Kind: ClientTrafficPolicy
Group: gateway.envoyproxy.io
Version: v1alpha1

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: example
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object required
Spec defines the desired state of ClientTrafficPolicy.
clientIPDetection object
ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
customHeader object
CustomHeader provides configuration for determining the client IP address for a request based on a trusted custom HTTP header. This uses the custom_header original IP detection extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto for more details.
failClosed boolean
FailClosed is a switch used to control the flow of traffic when client IP detection fails. If set to true, the listener will respond with 403 Forbidden when the client IP address cannot be determined.
name string required
Name of the header containing the original downstream remote address, if present.
pattern: ^[A-Za-z0-9-]+$
minLength: 1
maxLength: 255
xForwardedFor object
XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
numTrustedHops integer
NumTrustedHops specifies how many trusted hops to count from the rightmost side of the X-Forwarded-For (XFF) header when determining the original client's IP address. If NumTrustedHops is set to N, the client IP is taken from the Nth address from the right end of the XFF header.
Example:
  XFF = "203.0.113.128, 203.0.113.10, 203.0.113.1"
  NumTrustedHops = 2 → Trusted client address = 203.0.113.10
Only one of NumTrustedHops or TrustedCIDRs should be configured.
format: int32
trustedCIDRs []string
TrustedCIDRs is a list of CIDR ranges to trust when evaluating the remote IP address to determine the original client's IP address. When the remote IP address matches a trusted CIDR and the x-forwarded-for header was sent, each entry in the x-forwarded-for header is evaluated from right to left and the first public non-trusted address is used as the original client address. If all addresses in x-forwarded-for are within the trusted list, the first (leftmost) entry is used. Only one of NumTrustedHops or TrustedCIDRs may be set.
minItems: 1
connection object
Connection includes client connection settings.
bufferLimit object
BufferLimit provides configuration for the maximum buffer size in bytes for each incoming connection. BufferLimit applies to the user-space streaming channel between processes (contrast SocketBufferLimit, which applies to the kernel socket buffer). For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes. Default: 32768 bytes.
connectionLimit object
ConnectionLimit defines limits related to connections.
closeDelay string
CloseDelay defines the delay to use before closing connections that are rejected once the limit value is reached. Default: none.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
maxConnectionDuration string
MaxConnectionDuration is the maximum amount of time a connection can remain established (usually via TCP/HTTP Keepalive packets) before being drained and/or closed. If not specified, there is no limit.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
maxRequestsPerConnection integer
MaxRequestsPerConnection defines the maximum number of requests allowed over a single connection. If not specified, there is no limit. Setting this parameter to 1 will effectively disable keep alive.
format: int32
maxStreamDuration string
MaxStreamDuration is the maximum amount of time to keep alive an http stream. When the limit is reached the stream will be reset independent of any other timeouts. If not specified, no value is set.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
value integer
Value of the maximum concurrent connections limit. When the limit is reached, incoming connections will be closed after the CloseDelay duration.
format: int64
minimum: 1
maxAcceptPerSocketEvent integer
MaxAcceptPerSocketEvent provides configuration for the maximum number of connections to accept from the kernel per socket event. If there are more than MaxAcceptPerSocketEvent connections pending accept, connections over this threshold will be accepted in later event loop iterations. Defaults to 1; setting it to 0 removes the limit so that all pending connections are accepted in the same event loop iteration.
format: int32
socketBufferLimit object
SocketBufferLimit provides configuration for the maximum buffer size in bytes for each incoming socket. SocketBufferLimit applies to socket streaming channel between TCP/IP stacks, it's in kernel space. For example, 20Mi, 1Gi, 256Ki etc. Note that when the suffix is not provided, the value is interpreted as bytes.
enableProxyProtocol boolean
EnableProxyProtocol interprets the Proxy Protocol header and adds the client address into the X-Forwarded-For header. Note that the Proxy Protocol header must be present when this field is set, else the connection is closed. Deprecated: Use ProxyProtocol instead.
headers object
HeaderSettings provides configuration for header management.
disableRateLimitHeaders boolean
DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit-" response headers when rate limiting is enabled.
earlyRequestHeaders object
EarlyRequestHeaders defines settings for early request header modification, before envoy performs routing, tracing and built-in header manipulation.
add []object
Add adds the given header(s) (name, value) to the request before the action. It appends to any existing values associated with the header name.
Input:
  GET /foo HTTP/1.1
  my-header: foo
Config:
  add:
  - name: "my-header"
    value: "bar,baz"
Output:
  GET /foo HTTP/1.1
  my-header: foo,bar,baz
minItems: 1
maxItems: 64
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
Value is the value of HTTP Header to be matched.
minLength: 1
maxLength: 4096
addIfAbsent []object
AddIfAbsent adds the given header(s) (name, value) to the request only if the header does not already exist. Unlike Add which appends to existing values, this is a no-op if the header is already present.
Input:
  GET /foo HTTP/1.1
  my-header: foo
Config:
  addIfAbsent:
  - name: "my-header"
    value: "bar"
Output:
  GET /foo HTTP/1.1
  my-header: foo
minItems: 1
maxItems: 64
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
Value is the value of HTTP Header to be matched.
minLength: 1
maxLength: 4096
remove []string
Remove the given header(s) from the HTTP request before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
Input:
  GET /foo HTTP/1.1
  my-header1: foo
  my-header2: bar
  my-header3: baz
Config:
  remove: ["my-header1", "my-header3"]
Output:
  GET /foo HTTP/1.1
  my-header2: bar
minItems: 1
maxItems: 64
removeOnMatch []object
RemoveOnMatch removes headers whose names match the specified string matchers. Matching is performed on the header name (case-insensitive).
minItems: 1
maxItems: 64
type string
Type specifies how to match against a string.
enum: Exact, Prefix, Suffix, RegularExpression
value string required
Value specifies the string value that the match must have.
minLength: 1
maxLength: 1024
set []object
Set overwrites the request with the given header (name, value) before the action.
Input:
  GET /foo HTTP/1.1
  my-header: foo
Config:
  set:
  - name: "my-header"
    value: "bar"
Output:
  GET /foo HTTP/1.1
  my-header: bar
minItems: 1
maxItems: 64
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
Value is the value of HTTP Header to be matched.
minLength: 1
maxLength: 4096
enableEnvoyHeaders boolean
EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests and responses.
lateResponseHeaders object
LateResponseHeaders defines settings for global response header modification.
add []object
Add adds the given header(s) (name, value) to the response before the action. It appends to any existing values associated with the header name.
Input:
  HTTP/1.1 200 OK
  my-header: foo
Config:
  add:
  - name: "my-header"
    value: "bar,baz"
Output:
  HTTP/1.1 200 OK
  my-header: foo,bar,baz
minItems: 1
maxItems: 64
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
Value is the value of HTTP Header to be matched.
minLength: 1
maxLength: 4096
addIfAbsent []object
AddIfAbsent adds the given header(s) (name, value) to the response only if the header does not already exist. Unlike Add which appends to existing values, this is a no-op if the header is already present.
Input:
  HTTP/1.1 200 OK
  my-header: foo
Config:
  addIfAbsent:
  - name: "my-header"
    value: "bar"
Output:
  HTTP/1.1 200 OK
  my-header: foo
minItems: 1
maxItems: 64
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
Value is the value of HTTP Header to be matched.
minLength: 1
maxLength: 4096
remove []string
Remove the given header(s) from the HTTP response before the action. The value of Remove is a list of HTTP header names. Note that the header names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
Input:
  HTTP/1.1 200 OK
  my-header1: foo
  my-header2: bar
  my-header3: baz
Config:
  remove: ["my-header1", "my-header3"]
Output:
  HTTP/1.1 200 OK
  my-header2: bar
minItems: 1
maxItems: 64
removeOnMatch []object
RemoveOnMatch removes headers whose names match the specified string matchers. Matching is performed on the header name (case-insensitive).
minItems: 1
maxItems: 64
type string
Type specifies how to match against a string.
enum: Exact, Prefix, Suffix, RegularExpression
value string required
Value specifies the string value that the match must have.
minLength: 1
maxLength: 1024
set []object
Set overwrites the response with the given header (name, value) before the action.
Input:
  HTTP/1.1 200 OK
  my-header: foo
Config:
  set:
  - name: "my-header"
    value: "bar"
Output:
  HTTP/1.1 200 OK
  my-header: bar
minItems: 1
maxItems: 64
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent.
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
Value is the value of HTTP Header to be matched.
minLength: 1
maxLength: 4096
preserveXRequestID boolean
PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge (Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour. Defaults to false and cannot be combined with RequestID. Deprecated: use RequestID=PreserveOrGenerate instead
requestID string
RequestID configures Envoy's behavior for handling the `X-Request-ID` header. When omitted default behavior is `Generate` which builds the `X-Request-ID` for every request and ignores pre-existing values from the edge. (An "edge request" refers to a request from an external client to the Envoy entrypoint.)
enum: PreserveOrGenerate, Preserve, Generate, Disable
withUnderscoresAction string
WithUnderscoresAction configures the action to take when an HTTP header with underscores is encountered. The default action is to reject the request.
enum: Allow, RejectRequest, DropHeader
xForwardedClientCert object
XForwardedClientCert configures how Envoy Proxy handles the x-forwarded-client-cert (XFCC) HTTP header. x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate information of part or all of the clients or proxies that a request has flowed through, on its way from the client to the server. Envoy Proxy may choose to sanitize, append to, or forward the XFCC header before proxying the request. If not set, the default behavior is to sanitize the XFCC header.
certDetailsToAdd []string
CertDetailsToAdd specifies the fields in the client certificate to be forwarded in the XFCC header. Hash (the SHA-256 digest of the current client certificate) and By (the Subject Alternative Name) are always included if the client certificate is forwarded. This field is only applicable when the mode is set to `AppendForward` or `SanitizeSet` and the client connection is mTLS.
maxItems: 5
mode string
Mode defines how XFCC header is handled by Envoy Proxy. If not set, the default mode is `Sanitize`.
enum: Sanitize, ForwardOnly, AppendForward, SanitizeSet, AlwaysForwardOnly
healthCheck object
HealthCheck provides configuration for determining whether the HTTP/HTTPS listener is healthy.
path string required
Path specifies the HTTP path to match on for health check requests.
minLength: 1
maxLength: 1024
http1 object
HTTP1 provides HTTP/1 configuration on the listener.
disableSafeMaxConnectionDuration boolean
DisableSafeMaxConnectionDuration controls the close behavior for HTTP/1 connections. By default, connection closure is delayed until the next request arrives after maxConnectionDuration is exceeded. It then adds a Connection: close header and gracefully closes the connection after the response completes. When set to true (disabled), Envoy uses its default drain behavior, closing the connection shortly after maxConnectionDuration elapses. Has no effect unless maxConnectionDuration is set.
enableTrailers boolean
EnableTrailers defines if HTTP/1 trailers should be proxied by Envoy.
http10 object
HTTP10 turns on support for HTTP/1.0 and HTTP/0.9 requests.
useDefaultHost boolean
UseDefaultHost specifies whether a default Host header should be injected into HTTP/1.0 requests that do not include one. When set to true, Envoy Gateway injects the hostname associated with the listener or route into the request, in the following order:
1. If the targeted listener has a non-wildcard hostname, use that hostname.
2. If there is exactly one HTTPRoute with a non-wildcard hostname under the targeted listener, use that hostname.
Note: Setting this field to true without a non-wildcard hostname makes the ClientTrafficPolicy invalid.
preserveHeaderCase boolean
PreserveHeaderCase defines if Envoy should preserve the letter case of headers. By default, Envoy will lowercase all the headers.
http2 object
HTTP2 provides HTTP/2 configuration on the listener.
initialConnectionWindowSize object
InitialConnectionWindowSize sets the initial window size for HTTP/2 connections. If not set, the default value is 1 MiB.
initialStreamWindowSize object
InitialStreamWindowSize sets the initial window size for HTTP/2 streams. If not set, the default value is 64 KiB(64*1024).
maxConcurrentStreams integer
MaxConcurrentStreams sets the maximum number of concurrent streams allowed per connection. If not set, the default value is 100.
format: int32
minimum: 1
maximum: 2147483647
onInvalidMessage string
OnInvalidMessage determines whether Envoy terminates the whole connection or only the offending stream in the event of an HTTP messaging error. It is recommended that level-two (L2) Envoy deployments set this value to TerminateStream; see https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/level_two. Default: TerminateConnection.
http3 object
HTTP3 provides HTTP/3 configuration on the listener.
path object
Path enables managing how the incoming path set by clients can be normalized.
disableMergeSlashes boolean
DisableMergeSlashes allows disabling the default configuration of merging adjacent slashes in the path. Note that slash merging is not part of the HTTP spec and is provided for convenience.
escapedSlashesAction string
EscapedSlashesAction determines how %2f, %2F, %5c, or %5C sequences in the path URI should be handled. The default is UnescapeAndRedirect.
enum: KeepUnchanged, RejectRequest, UnescapeAndForward, UnescapeAndRedirect
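The header and path settings above combine naturally into one listener-wide request-hygiene policy: strip client-supplied headers that downstream components might trust before routing happens, reject ambiguous encodings, and add response hardening headers on the way out. The manifest below is an added example written for this page, not a resource shipped by the Envoy Gateway project. The Gateway name `eg`, the namespace `default`, the header name `x-user-id`, the `x-internal-` prefix and the response header values are assumptions chosen for illustration.

```yaml
# Added example (not project code). Assumed: Gateway "eg" in namespace
# "default"; "x-user-id" is a header only an auth filter should set; the
# "x-internal-" prefix is reserved for gateway-to-backend headers.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: request-hygiene
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg                      # no sectionName: applies to every listener
  headers:
    # Rejecting underscored header names is the default; stating it explicitly
    # keeps a later edit from silently relaxing it to Allow.
    withUnderscoresAction: RejectRequest
    # Mint a fresh X-Request-ID at the edge and ignore any client-supplied value.
    requestID: Generate
    # Do not emit X-Envoy-* headers towards clients or backends.
    enableEnvoyHeaders: false
    # Early request headers are applied before Envoy performs routing and its
    # built-in header manipulation, so a client cannot pre-seed a header that
    # a later filter or the backend treats as trusted.
    earlyRequestHeaders:
      remove:
        - x-user-id                 # assumed trust header; only the auth filter may add it
      removeOnMatch:
        - type: Prefix
          value: x-internal-        # assumed reserved prefix
    # Late response headers are applied globally to every response.
    lateResponseHeaders:
      set:
        - name: Strict-Transport-Security
          value: "max-age=31536000; includeSubDomains"
        - name: X-Content-Type-Options
          value: nosniff
      remove:
        - X-Powered-By              # backend fingerprint, never useful to clients
    # Default mode, stated explicitly: discard any inbound XFCC header.
    xForwardedClientCert:
      mode: Sanitize
  path:
    # Refuse %2F/%5C in the path instead of decoding them, so the path the
    # backend sees cannot differ from the path Envoy matched routes on.
    escapedSlashesAction: RejectRequest
    disableMergeSlashes: false      # keep adjacent-slash merging (the default)
```

The ordering matters: `earlyRequestHeaders` removals run before routing, so a route match or an authorization decision cannot be influenced by a header the client planted. `RejectRequest` for escaped slashes is the strictest option; `UnescapeAndRedirect` (the default) is the safer choice when legitimate clients are known to send encoded slashes.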
proxyProtocol object
ProxyProtocol configures the Proxy Protocol settings. When configured, the Proxy Protocol header will be interpreted and the Client Address will be added into the X-Forwarded-For header. If both EnableProxyProtocol and ProxyProtocol are set, ProxyProtocol takes precedence.
optional boolean
Optional allows requests without a Proxy Protocol header to be proxied. If set to true, the listener will accept requests without a Proxy Protocol header. If set to false, the listener will reject requests without a Proxy Protocol header. If not set, the default behavior is to reject requests without a Proxy Protocol header. Warning: Optional breaks conformance with the specification. Only enable if ALL traffic to the listener comes from a trusted source. For more information on security implications, see haproxy.org/download/2.1/doc/proxy-protocol.txt
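The clientIPDetection settings above and the proxyProtocol setting just described are the three ways this API lets a listener learn the real client address from a trusted upstream hop rather than from whatever the client writes. The manifests below are an added example for this page, not resources from the Envoy Gateway project. The Gateway name `eg`, the listener names `https`, `tcp-lb` and `cdn`, the `10.0.0.0/8` load-balancer range and the `X-Real-Client-IP` header name are assumptions.

```yaml
# Added example (not project code). Three listeners of the assumed Gateway
# "eg", each trusting a different source for the client address.
# Listener names, the 10.0.0.0/8 range and the header name are assumptions.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: client-ip-behind-l7-lb
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      sectionName: https            # listener fronted by an HTTP-aware load balancer
  clientIPDetection:
    xForwardedFor:
      # XFF is walked right to left; the first address outside the trusted
      # list wins. Entries further left were written by the client and ignored.
      trustedCIDRs:
        - 10.0.0.0/8
      # Alternative when the number of proxies is fixed (mutually exclusive
      # with trustedCIDRs). With XFF "203.0.113.128, 203.0.113.10, 203.0.113.1":
      #   numTrustedHops: 1   -> client address 203.0.113.1
      #   numTrustedHops: 2   -> client address 203.0.113.10
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: client-ip-behind-l4-lb
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      sectionName: tcp-lb           # listener fronted by a TCP load balancer
  # A TCP balancer cannot append to XFF; it prepends a PROXY protocol header.
  # optional: false (the default) closes connections without that header, so
  # a client that reaches the listener directly cannot supply its own address.
  proxyProtocol:
    optional: false
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: client-ip-from-cdn-header
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      sectionName: cdn              # listener reachable only from the CDN edge
  clientIPDetection:
    customHeader:
      name: X-Real-Client-IP        # assumed header set by the CDN
      # Without the header, answer 403 rather than attribute the request
      # to the wrong address.
      failClosed: true
```

The custom-header variant is only as trustworthy as the network path: anyone who can reach the `cdn` listener without going through the CDN can set `X-Real-Client-IP` freely, so that listener must be reachable from the CDN address range alone. Likewise `trustedCIDRs` should list the load balancer's egress range and nothing wider; a range that includes client-reachable hosts turns the header back into client-controlled input.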
scheme string
Scheme configures how the :scheme pseudo-header is set for requests forwarded to backends.
- Preserve (default): Preserves the :scheme from the original client request. Use this when backends need to know the original client scheme for URL generation or redirects.
- MatchBackend: Sets the :scheme to match the backend transport protocol. If the backend uses TLS, the scheme is "https", otherwise "http". Use this when backends require the scheme to match the actual transport protocol, such as strictly HTTPS services that validate the :scheme header.
enum: Preserve, MatchBackend
targetRef object
TargetRef is the name of the resource this policy is being attached to. This policy and the TargetRef MUST be in the same namespace for this Policy to have effect. Deprecated: use targetRefs/targetSelectors instead.
group string required
Group is the group of the target resource.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string required
Kind is kind of the target resource.
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the target resource.
minLength: 1
maxLength: 253
sectionName string
SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following:
* Gateway: Listener name
* HTTPRoute: HTTPRouteRule name
* Service: Port name
If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
targetRefs []object
TargetRefs are the names of the Gateway resources this policy is being attached to.
group string required
Group is the group of the target resource.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string required
Kind is kind of the target resource.
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the target resource.
minLength: 1
maxLength: 253
sectionName string
SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following:
* Gateway: Listener name
* HTTPRoute: HTTPRouteRule name
* Service: Port name
If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
targetSelectors []object
TargetSelectors allow targeting resources for this policy based on labels
group string
Group is the group that this selector targets. Defaults to gateway.networking.k8s.io
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string required
Kind is the resource kind that this selector targets.
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
matchExpressions []object
MatchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
MatchLabels are the set of label selectors for identifying the targeted resource
tcpKeepalive object
TcpKeepalive settings associated with the downstream client connection. If defined, sets SO_KEEPALIVE on the listener socket to enable TCP Keepalives. Disabled by default.
idleTime string
The duration a connection needs to be idle before keep-alive probes start being sent. Defaults to `7200s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
interval string
The duration between keep-alive probes. Defaults to `75s`.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
probes integer
The total number of unacknowledged probes to send before deciding the connection is dead. Defaults to 9.
format: int32
timeout object
Timeout settings for the client connections.
http object
Timeout settings for HTTP.
idleTimeout string
IdleTimeout for an HTTP connection. Idle time is defined as a period in which there are no active requests in the connection. Default: 1 hour.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
requestReceivedTimeout string
RequestReceivedTimeout is the duration envoy waits for the complete request reception. This timer starts upon request initiation and stops when either the last byte of the request is sent upstream or when the response begins.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
streamIdleTimeout string
The stream idle timeout defines the amount of time a stream can exist without any upstream or downstream activity. Default: 5 minutes.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
tcp object
Timeout settings for TCP.
idleTimeout string
IdleTimeout for a TCP connection. Idle time is defined as a period in which there are no bytes sent or received on either the upstream or downstream connection. Default: 1 hour.
pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$
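The connection, http2, tcpKeepalive and timeout sections above are the knobs that bound how much memory and how many sockets a single misbehaving client can hold. The manifest below is an added example for this page, not a resource from the Envoy Gateway project; it draws the fields together into one policy tuned against slow-client and connection-exhaustion abuse. The Gateway name `eg`, the listener name `https` and every numeric value are assumptions to be sized from observed traffic.

```yaml
# Added example (not project code). Resource limits for the assumed listener
# "https" of Gateway "eg"; all values are starting points, not recommendations.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: edge-resource-limits
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      sectionName: https
  connection:
    bufferLimit: 64Ki               # user-space buffer per connection (default 32768 bytes)
    socketBufferLimit: 256Ki        # kernel socket buffer per connection
    maxAcceptPerSocketEvent: 1      # default; accept one connection per socket event
    connectionLimit:
      value: 10000                  # concurrent connections for this listener
      closeDelay: 5s                # excess connections are held this long, then closed
      maxRequestsPerConnection: 1000
      maxConnectionDuration: 1h     # recycle long-lived keep-alive connections
      maxStreamDuration: 5m         # reset any stream older than this, whatever else is idle
  http2:
    maxConcurrentStreams: 100       # default; bounds per-connection stream fan-out
    initialStreamWindowSize: 64Ki   # default
    initialConnectionWindowSize: 1Mi  # default
    onInvalidMessage: TerminateConnection  # default; drop the connection on protocol errors
  tcpKeepalive:
    idleTime: 600s                  # default 7200s
    interval: 30s                   # default 75s
    probes: 5                       # default 9
  timeout:
    http:
      requestReceivedTimeout: 30s   # the whole request must arrive within 30s (slowloris)
      streamIdleTimeout: 1m         # default 5 minutes
      idleTimeout: 5m               # default 1 hour
    tcp:
      idleTimeout: 10m              # default 1 hour
```

`requestReceivedTimeout` is the direct counter to a client that trickles a request body one byte at a time; `streamIdleTimeout` and `maxStreamDuration` also cut long-polling and server-sent-event streams, so raise them on listeners that serve such traffic rather than leaving them at the tight values used here. The `tcpKeepalive` block only matters for connections that go fully silent; it lets the listener reclaim sockets whose peer disappeared without a FIN.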
tls object
TLS settings configure TLS termination settings with the downstream client.
alpnProtocols []string
ALPNProtocols supplies the list of ALPN protocols that should be exposed by the listener or used by the proxy to connect to the backend.
Defaults:
1. HTTPS Routes: h2 and http/1.1 are enabled in listener context.
2. Other Routes: ALPN is disabled.
3. Backends: proxy uses the appropriate ALPN options for the backend protocol.
When an empty list is provided, the ALPN TLS extension is disabled. Defaults to [h2, http/1.1] if not specified.
Typical supported values are:
- http/1.0
- http/1.1
- h2
ciphers []string
Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is:
- [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
clientValidation object
ClientValidation specifies the configuration to validate the client initiating the TLS connection to the Gateway listener.
caCertificateRefs []object
CACertificateRefs contains one or more references to Kubernetes objects that contain TLS certificates of the Certificate Authorities that can be used as a trust anchor to validate the certificates presented by the client. A single reference to a Kubernetes ConfigMap or a Kubernetes Secret, with the CA certificate in a key named `ca.crt` is currently supported. References to a resource in different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached.
maxItems: 8
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is kind of the referent. For example "Secret".
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
certificateHashes []string
An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
crl object
Crl specifies the CRL configuration that can be used to validate the client initiating the TLS connection.
onlyVerifyLeafCertificate boolean
If this option is set to true, Envoy will only verify the certificate at the end of the certificate chain against the CRL. Defaults to false, which will verify the entire certificate chain against the CRL.
refs []object required
Refs contains one or more references to a Kubernetes ConfigMap or a Kubernetes Secret containing the certificate revocation list in PEM format. Expects the content in a key named `ca.crl`. References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the CRL to be attached.
minItems: 1
maxItems: 8
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is kind of the referent. For example "Secret".
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
optional boolean
Optional set to true accepts connections even when a client doesn't present a certificate. Defaults to false, which rejects connections without a valid client certificate.
spkiHashes []string
An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
subjectAltNames object
An optional list of Subject Alternative Name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers.
dnsNames []object
DNS names matchers
type string
Type specifies how to match against a string.
enum: Exact, Prefix, Suffix, RegularExpression
value string required
Value specifies the string value that the match must have.
minLength: 1
maxLength: 1024
emailAddresses []object
Email addresses matchers
type string
Type specifies how to match against a string.
enum: Exact, Prefix, Suffix, RegularExpression
value string required
Value specifies the string value that the match must have.
minLength: 1
maxLength: 1024
ipAddresses []object
IP addresses matchers
type string
Type specifies how to match against a string.
enum: Exact, Prefix, Suffix, RegularExpression
value string required
Value specifies the string value that the match must have.
minLength: 1
maxLength: 1024
otherNames []object
Other names matchers
oid string required
OID Value
type string
Type specifies how to match against a string.
enum: Exact, Prefix, Suffix, RegularExpression
value string required
Value specifies the string value that the match must have.
minLength: 1
maxLength: 1024
uris []object
URIs matchers
type string
Type specifies how to match against a string.
enum: Exact, Prefix, Suffix, RegularExpression
value string required
Value specifies the string value that the match must have.
minLength: 1
maxLength: 1024
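The `optional` flag and the `subjectAltNames` matchers above are easy to misconfigure. The following model, added here and not Envoy Gateway or Envoy code, shows how the four matcher types and the any-match rule behave, what `optional: true` lets through, and why a `Suffix` value for dnsNames should start with a dot. `validate_client`, `san_matches`, `STRICT_POLICY` and `WEAK_POLICY` are this example's own names; the policies are dict forms of the CRD fields and the presented SANs are constructed. Regular expressions are modelled as a full match, as Envoy's RE2 matcher does; Envoy's additional handling of wildcard DNS names in certificates is not modelled.

```python
"""Model of subjectAltNames matching and the `optional` flag in
spec.tls.clientValidation. Added example, not Envoy Gateway/Envoy code.
Chain/CA verification is assumed to have passed; only the SAN and
`optional` decisions are modelled. Regex = full match (RE2 semantics).
"""
import re

SAN_KINDS = ("dnsNames", "emailAddresses", "ipAddresses", "uris", "otherNames")

def match_string(matcher: dict, value: str) -> bool:
    """One CRD matcher ({type, value}) against one SAN string."""
    kind, want = matcher["type"], matcher["value"]
    if kind == "Exact":
        return value == want
    if kind == "Prefix":
        return value.startswith(want)
    if kind == "Suffix":
        return value.endswith(want)
    if kind == "RegularExpression":
        return re.fullmatch(want, value) is not None
    raise ValueError(f"unknown matcher type {kind!r}")

def san_matches(policy_sans: dict, presented: dict) -> bool:
    """True if any presented SAN matches any configured matcher of its kind.
    presented: {"dnsNames": [str, ...], ..., "otherNames": [{"oid", "value"}, ...]}"""
    for kind in SAN_KINDS:
        matchers = policy_sans.get(kind, [])
        for san in presented.get(kind, []):
            for m in matchers:
                if kind == "otherNames":
                    if m.get("oid") != san.get("oid"):  # OID must agree too
                        continue
                    text = san["value"]
                else:
                    text = san
                if match_string(m, text):
                    return True
    return False

def validate_client(policy: dict, presented_sans) -> tuple:
    """Decision for one handshake; presented_sans is None when no cert was sent.
    Returns (accepted, reason)."""
    if presented_sans is None:
        if policy.get("optional", False):
            return True, "no client certificate; allowed by optional=true (client is anonymous)"
        return False, "no client certificate"
    sans = policy.get("subjectAltNames")
    if not sans:
        return True, "no subjectAltNames configured; any CA-signed client accepted"
    if san_matches(sans, presented_sans):
        return True, "SAN matched a configured matcher"
    return False, "no SAN matched"

# Constructed policies in dict form of the CRD fields. WEAK_POLICY shows the
# suffix pitfall: "internal.example.com" also matches "evil-internal.example.com",
# and optional=true admits clients that send no certificate at all.
STRICT_POLICY = {
    "optional": False,
    "subjectAltNames": {
        "dnsNames": [{"type": "Suffix", "value": ".internal.example.com"}],
        "uris": [{"type": "RegularExpression",
                  "value": r"spiffe://example\.com/ns/prod/sa/[a-z0-9-]+"}],
    },
}
WEAK_POLICY = {
    "optional": True,
    "subjectAltNames": {
        "dnsNames": [{"type": "Suffix", "value": "internal.example.com"}],
    },
}

if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        for sans in ({"dnsNames": ["api.internal.example.com"]},
                     {"dnsNames": ["evil-internal.example.com"]}, None):
            print(label, sans, validate_client(policy, sans))
```

When `optional` is true, a connection without a certificate is accepted but carries no client identity, so anything downstream that relies on the certificate (authorization, audit) must treat such requests as anonymous rather than assume a SAN is present.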
ecdhCurves []string
ECDHCurves specifies the set of supported ECDH curves. In non-FIPS Envoy Proxy builds the default curves are X25519 and P-256. In builds using BoringSSL FIPS the default curve is P-256.
maxVersion string
Max specifies the maximal TLS protocol version to allow. The default is TLS 1.3 if this is not specified.
enum: Auto, 1.0, 1.1, 1.2, 1.3
minVersion string
Min specifies the minimal TLS protocol version to allow. The default is TLS 1.2 if this is not specified.
enum: Auto, 1.0, 1.1, 1.2, 1.3
session object
Session defines settings related to TLS session management.
resumption object
Resumption determines the proxy's supported TLS session resumption option. By default, Envoy Gateway does not enable session resumption. Configure this field (session.resumption) to enable stateful and stateless session resumption. Users should consider the security impacts of the different resumption methods. Performance gains from resumption are diminished when Envoy proxy is deployed with more than one replica.
stateful object
Stateful defines settings for stateful (session-ID based) session resumption.
stateless object
Stateless defines settings for stateless (session-ticket based) session resumption.
signatureAlgorithms []string
SignatureAlgorithms specifies which signature algorithms the listener should support.
status object
Status defines the current status of ClientTrafficPolicy.
ancestors []object required
Ancestors is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy.
maxItems: 16
ancestorRef object required
AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of.
group string
Group is the group of the referent. When unspecified, "gateway.networking.k8s.io" is inferred. To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). Support: Core
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is kind of the referent. There are two kinds of parent resources with "Core" support: * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) Support for other resources is Implementation-Specific.
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent. Support: Core
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. (Experimental) ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route (and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. (Experimental) When the parent resource is a Service, this targets a specific port in the Service spec. When both Port and SectionName are specified, the name and port of the selected port must match both specified values. Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Extended
format: int32
minimum: 1
maximum: 65535
sectionName string
SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
conditions []object required
Conditions describes the status of the Policy with respect to the given Ancestor. Notes for implementors: Conditions are a listType `map`, which means that they function like a map with a key of the `type` field _in the k8s apiserver_. This means that implementations must obey some rules when updating this section.
* Implementations MUST perform a read-modify-write cycle on this field before modifying it. That is, when modifying this field, implementations must be confident they have fetched the most recent version of this field, and ensure that changes they make are on that recent version.
* Implementations MUST NOT remove or reorder Conditions that they are not directly responsible for. For example, if an implementation sees a Condition with type `special.io/SomeField`, it MUST NOT remove, change or update that Condition.
* Implementations MUST always _merge_ changes into Conditions of the same Type, rather than creating more than one Condition of the same Type.
* Implementations MUST always update the `observedGeneration` field of the Condition to the `metadata.generation` of the Gateway at the time of update creation.
* If the `observedGeneration` of a Condition is _greater than_ the value the implementation knows about, then it MUST NOT perform the update on that Condition, but must wait for a future reconciliation and status update. (The assumption is that the implementation's copy of the object is stale and an update will be re-triggered if relevant.)
minItems: 1
maxItems: 8
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316
controllerName string required
ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: "example.net/gateway-controller". The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$
minLength: 1
maxLength: 253