retrieve the usage number from.

key string required

Key is the key to retrieve the usage number from the filter metadata.

namespace string required

Namespace is the namespace of the dynamic metadata.

number integer

Number specifies the fixed usage number to reduce the rate limit counters. Using zero can be used to only check the rate limit counters without reducing them.

format: int64

response object

Response specifies the number to reduce the rate limit counters after the response is sent back to the client or the request stream is closed. The cost is used to reduce the rate limit counters for the matching requests. Since the reduction happens after the request stream is complete, the rate limit won't be enforced for the current request, but for the subsequent matching requests. This is optional and if not specified, the rate limit counters are not reduced on the response path. Currently, this is only supported for HTTP Global Rate Limits.

from string required

From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported.

enum: Number, Metadata

metadata object

Metadata specifies the per-request metadata to retrieve the usage number from.

key string required

Key is the key to retrieve the usage number from the filter metadata.

namespace string required

Namespace is the namespace of the dynamic metadata.

number integer

Number specifies the fixed usage number to reduce the rate limit counters. Using zero can be used to only check the rate limit counters without reducing them.

format: int64

limit object required

Limit holds the rate limit values. This limit is applied for traffic flows when the selectors compute to True, causing the request to be counted towards the limit. The limit is enforced and the request is ratelimited, i.e. a response with 429 HTTP status code is sent back to the client when the selected requests have reached the limit.

requests integer required

unit string required

RateLimitUnit specifies the intervals for setting rate limits. Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year".

enum: Second, Minute, Hour, Day, Month, Year

shared boolean

Shared determines whether this rate limit rule applies across all the policy targets. If set to true, the rule is treated as a common bucket and is shared across all policy targets (xRoutes). Default: false.

local object

Local defines local rate limit configuration.

rules []object

Rules are a list of RateLimit selectors and limits. If a request matches multiple rules, the strictest limit is applied. For example, if a request matches two rules, one with 10rps and one with 20rps, the final limit will be based on the rule with 10rps.

maxItems: 16

clientSelectors []object

maxItems: 8

headers []object

Headers is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers.

maxItems: 16

invert boolean

Invert specifies whether the value match result will be inverted. Do not set this field when Type="Distinct", implying matching on any/all unique values within the header.

name string required

Name of the HTTP header. The header name is case-insensitive unless PreserveHeaderCase is set to true. For example, "Foo" and "foo" are considered the same header.

minLength: 1

maxLength: 256

type string

Type specifies how to match against the value of the header.

enum: Exact, RegularExpression, Distinct

value string

Value within the HTTP header. Do not set this field when Type="Distinct", implying matching on any/all unique values within the header.

maxLength: 1024

methods []object

Methods is a list of request methods to match. Multiple method values are ORed together, meaning, a request can match any one of the specified methods. If not specified, it matches all methods.

invert boolean

Invert specifies whether the value match result will be inverted.

value string required

Value specifies the HTTP method.

enum: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH

path object

Path is the request path to match. Support Exact, PathPrefix and RegularExpression match types.

invert boolean

Invert specifies whether the value match result will be inverted.

type string

Type specifies how to match against the value of the path.

enum: Exact, PathPrefix, RegularExpression

value string required

Value specifies the HTTP path.

maxLength: 1024

sourceCIDR object

SourceCIDR is the client IP Address range to match on.

type string

enum: Exact, Distinct

value string required

minLength: 1

maxLength: 256

cost object

request object

from string required

From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported.

enum: Number, Metadata

metadata object

Metadata specifies the per-request metadata to retrieve the usage number from.

key string required

Key is the key to retrieve the usage number from the filter metadata.

namespace string required

Namespace is the namespace of the dynamic metadata.

number integer

Number specifies the fixed usage number to reduce the rate limit counters. Using zero can be used to only check the rate limit counters without reducing them.

format: int64

response object

from string required

From specifies where to get the rate limit cost. Currently, only "Number" and "Metadata" are supported.

enum: Number, Metadata

metadata object

Metadata specifies the per-request metadata to retrieve the usage number from.

key string required

Key is the key to retrieve the usage number from the filter metadata.

namespace string required

Namespace is the namespace of the dynamic metadata.

number integer

Number specifies the fixed usage number to reduce the rate limit counters. Using zero can be used to only check the rate limit counters without reducing them.

