ClientTrafficPolicy
gateway.envoyproxy.io / v1alpha1
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object required
Spec defines the desired state of ClientTrafficPolicy.
clientIPDetection object
ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
customHeader object
CustomHeader provides configuration for determining the client IP address for a request based on
a trusted custom HTTP header. This uses the custom_header original IP detection extension.
Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
for more details.
failClosed
boolean
FailClosed is a switch used to control the flow of traffic when client IP detection
fails. If set to true, the listener will respond with 403 Forbidden when the client
IP address cannot be determined.
name
string required
Name of the header containing the original downstream remote address, if present.
pattern:
^[A-Za-z0-9-]+$
minLength:
1
maxLength:
255
xForwardedFor object
XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
numTrustedHops
integer
NumTrustedHops specifies how many trusted hops to count from the rightmost side of
the X-Forwarded-For (XFF) header when determining the original client’s IP address.
If NumTrustedHops is set to N, the client IP is taken from the Nth address from the
right end of the XFF header.
Example:
XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
NumTrustedHops = 2
→ Trusted client address = 203.0.113.10
Only one of NumTrustedHops or TrustedCIDRs should be configured.
format:
int32
trustedCIDRs
[]string
TrustedCIDRs is a list of CIDR ranges to trust when evaluating
the remote IP address to determine the original client’s IP address.
When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent,
each entry in the x-forwarded-for header is evaluated from right to left
and the first public non-trusted address is used as the original client address.
If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used.
Only one of NumTrustedHops and TrustedCIDRs must be set.
minItems:
1
connection object
Connection includes client connection settings.
bufferLimit
string | integer
BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection.
BufferLimit bounds the user-space buffer Envoy holds per connection (the streaming channel between processes); the kernel socket buffer is bounded separately by SocketBufferLimit.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
Default: 32768 bytes.
connectionLimit object
ConnectionLimit defines limits related to connections
closeDelay
string
CloseDelay defines the delay to use before closing connections that are rejected
once the limit value is reached.
Default: none.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
maxConnectionDuration
string
MaxConnectionDuration is the maximum amount of time a connection can remain established
(usually via TCP/HTTP Keepalive packets) before being drained and/or closed.
If not specified, there is no limit.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
maxRequestsPerConnection
integer
MaxRequestsPerConnection defines the maximum number of requests allowed over a single connection.
If not specified, there is no limit. Setting this parameter to 1 will effectively disable keep alive.
format:
int32
maxStreamDuration
string
MaxStreamDuration is the maximum amount of time to keep alive an http stream. When the limit is reached
the stream will be reset independent of any other timeouts. If not specified, no value is set.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
value
integer required
Value of the maximum concurrent connections limit.
When the limit is reached, incoming connections will be closed after the CloseDelay duration.
format:
int64
minimum:
1
maxAcceptPerSocketEvent
integer
MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel
per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over
this threshold will be accepted in later event loop iterations.
Defaults to 1 and can be disabled by setting to 0 for allowing unlimited accepted connections.
format:
int32
socketBufferLimit
string | integer
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each incoming socket.
SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space.
For example, 20Mi, 1Gi, 256Ki etc.
Note that when the suffix is not provided, the value is interpreted as bytes.
enableProxyProtocol
boolean
EnableProxyProtocol interprets the ProxyProtocol header and adds the
Client Address into the X-Forwarded-For header.
Note Proxy Protocol must be present when this field is set, else the connection
is closed.
Deprecated: Use ProxyProtocol instead.
headers object
HeaderSettings provides configuration for header management.
disableRateLimitHeaders
boolean
DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers
when rate limiting is enabled.
earlyRequestHeaders object
EarlyRequestHeaders defines settings for early request header modification, before envoy performs
routing, tracing and built-in header manipulation.
add []object
Add adds the given header(s) (name, value) to the request
before the action. It appends to any existing values associated
with the header name.
Input:
GET /foo HTTP/1.1
my-header: foo
Config:
add:
- name: "my-header"
value: "bar,baz"
Output:
GET /foo HTTP/1.1
my-header: foo,bar,baz
maxItems:
64
name
string required
Name is the name of the HTTP Header to be matched. Name matching MUST be
case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered
equivalent.
pattern:
^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength:
1
maxLength:
256
value
string required
Value is the value of HTTP Header to be matched.
minLength:
1
maxLength:
4096
remove
[]string
Remove the given header(s) from the HTTP request before the action. The
value of Remove is a list of HTTP header names. Note that the header
names are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
Input:
GET /foo HTTP/1.1
my-header1: foo
my-header2: bar
my-header3: baz
Config:
remove: ["my-header1", "my-header3"]
Output:
GET /foo HTTP/1.1
my-header2: bar
maxItems:
64
set []object
Set overwrites the request with the given header (name, value)
before the action.
Input:
GET /foo HTTP/1.1
my-header: foo
Config:
set:
- name: "my-header"
value: "bar"
Output:
GET /foo HTTP/1.1
my-header: bar
maxItems:
64
name
string required
Name is the name of the HTTP Header to be matched. Name matching MUST be
case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered
equivalent.
pattern:
^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength:
1
maxLength:
256
value
string required
Value is the value of HTTP Header to be matched.
minLength:
1
maxLength:
4096
enableEnvoyHeaders
boolean
EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
and responses.
lateResponseHeaders object
LateResponseHeaders defines settings for global response header modification.
add []object
Add adds the given header(s) (name, value) to the response
before it is returned to the client. It appends to any existing values
associated with the header name.
Input:
HTTP/1.1 200 OK
my-header: foo
Config:
add:
- name: "my-header"
value: "bar,baz"
Output:
HTTP/1.1 200 OK
my-header: foo,bar,baz
maxItems:
64
name
string required
Name is the name of the HTTP Header to be matched. Name matching MUST be
case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered
equivalent.
pattern:
^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength:
1
maxLength:
256
value
string required
Value is the value of HTTP Header to be matched.
minLength:
1
maxLength:
4096
remove
[]string
Remove the given header(s) from the HTTP response before it is returned
to the client. The value of Remove is a list of HTTP header names. Note
that the header names are case-insensitive (see
https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
Input:
HTTP/1.1 200 OK
my-header1: foo
my-header2: bar
my-header3: baz
Config:
remove: ["my-header1", "my-header3"]
Output:
HTTP/1.1 200 OK
my-header2: bar
maxItems:
64
set []object
Set overwrites the response with the given header (name, value)
before it is returned to the client.
Input:
HTTP/1.1 200 OK
my-header: foo
Config:
set:
- name: "my-header"
value: "bar"
Output:
HTTP/1.1 200 OK
my-header: bar
maxItems:
64
name
string required
Name is the name of the HTTP Header to be matched. Name matching MUST be
case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
If multiple entries specify equivalent header names, the first entry with
an equivalent name MUST be considered for a match. Subsequent entries
with an equivalent header name MUST be ignored. Due to the
case-insensitivity of header names, "foo" and "Foo" are considered
equivalent.
pattern:
^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength:
1
maxLength:
256
value
string required
Value is the value of HTTP Header to be matched.
minLength:
1
maxLength:
4096
preserveXRequestID
boolean
PreserveXRequestID configures Envoy to keep an X-Request-ID header supplied on an edge request
(a request from an external client to the front Envoy) instead of regenerating it, which is Envoy's default behaviour.
Defaults to false and cannot be combined with RequestID.
Deprecated: use RequestID=PreserveOrGenerate instead
requestID
string
RequestID configures Envoy's behavior for handling the `X-Request-ID` header.
When omitted, the default behavior is `Generate`, which builds a fresh `X-Request-ID` for every request
and ignores any pre-existing value from the edge.
(An "edge request" refers to a request from an external client to the Envoy entrypoint.)
Note that `Preserve` and `PreserveOrGenerate` trust a client-supplied value, so whatever the client sends
becomes the request ID that appears in access logs and traces.
enum:
PreserveOrGenerate, Preserve, Generate, Disable
withUnderscoresAction
string
WithUnderscoresAction configures the action to take when an HTTP header with underscores
is encountered. The default action is to reject the request.
enum:
Allow, RejectRequest, DropHeader
xForwardedClientCert object
XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.
x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate
information of part or all of the clients or proxies that a request has flowed through,
on its way from the client to the server.
Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.
If not set, the default behavior is sanitizing the XFCC header.
certDetailsToAdd
[]string
CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header.
Hash (the SHA-256 digest of the current client certificate) and By (the URI-type Subject Alternative Name
of the proxy's own certificate) are always included if the client certificate is forwarded.
This field is only applicable when the mode is set to `AppendForward` or
`SanitizeSet` and the client connection is mTLS.
maxItems:
5
mode
string
Mode defines how XFCC header is handled by Envoy Proxy.
If not set, the default mode is `Sanitize`.
enum:
Sanitize, ForwardOnly, AppendForward, SanitizeSet, AlwaysForwardOnly
healthCheck object
HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy.
path
string required
Path specifies the HTTP path to match on for health check requests.
minLength:
1
maxLength:
1024
http1 object
HTTP1 provides HTTP/1 configuration on the listener.
disableSafeMaxConnectionDuration
boolean
DisableSafeMaxConnectionDuration controls the close behavior for HTTP/1 connections.
By default, connection closure is delayed until the next request arrives after maxConnectionDuration is exceeded.
It then adds a Connection: close header and gracefully closes the connection after the response completes.
When set to true (disabled), Envoy uses its default drain behavior, closing the connection shortly after maxConnectionDuration elapses.
Has no effect unless maxConnectionDuration is set.
enableTrailers
boolean
EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy.
http10 object
HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests.
useDefaultHost
boolean
UseDefaultHost specifies whether a default Host header should be injected
into HTTP/1.0 requests that do not include one.
When set to true, Envoy Gateway injects the hostname associated with the
listener or route into the request, in the following order:
1. If the targeted listener has a non-wildcard hostname, use that hostname.
2. If there is exactly one HTTPRoute with a non-wildcard hostname under
the targeted listener, use that hostname.
Note: Setting this field to true without a non-wildcard hostname makes the
ClientTrafficPolicy invalid.
preserveHeaderCase
boolean
PreserveHeaderCase defines if Envoy should preserve the letter case of headers.
By default, Envoy will lowercase all the headers.
http2 object
HTTP2 provides HTTP/2 configuration on the listener.
initialConnectionWindowSize
string | integer
InitialConnectionWindowSize sets the initial window size for HTTP/2 connections.
If not set, the default value is 1 MiB.
initialStreamWindowSize
string | integer
InitialStreamWindowSize sets the initial window size for HTTP/2 streams.
If not set, the default value is 64 KiB(64*1024).
maxConcurrentStreams
integer
MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection.
If not set, the default value is 100.
format:
int32
minimum:
1
maximum:
2147483647
onInvalidMessage
string
OnInvalidMessage determines if Envoy will terminate the connection or just the offending stream in the event of HTTP messaging error
It's recommended for L2 Envoy deployments to set this value to TerminateStream.
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two
Default: TerminateConnection
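Added example, not from the Envoy Gateway project or its documentation: a policy that turns the connection, http1 and http2 fields above, together with the timeout and tcpKeepalive fields described further down this page, into one resource-exhaustion policy for a single listener. The Gateway name `eg`, the namespace `default` and the listener name `https` are assumptions, and the numeric values are starting points to tune against the listener's real traffic, not values the page prescribes.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: limit-client-resources
  namespace: default                  # assumed; must match the Gateway's namespace
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg                          # assumed Gateway name
    sectionName: https                # assumed listener name; omit to cover every listener
  connection:
    bufferLimit: 64Ki                 # user-space per-connection buffer (page default: 32768 bytes)
    socketBufferLimit: 256Ki          # kernel-space per-socket buffer
    # Accept at most one connection per socket event (the page default) so a
    # burst of new connections cannot starve in-flight requests; 0 removes the cap.
    maxAcceptPerSocketEvent: 1
    connectionLimit:
      value: 10000                    # concurrent downstream connections for this listener
      closeDelay: 5s                  # rejected connections are closed after this delay
      maxConnectionDuration: 1h       # drain/close every connection after an hour, busy or not
      maxRequestsPerConnection: 1000  # 1 would disable keep-alive entirely
      maxStreamDuration: 15m          # reset any stream older than this, regardless of other timeouts
  http1:
    # false keeps the safe close: after maxConnectionDuration the next request
    # gets "Connection: close" and the connection ends after that response.
    disableSafeMaxConnectionDuration: false
    enableTrailers: false
  http2:
    maxConcurrentStreams: 100         # page default; lower it on listeners exposed to untrusted networks
    initialStreamWindowSize: 64Ki     # page default
    initialConnectionWindowSize: 1Mi  # page default
    # At the edge keep the page default: one malformed message from a client
    # ends that client's connection. Switch to TerminateStream only when this
    # listener sits behind another proxy that multiplexes many clients onto
    # one connection, so that a single bad stream does not take them all down.
    onInvalidMessage: TerminateConnection
  timeout:
    http:
      requestReceivedTimeout: 10s     # bounds slow-header / slow-body uploads
      streamIdleTimeout: 1m           # page default is 5 minutes
      idleTimeout: 10m                # page default is 1 hour
    tcp:
      idleTimeout: 10m                # page default is 1 hour
  tcpKeepalive:
    idleTime: 600s                    # page default 7200s
    interval: 60s                     # page default 75s
    probes: 5                         # page default 9
```

Apply it with `kubectl apply -f` and check the policy's status conditions to confirm it attached to the listener; a policy that fails to attach leaves every limit at its default.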
http3
object
HTTP3 provides HTTP/3 configuration on the listener.
path object
Path enables managing how the incoming path set by clients can be normalized.
disableMergeSlashes
boolean
DisableMergeSlashes allows disabling the default configuration of merging adjacent
slashes in the path.
Note that slash merging is not part of the HTTP spec and is provided for convenience.
escapedSlashesAction
string
EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI
should be handled.
The default is UnescapeAndRedirect.
enum:
KeepUnchanged, RejectRequest, UnescapeAndForward, UnescapeAndRedirect
proxyProtocol object
ProxyProtocol configures the Proxy Protocol settings. When configured,
the Proxy Protocol header will be interpreted and the Client Address
will be added into the X-Forwarded-For header.
If both EnableProxyProtocol and ProxyProtocol are set, ProxyProtocol takes precedence.
optional
boolean
Optional allows requests without a Proxy Protocol header to be proxied.
If set to true, the listener will accept requests without a Proxy Protocol header.
If set to false, the listener will reject requests without a Proxy Protocol header.
If not set, the default behavior is to reject requests without a Proxy Protocol header.
Warning: Optional breaks conformance with the specification. Only enable if ALL traffic to the listener comes from a trusted source.
For more information on security implications, see haproxy.org/download/2.1/doc/proxy-protocol.txt
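Added example, not from the Envoy Gateway project or its documentation: three policies, one per deployment shape, showing how the clientIPDetection, proxyProtocol, headers and path fields above decide what the gateway will believe about the client. The Gateway `eg`, the namespace `default`, the listener names, the trusted CIDR ranges and the header names `x-internal-user` and `x-true-client-ip` are all assumptions; the X-Forwarded-For walk in the comments uses the addresses from the NumTrustedHops example on this page.

```yaml
# Scenario 1: an L7 proxy or CDN in front of the Gateway appends to
# X-Forwarded-For. Trust only its address ranges (assumed here) when
# deriving the client IP, and strip or normalise what else the client controls.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: trust-boundary-behind-l7-proxy
  namespace: default                  # assumed; must match the Gateway's namespace
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg                          # assumed Gateway name
    sectionName: https                # assumed listener name
  clientIPDetection:
    xForwardedFor:
      # XFF is only consulted when the TCP peer is inside a trusted CIDR.
      # Entries are then walked right to left and the first address outside
      # every trusted range is the client. With the page's header
      #   XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
      # the walk is: .1 trusted, .10 trusted, .128 not trusted -> client IP.
      # numTrustedHops: 2 on the same header would yield 203.0.113.10 instead;
      # the two settings are mutually exclusive, never set both.
      trustedCIDRs:
      - 10.0.0.0/8                    # assumed: the proxy tier's internal range
      - 203.0.113.0/28                # assumed: the proxy tier's egress range
  headers:
    earlyRequestHeaders:
      # Removed before routing and auth, so a client cannot pre-seed a header
      # the application treats as trusted (x-internal-user is hypothetical).
      remove:
      - x-internal-user
    requestID: Generate               # never log a client-chosen X-Request-ID
    withUnderscoresAction: RejectRequest   # the page default, stated explicitly
    enableEnvoyHeaders: false
  path:
    # Reject %2F / %5C instead of unescaping, so route matching and any
    # path-based authorization see the same path the backend receives.
    escapedSlashesAction: RejectRequest
    disableMergeSlashes: false
---
# Scenario 2: an L4 load balancer that speaks PROXY protocol. The client
# address comes from the PROXY header; a connection without one is closed.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: trust-boundary-behind-l4-lb
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
    sectionName: tcp-passthrough      # assumed listener name
  proxyProtocol:
    optional: false                   # true only if every peer of this listener is trusted
---
# Scenario 3: a trusted upstream proxy conveys the client IP in a dedicated
# header (name assumed). failClosed answers 403 when it is absent or
# unparseable instead of silently falling back to the peer address.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: trust-boundary-custom-header
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
    sectionName: internal             # assumed listener name
  clientIPDetection:
    customHeader:
      name: x-true-client-ip          # assumed header set by the upstream proxy
      failClosed: true
```

The three are separate resources because each listener sees a different peer: mixing PROXY protocol with trustedCIDRs on one listener is legal but confusing, since after the PROXY header is consumed the "remote address" is the client's address the load balancer conveyed, not the load balancer itself.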
targetRef object
TargetRef is the name of the resource this policy is being attached to.
This policy and the TargetRef MUST be in the same namespace for this
Policy to have effect
Deprecated: use targetRefs/targetSelectors instead
group
string required
Group is the group of the target resource.
pattern:
^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength:
253
kind
string required
Kind is kind of the target resource.
pattern:
^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength:
1
maxLength:
63
name
string required
Name is the name of the target resource.
minLength:
1
maxLength:
253
sectionName
string
SectionName is the name of a section within the target resource. When
unspecified, this targetRef targets the entire resource. In the following
resources, SectionName is interpreted as the following:
* Gateway: Listener name
* HTTPRoute: HTTPRouteRule name
* Service: Port name
If a SectionName is specified, but does not exist on the targeted object,
the Policy must fail to attach, and the policy implementation should record
a `ResolvedRefs` or similar Condition in the Policy's status.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
targetRefs []object
TargetRefs are the names of the Gateway resources this policy
is being attached to.
group
string required
Group is the group of the target resource.
pattern:
^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength:
253
kind
string required
Kind is kind of the target resource.
pattern:
^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength:
1
maxLength:
63
name
string required
Name is the name of the target resource.
minLength:
1
maxLength:
253
sectionName
string
SectionName is the name of a section within the target resource. When
unspecified, this targetRef targets the entire resource. In the following
resources, SectionName is interpreted as the following:
* Gateway: Listener name
* HTTPRoute: HTTPRouteRule name
* Service: Port name
If a SectionName is specified, but does not exist on the targeted object,
the Policy must fail to attach, and the policy implementation should record
a `ResolvedRefs` or similar Condition in the Policy's status.
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength:
1
maxLength:
253
targetSelectors []object
TargetSelectors allow targeting resources for this policy based on labels
group
string
Group is the group that this selector targets. Defaults to gateway.networking.k8s.io
pattern:
^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength:
253
kind
string required
Kind is the resource kind that this selector targets.
pattern:
^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength:
1
maxLength:
63
matchExpressions []object
MatchExpressions is a list of label selector requirements. The requirements are ANDed.
key
string required
key is the label key that the selector applies to.
operator
string required
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
values
[]string
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
matchLabels
object
MatchLabels are the set of label selectors for identifying the targeted resource
tcpKeepalive object
TcpKeepalive settings associated with the downstream client connection.
If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives.
Disabled by default.
idleTime
string
The duration a connection needs to be idle before keep-alive
probes start being sent.
The duration is written in the format given by the pattern below.
Defaults to `7200s`.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
interval
string
The duration between keep-alive probes.
Defaults to `75s`.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
probes
integer
The total number of unacknowledged probes to send before deciding
the connection is dead.
Defaults to 9.
format:
int32
timeout object
Timeout settings for the client connections.
http object
Timeout settings for HTTP.
idleTimeout
string
IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection.
Default: 1 hour.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
requestReceivedTimeout
string
RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request
initiation and stops when either the last byte of the request is sent upstream or when the response begins.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
streamIdleTimeout
string
The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity.
Default: 5 minutes.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
tcp object
Timeout settings for TCP.
idleTimeout
string
IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no
bytes sent or received on either the upstream or downstream connection.
Default: 1 hour.
pattern:
^([0-9]{1,5}(h|m|s|ms)){1,4}$
tls object
TLS settings configure TLS termination settings with the downstream client.
alpnProtocols
[]string
ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled.
Defaults to [h2, http/1.1] if not specified.
Typical Supported values are:
- http/1.0
- http/1.1
- h2
ciphers
[]string
Ciphers specifies the set of cipher suites supported when
negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
clientValidation object
ClientValidation specifies the configuration to validate the client
initiating the TLS connection to the Gateway listener.
caCertificateRefs []object
CACertificateRefs contains one or more references to
Kubernetes objects that contain TLS certificates of
the Certificate Authorities that can be used
as a trust anchor to validate the certificates presented by the client.
A single reference to a Kubernetes ConfigMap or a Kubernetes Secret,
with the CA certificate in a key named `ca.crt` is currently supported.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the certificate
to be attached.
maxItems:
8
group
string
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
pattern:
^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength:
253
kind
string
Kind is kind of the referent. For example "Secret".
pattern:
^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength:
1
maxLength:
63
name
string required
Name is the name of the referent.
minLength:
1
maxLength:
253
namespace
string
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength:
1
maxLength:
63
certificateHashes
[]string
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will
verify that the SHA-256 of the DER-encoded presented certificate matches
one of the specified values.
crl object
Crl specifies the crl configuration that can be used to validate the client initiating the TLS connection
onlyVerifyLeafCertificate
boolean
If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL.
Defaults to false, which will verify the entire certificate chain against the CRL.
refs []object required
Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret,
containing the certificate revocation list in PEM format
Expects the content in a key named `ca.crl`.
References to a resource in different namespace are invalid UNLESS there
is a ReferenceGrant in the target namespace that allows the crl
to be attached.
minItems:
1
maxItems:
8
group
string
Group is the group of the referent. For example, "gateway.networking.k8s.io".
When unspecified or empty string, core API group is inferred.
pattern:
^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength:
253
kind
string
Kind is kind of the referent. For example "Secret".
pattern:
^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength:
1
maxLength:
63
name
string required
Name is the name of the referent.
minLength:
1
maxLength:
253
namespace
string
Namespace is the namespace of the referenced object. When unspecified, the local
namespace is inferred.
Note that when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace to allow that
namespace's owner to accept the reference. See the ReferenceGrant
documentation for details.
Support: Core
pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength:
1
maxLength:
63
optional
boolean
Optional set to true accepts connections even when a client doesn't present a certificate.
Defaults to false, which rejects connections without a valid client certificate.
spkiHashes
[]string
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will
verify that the SHA-256 of the DER-encoded Subject Public Key Information
(SPKI) of the presented certificate matches one of the specified values.
subjectAltNames object
An optional list of Subject Alternative name matchers. If specified, Envoy
will verify that the Subject Alternative Name of the presented certificate
matches one of the specified matchers
dnsNames []object
DNS names matchers
type
string
Type specifies how to match against a string.
enum:
Exact, Prefix, Suffix, RegularExpression
value
string required
Value specifies the string value that the match must have.
minLength:
1
maxLength:
1024
emailAddresses []object
Email addresses matchers
type
string
Type specifies how to match against a string.
enum:
Exact, Prefix, Suffix, RegularExpression
value
string required
Value specifies the string value that the match must have.
minLength:
1
maxLength:
1024
ipAddresses []object
IP addresses matchers
type
string
Type specifies how to match against a string.
enum:
Exact, Prefix, Suffix, RegularExpression
value
string required
Value specifies the string value that the match must have.
minLength:
1
maxLength:
1024
otherNames []object
Other names matchers
oid
string required
OID Value
type
string
Type specifies how to match against a string.
enum:
Exact, Prefix, Suffix, RegularExpression
value
string required
Value specifies the string value that the match must have.
minLength:
1
maxLength:
1024
uris []object
URIs matchers
type
string
Type specifies how to match against a string.
enum:
Exact, Prefix, Suffix, RegularExpression
value
string required
Value specifies the string value that the match must have.
minLength:
1
maxLength:
1024
ecdhCurves
[]string
ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256
maxVersion
string
Max specifies the maximum TLS protocol version to allow.
The default is TLS 1.3 if this is not specified.
enum:
Auto, 1.0, 1.1, 1.2, 1.3
minVersion
string
Min specifies the minimum TLS protocol version to allow.
The default is TLS 1.2 if this is not specified.
enum:
Auto, 1.0, 1.1, 1.2, 1.3
session object
Session defines settings related to TLS session management.
resumption object
Resumption determines the proxy's supported TLS session resumption option.
By default, Envoy Gateway does not enable session resumption. Use sessionResumption to
enable stateful and stateless session resumption. Users should consider security impacts
of different resumption methods. Performance gains from resumption are diminished when
Envoy proxy is deployed with more than one replica.
stateful
object
Stateful defines setting for stateful (session-id based) session resumption
stateless
object
Stateless defines setting for stateless (session-ticket based) session resumption
signatureAlgorithms
[]string
SignatureAlgorithms specifies which signature algorithms the listener should
support.
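Added example, not from the Envoy Gateway project or its documentation: an mTLS listener policy combining the tls fields above (protocol bounds, cipher and curve pins, CA and CRL references, SAN matching) with the headers.xForwardedClientCert and headers.lateResponseHeaders fields described earlier on this page. The Gateway `eg`, the namespace `default`, the listener `https`, the ConfigMap names, the SPIFFE ID and the DNS suffix are assumptions; the certDetailsToAdd values `Subject` and `URI` come from the API's XFCCCertData enum, which this page does not enumerate.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: mtls-https
  namespace: default                  # assumed; must match the Gateway's namespace
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg                          # assumed Gateway name
    sectionName: https                # assumed listener name
  tls:
    minVersion: "1.2"                 # quoted: a bare 1.2 is a YAML float, not an enum value
    maxVersion: "1.3"
    # Pin the suite list explicitly (these are the page's FIPS-build defaults)
    # so a change of Envoy build cannot silently widen it. TLS 1.3 ignores this.
    ciphers:
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    ecdhCurves:
    - X25519
    - P-256
    alpnProtocols:
    - h2
    - http/1.1
    # No session block: resumption stays disabled, the page's default.
    clientValidation:
      optional: false                 # a connection without a valid client certificate is refused
      caCertificateRefs:
      - group: ""                     # core API group: Secret or ConfigMap
        kind: ConfigMap
        name: partner-ca              # assumed; CA bundle stored under the key ca.crt
      crl:
        onlyVerifyLeafCertificate: false   # check the whole chain against the CRL
        refs:
        - group: ""
          kind: ConfigMap
          name: partner-crl           # assumed; PEM CRL stored under the key ca.crl
      # Bind the listener to an identity, not merely to the issuing CA: the
      # presented certificate must carry one of these SANs.
      subjectAltNames:
        uris:
        - type: Exact
          value: spiffe://example.org/ns/partner/sa/batch-client   # assumed SPIFFE ID
        dnsNames:
        - type: Suffix
          value: .partner.example.org                              # assumed DNS suffix
      # For a handful of known clients, spkiHashes (base64 SHA-256 of the DER
      # SubjectPublicKeyInfo) or certificateHashes (hex SHA-256 of the DER
      # certificate) can additionally pin the key or the certificate itself.
  headers:
    xForwardedClientCert:
      # Discard any XFCC the client sent and set a fresh one from the validated
      # certificate; Hash and By are always included, Subject and URI are added.
      mode: SanitizeSet
      certDetailsToAdd:               # values from the API's XFCCCertData enum (not listed on this page)
      - Subject
      - URI
    lateResponseHeaders:
      set:
      - name: strict-transport-security
        value: "max-age=31536000; includeSubDomains"
```

`SanitizeSet` is the mode to use when the backend makes authorization decisions on the XFCC header: `AppendForward` keeps whatever XFCC the client sent in front of the proxy's own entry, and `Sanitize` (the default) removes the header entirely, which leaves the backend with no certificate identity at all.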
status object
Status defines the current status of ClientTrafficPolicy.
ancestors []object required
Ancestors is a list of ancestor resources (usually Gateways) that are
associated with the policy, and the status of the policy with respect to
each ancestor. When this policy attaches to a parent, the controller that
manages the parent and the ancestors MUST add an entry to this list when
the controller first sees the policy and SHOULD update the entry as
appropriate when the relevant ancestor is modified.
Note that choosing the relevant ancestor is left to the Policy designers;
an important part of Policy design is designing the right object level at
which to namespace this status.
Note also that implementations MUST ONLY populate ancestor status for
the Ancestor resources they are responsible for. Implementations MUST
use the ControllerName field to uniquely identify the entries in this list
that they are responsible for.
Note that to achieve this, the list of PolicyAncestorStatus structs
MUST be treated as a map with a composite key, made up of the AncestorRef
and ControllerName fields combined.
A maximum of 16 ancestors will be represented in this list. An empty list
means the Policy is not relevant for any ancestors.
If this slice is full, implementations MUST NOT add further entries.
Instead they MUST consider the policy unimplementable and signal that
on any related resources such as the ancestor that would be referenced
here. For example, if this list was full on BackendTLSPolicy, no
additional Gateways would be able to reference the Service targeted by
the BackendTLSPolicy.
maxItems:
16
ancestorRef object required
AncestorRef corresponds with a ParentRef in the spec that this
PolicyAncestorStatus struct describes the status of.
group
string
Group is the group of the referent.
When unspecified, "gateway.networking.k8s.io" is inferred.
To set the core API group (such as for a "Service" kind referent),
Group must be explicitly set to "" (empty string).
Support: Core
pattern:
^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength:
253
kind
string
Kind is kind of the referent.
There are two kinds of parent resources with "Core" support:
* Gateway (Gateway conformance profile)
* Service (Mesh conformance profile, ClusterIP Services only)
Support for other resources is Implementation-Specific.
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name
string required
Name is the name of the referent.
Support: Core
minLength: 1
maxLength: 253
namespace
string
Namespace is the namespace of the referent. When unspecified, this refers
to the local namespace of the Route.
Note that there are specific rules for ParentRefs which cross namespace
boundaries. Cross-namespace references are only valid if they are explicitly
allowed by something in the namespace they are referring to. For example:
Gateway has the AllowedRoutes field, and ReferenceGrant provides a
generic way to enable any other kind of cross-namespace reference.
<gateway:experimental:description>
ParentRefs from a Route to a Service in the same namespace are "producer"
routes, which apply default routing rules to inbound connections from
any namespace to the Service.
ParentRefs from a Route to a Service in a different namespace are
"consumer" routes, and these routing rules are only applied to outbound
connections originating from the same namespace as the Route, for which
the intended destination of the connections are a Service targeted as a
ParentRef of the Route.
</gateway:experimental:description>
Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port
integer
Port is the network port this Route targets. It can be interpreted
differently based on the type of parent resource.
When the parent resource is a Gateway, this targets all listeners
listening on the specified port that also support this kind of Route (and
select this Route). It's not recommended to set `Port` unless the
networking behaviors specified in a Route must apply to a specific port
as opposed to a listener(s) whose port(s) may be changed. When both Port
and SectionName are specified, the name and port of the selected listener
must match both specified values.
<gateway:experimental:description>
When the parent resource is a Service, this targets a specific port in the
Service spec. When both Port (experimental) and SectionName are specified,
the name and port of the selected port must match both specified values.
</gateway:experimental:description>
Implementations MAY choose to support other parent resources.
Implementations supporting other types of parent resources MUST clearly
document how/if Port is interpreted.
For the purpose of status, an attachment is considered successful as
long as the parent resource accepts it partially. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment
from the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route,
the Route MUST be considered detached from the Gateway.
Support: Extended
format: int32
minimum: 1
maximum: 65535
sectionName
string
SectionName is the name of a section within the target resource. In the
following resources, SectionName is interpreted as the following:
* Gateway: Listener name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
* Service: Port name. When both Port (experimental) and SectionName
are specified, the name and port of the selected listener must match
both specified values.
Implementations MAY choose to support attaching Routes to other resources.
If that is the case, they MUST clearly document how SectionName is
interpreted.
When unspecified (empty string), this will reference the entire resource.
For the purpose of status, an attachment is considered successful if at
least one section in the parent resource accepts it. For example, Gateway
listeners can restrict which Routes can attach to them by Route kind,
namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from
the referencing Route, the Route MUST be considered successfully
attached. If no Gateway listeners accept attachment from this Route, the
Route MUST be considered detached from the Gateway.
Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
conditions []object required
Conditions describes the status of the Policy with respect to the given Ancestor.
<gateway:util:excludeFromCRD>
Notes for implementors:
Conditions are a listType `map`, which means that they function like a
map with a key of the `type` field _in the k8s apiserver_.
This means that implementations must obey some rules when updating this
section.
* Implementations MUST perform a read-modify-write cycle on this field
before modifying it. That is, when modifying this field, implementations
must be confident they have fetched the most recent version of this field,
and ensure that changes they make are on that recent version.
* Implementations MUST NOT remove or reorder Conditions that they are not
directly responsible for. For example, if an implementation sees a Condition
with type `special.io/SomeField`, it MUST NOT remove, change or update that
Condition.
* Implementations MUST always _merge_ changes into Conditions of the same Type,
rather than creating more than one Condition of the same Type.
* Implementations MUST always update the `observedGeneration` field of the
Condition to the `metadata.generation` of the Gateway at the time of update creation.
* If the `observedGeneration` of a Condition is _greater than_ the value the
implementation knows about, then it MUST NOT perform the update on that Condition,
but must wait for a future reconciliation and status update. (The assumption is that
the implementation's copy of the object is stale and an update will be re-triggered
if relevant.)
</gateway:util:excludeFromCRD>
minItems: 1
maxItems: 8
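The ancestor-list rules above (entries keyed by AncestorRef plus ControllerName, at most 16 of them) and the condition rules (merge by type, never clobber a condition whose observedGeneration is newer than your own copy) are what a controller's status writer has to enforce on every reconcile. The Go helper below is an added example, not Envoy Gateway or Gateway API code; it uses constructed stand-in structs in place of the real gateway-api types and assumes the caller has just fetched a fresh copy of the status, i.e. it is the "modify" step of the read-modify-write cycle.

```go
package main

import "errors"

// Constructed stand-ins (not the real gateway-api structs) for the status types this page describes.
type AncestorRef struct{ Group, Kind, Namespace, Name string }
type Condition struct{ Type, Status, Reason string; ObservedGeneration int64 }
type PolicyAncestorStatus struct {
	AncestorRef    AncestorRef
	ControllerName string
	Conditions     []Condition
}

const maxAncestors = 16 // maxItems on ancestors
var ErrAncestorsFull = errors.New("ancestors list is full; policy is unimplementable")
// mergeCondition upserts cond by Type rather than appending a duplicate. A stored
// condition with a newer observedGeneration means this writer is stale: leave it
// untouched and let a later reconciliation retry. Other conditions are never moved.
func mergeCondition(conds []Condition, cond Condition) []Condition {
	for i, c := range conds {
		if c.Type != cond.Type {
			continue
		}
		if c.ObservedGeneration > cond.ObservedGeneration {
			return conds
		}
		conds[i] = cond
		return conds
	}
	return append(conds, cond)
}

// UpsertAncestorStatus treats ancestors as a map keyed by (AncestorRef, ControllerName):
// update the matching entry in place, else append while fewer than 16 exist, else fail.
func UpsertAncestorStatus(ancestors []PolicyAncestorStatus, entry PolicyAncestorStatus) ([]PolicyAncestorStatus, error) {
	for i := range ancestors {
		a := &ancestors[i]
		if a.AncestorRef == entry.AncestorRef && a.ControllerName == entry.ControllerName {
			for _, c := range entry.Conditions {
				a.Conditions = mergeCondition(a.Conditions, c)
			}
			return ancestors, nil
		}
	}
	if len(ancestors) >= maxAncestors {
		return ancestors, ErrAncestorsFull
	}
	return append(ancestors, entry), nil
}
```

When ErrAncestorsFull comes back, the controller should surface the failure on the ancestor it could not record rather than silently dropping the entry.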
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status
string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
controllerName
string required
ControllerName is a domain/path string that indicates the name of the
controller that wrote this status. This corresponds with the
controllerName field on GatewayClass.
Example: "example.net/gateway-controller".
The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are
valid Kubernetes names
(https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
Controllers MUST populate this field when writing status. Controllers should ensure that
entries to status populated with their ControllerName are cleaned up when they are no
longer necessary.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
minLength: 1
maxLength: 253