format: int64

limit object required

requests integer required

unit string required

RateLimitUnit specifies the intervals for setting rate limits. Valid RateLimitUnit values are "Second", "Minute", "Hour", "Day", "Month" and "Year".

enum: Second, Minute, Hour, Day, Month, Year

shared boolean

type string

Type decides the scope for the RateLimits. Valid RateLimitType values are "Global" or "Local". Deprecated: Use Global and/or Local fields directly instead. Both can be specified simultaneously for combined rate limiting.

enum: Global, Local

requestBuffer object

RequestBuffer allows the gateway to buffer and fully receive each request from a client before continuing to send the request upstream to the backends. This can be helpful to shield your backend servers from slow clients, and also to enforce a maximum size per request as any requests larger than the buffer size will be rejected. This can have a negative performance impact so should only be enabled when necessary. When enabling this option, you should also configure your connection buffer size to account for these request buffers. There will also be an increase in memory usage for Envoy that should be accounted for in your deployment settings.

limit string | integer

Limit specifies the maximum allowed size in bytes for each incoming request buffer. If exceeded, the request will be rejected with HTTP 413 Content Too Large. Accepts values in resource.Quantity format (e.g., "10Mi", "500Ki").

responseOverride []object

ResponseOverride defines the configuration to override specific responses with a custom one. If multiple configurations are specified, the first one to match wins.

match object required

Match configuration.

statusCodes []object required

Status code to match on. The match evaluates to true if any of the matches are successful.

minItems: 1

maxItems: 50

range object

Range contains the range of status codes.

end integer required

End of the range, including the end value.

start integer required

Start of the range, including the start value.

type string required

Type is the type of value. Valid values are Value and Range, default is Value.

value integer

Value contains the value of the status code.

redirect object

Redirect configuration

hostname string

Hostname is the hostname to be used in the value of the `Location` header in the response. When empty, the hostname in the `Host` header of the request is used.

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

minLength: 1

maxLength: 253

path object

Path defines parameters used to modify the path of the incoming request. The modified path is then used to construct the `Location` header. When empty, the request path is used as-is. Only ReplaceFullPath path modifier is supported currently.

replaceFullPath string

ReplaceFullPath specifies the value with which to replace the full path of a request during a rewrite or redirect.

maxLength: 1024

replacePrefixMatch string

ReplacePrefixMatch specifies the value with which to replace the prefix match of a request during a rewrite or redirect. For example, a request to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch of "/xyz" would be modified to "/xyz/bar". Note that this matches the behavior of the PathPrefix match type. This matches full path elements. A path element refers to the list of labels in the path split by the `/` separator. When specified, a trailing `/` is ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all match the prefix `/abc`, but the path `/abcd` would not. ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in the implementation setting the Accepted Condition for the Route to `status: False`. Request Path | Prefix Match | Replace Prefix | Modified Path

maxLength: 1024

type string required

Type defines the type of path modifier. Additional types may be added in a future release of the API. Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`.

enum: ReplaceFullPath, ReplacePrefixMatch

port integer

Port is the port to be used in the value of the `Location` header in the response. If redirect scheme is not-empty, the well-known port associated with the redirect scheme will be used. Specifically "http" to port 80 and "https" to port 443. If the redirect scheme does not have a well-known port or redirect scheme is empty, the listener port of the Gateway will be used. Port will not be added in the 'Location' header if scheme is HTTP and port is 80 or scheme is HTTPS and port is 443.

format: int32

scheme string

Scheme is the scheme to be used in the value of the `Location` header in the response. When empty, the scheme of the request is used.

enum: http, https

statusCode integer

StatusCode is the HTTP status code to be used in response.

enum: 301, 302

response object

Response configuration.

body object

Body of the Custom Response Supports Envoy command operators for dynamic content (see https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators).

inline string

Inline contains the value as an inline string.

type string required

Type is the type of method to use to read the body value. Valid values are Inline and ValueRef, default is Inline.

valueRef object

ValueRef contains the contents of the body specified as a local object reference. Only a reference to ConfigMap is supported. The value of key `response.body` in the ConfigMap will be used as the response body. If the key is not found, the first value in the ConfigMap will be used.

group string required

Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.

pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

maxLength: 253

kind string required

Kind is kind of the referent. For example "HTTPRoute" or "Service".

pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

minLength: 1

maxLength: 63

name string required

Name is the name of the referent.

minLength: 1

maxLength: 253

contentType string

Content Type of the response. This will be set in the Content-Type header.

header object

Header defines headers to add, set or remove from the response. This allows the response policy to append, add or override headers of the final response before it is sent to a downstream client. Note: Header removal is not supported for responseOverride.

add []object

Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name. Input: GET /foo HTTP/1.1 my-header: foo Config: add: - name: "my-header" value: "bar,baz" Output: GET /foo HTTP/1.1 my-header: foo,bar,baz

maxItems: 16

name string required

Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent.

pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$

minLength: 1

maxLength: 256

value string required

Value is the value of HTTP Header to be matched.

minLength: 1

maxLength: 4096

remove []string

Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). Input: GET /foo HTTP/1.1 my-header1: foo my-header2: bar my-header3: baz Config: remove: ["my-header1", "my-header3"] Output: GET /foo HTTP/1.1 my-header2: bar

maxItems: 16

set []object

Set overwrites the request with the given header (name, value) before the action. Input: GET /foo HTTP/1.1 my-header: foo Config: set: - name: "my-header" value: "bar" Output: GET /foo HTTP/1.1 my-header: bar

maxItems: 16

name string required

pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$

minLength: 1

maxLength: 256

value string required

Value is the value of HTTP Header to be matched.

minLength: 1

maxLength: 4096

statusCode integer

Status Code of the Custom Response If unset, does not override the status of response.

retry object

Retry provides more advanced usage, allowing users to customize the number of retries, retry fallback strategy, and retry triggering conditions. If not set, retry will be disabled.

numAttemptsPerPriority integer

NumAttemptsPerPriority defines the number of requests (initial attempt + retries) that should be sent to the same priority before switching to a different one. If not specified or set to 0, all requests are sent to the highest priority that is healthy.

format: int32

numRetries integer

NumRetries is the number of retries to be attempted. Defaults to 2.

format: int32

minimum: 0

perRetry object

PerRetry is the retry policy to be applied per retry attempt.

backOff object

Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential back-off algorithm for retries. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries

baseInterval string

BaseInterval is the base interval between retries.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

maxInterval string

MaxInterval is the maximum interval between retries. This parameter is optional, but must be greater than or equal to the base_interval if set. The default is 10 times the base_interval

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

timeout string

Timeout is the timeout per retry attempt.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

retryOn object

RetryOn specifies the retry trigger condition. If not specified, the default is to retry on connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).

httpStatusCodes []integer

HttpStatusCodes specifies the http status codes to be retried. The retriable-status-codes trigger must also be configured for these status codes to trigger a retry.

triggers []string

Triggers specifies the retry trigger condition(Http/Grpc).

targetRef object

TargetRef is the name of the resource this policy is being attached to. This policy and the TargetRef MUST be in the same namespace for this Policy to have effect Deprecated: use targetRefs/targetSelectors instead

group string required

Group is the group of the target resource.

pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

maxLength: 253

kind string required

Kind is kind of the target resource.

pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

minLength: 1

maxLength: 63

name string required

Name is the name of the target resource.

minLength: 1

maxLength: 253

sectionName string

SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status.

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

minLength: 1

maxLength: 253

targetRefs []object

TargetRefs are the names of the Gateway resources this policy is being attached to.

group string required

Group is the group of the target resource.

pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

maxLength: 253

kind string required

Kind is kind of the target resource.

pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

minLength: 1

maxLength: 63

name string required

Name is the name of the target resource.

minLength: 1

maxLength: 253

sectionName string

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

minLength: 1

maxLength: 253

targetSelectors []object

TargetSelectors allow targeting resources for this policy based on labels

group string

Group is the group that this selector targets. Defaults to gateway.networking.k8s.io

pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

maxLength: 253

kind string required

Kind is the resource kind that this selector targets.

pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

minLength: 1

maxLength: 63

matchExpressions []object

MatchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

MatchLabels are the set of label selectors for identifying the targeted resource

tcpKeepalive object

TcpKeepalive settings associated with the upstream client connection. Disabled by default.

idleTime string

The duration a connection needs to be idle before keep-alive probes start being sent. The duration format is Defaults to `7200s`.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

interval string

The duration between keep-alive probes. Defaults to `75s`.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

probes integer

The total number of unacknowledged probes to send before deciding the connection is dead. Defaults to 9.

format: int32

telemetry object

Telemetry configures the telemetry settings for the policy target (Gateway or xRoute). This will override the telemetry settings in the EnvoyProxy resource.

tracing object

Tracing configures the tracing settings for the backend or HTTPRoute.

customTags object

CustomTags defines the custom tags to add to each span. If provider is kubernetes, pod name and namespace are added by default.

samplingFraction object

SamplingFraction represents the fraction of requests that should be selected for tracing if no prior sampling decision has been made. This will take precedence over sampling fraction on EnvoyProxy if set.

denominator integer

format: int32

minimum: 1

numerator integer required

format: int32

minimum: 0

timeout object

Timeout settings for the backend connections.

http object

Timeout settings for HTTP.

connectionIdleTimeout string

The idle timeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. Default: 1 hour.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

maxConnectionDuration string

The maximum duration of an HTTP connection. Default: unlimited.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

maxStreamDuration string

MaxStreamDuration is the maximum duration for a stream to complete. This timeout measures the time from when the request is sent until the response stream is fully consumed and does not apply to non-streaming requests. When set to "0s", no max duration is applied and streams can run indefinitely.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

requestTimeout string

RequestTimeout is the time until which entire response is received from the upstream.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

tcp object

Timeout settings for TCP.

connectTimeout string

The timeout for network connection establishment, including TCP and TLS handshakes. Default: 10 seconds.

pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$

useClientProtocol boolean

UseClientProtocol configures Envoy to prefer sending requests to backends using the same HTTP protocol that the incoming request used. Defaults to false, which means that Envoy will use the protocol indicated by the attached BackendRef.

status object

status defines the current status of BackendTrafficPolicy.

ancestors []object required

Ancestors is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy.

maxItems: 16

ancestorRef object required

AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of.

group string

Group is the group of the referent. When unspecified, "gateway.networking.k8s.io" is inferred. To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). Support: Core

pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

maxLength: 253

kind string

Kind is kind of the referent. There are two kinds of parent resources with "Core" support: * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) Support for other resources is Implementation-Specific.

pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

minLength: 1

maxLength: 63

name string required

Name is the name of the referent. Support: Core

minLength: 1

maxLength: 253

namespace string

Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. <gateway:experimental:description> ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. </gateway:experimental:description> Support: Core

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

minLength: 1

maxLength: 63

port integer

Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. <gateway:experimental:description> When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. </gateway:experimental:description> Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Extended

format: int32

minimum: 1

maximum: 65535

sectionName string

SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Core

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

minLength: 1

maxLength: 253

conditions []object required

Conditions describes the status of the Policy with respect to the given Ancestor. <gateway:util:excludeFromCRD> Notes for implementors: Conditions are a listType `map`, which means that they function like a map with a key of the `type` field _in the k8s apiserver_. This means that implementations must obey some rules when updating this section. * Implementations MUST perform a read-modify-write cycle on this field before modifying it. That is, when modifying this field, implementations must be confident they have fetched the most recent version of this field, and ensure that changes they make are on that recent version. * Implementations MUST NOT remove or reorder Conditions that they are not directly responsible for. For example, if an implementation sees a Condition with type `special.io/SomeField`, it MUST NOT remove, change or update that Condition. * Implementations MUST always _merge_ changes into Conditions of the same Type, rather than creating more than one Condition of the same Type. * Implementations MUST always update the `observedGeneration` field of the Condition to the `metadata.generation` of the Gateway at the time of update creation. * If the `observedGeneration` of a Condition is _greater than_ the value the implementation knows about, then it MUST NOT perform the update on that Condition, but must wait for a future reconciliation and status update. (The assumption is that the implementation's copy of the object is stale and an update will be re-triggered if relevant.) </gateway:util:excludeFromCRD>

minItems: 1

maxItems: 8

lastTransitionTime string required

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

format: date-time

message string required

message is a human readable message indicating details about the transition. This may be an empty string.

maxLength: 32768

observedGeneration integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

format: int64

minimum: 0

reason string required

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$

minLength: 1

maxLength: 1024

status string required

status of the condition, one of True, False, Unknown.

enum: True, False, Unknown

type string required

type of condition in CamelCase or in foo.example.com/CamelCase.

pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

maxLength: 316

controllerName string required

ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: "example.net/gateway-controller". The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$

minLength: 1

maxLength: 253

No matches. Try .spec.circuitBreaker for an exact path