BackendTLSPolicy
gateway.networking.k8s.io/v1
Gateway API Versionv1.6.0
BackendTLSPolicy provides a way to configure how a Gateway connects to a Backend via TLS.
---
config:
theme: base
themeVariables:
secondaryColor: '#ffffff'
---
block
columns 7
classDef al_ref_box fill:#F2F2F2,stroke:#555;
classDef al_mgw_box fill:#70991F,stroke:#555;
classDef al_gwapi_box fill:#326CE5,stroke:#555;
classDef al_std_box fill:#808B8F,stroke:#555;
classDef al_self_box fill:#326CE5,stroke:#777,stroke-width:5px;
space:2
block:Targets:3
columns 3
Service["<a href='https://kubernetes.io/docs/concepts/services-networking/service/'> Service </a>"]
space:2
class Service al_std_box
end
class Targets al_ref_box
space:2
space:7
space:3
BackendTLSPolicy["<a href='../../../gateway-api/backend-tls-policy/v1'> <b>BackendTLSPolicy</b> </a>"]
class BackendTLSPolicy al_self_box
space:3
BackendTLSPolicy -- "<i>attaches to</i>" --> Targets
BackendTLSPolicy
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | ||
| spec | defines the desired state of BackendTLSPolicy. | object | yes | ||
| status | defines the current state of BackendTLSPolicy. | object | no |
BackendTLSPolicy.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| options |
Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites.
Supported options:
|
map[string]string | no | ||
| targetRefs |
TargetRefs identifies an API object to apply the policy to.
Accepted Condition is set to status: False, with Reason Conflicted. Implementations SHOULD NOT support more than one targetRef at this time. Although the API technically allows for this, the current guidance for conflict resolution and status handling is lacking. Until that can be clarified in a future release, the safest approach is to support a single targetRef. Support Levels:
They SHOULD clearly document how BackendTLSPolicy is interpreted in these scenarios, including:
Supported kinds: Service |
object[] | yes | ||
| validation | contains backend TLS validation configuration. | object | yes |
BackendTLSPolicy.spec.targetRefs[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group | Group is the group of the target resource.
Supported groups: |
string | yes | ||
| kind | Kind is kind of the target resource. Supported kinds: Service |
string | yes | ||
| name | is the name of the target resource. | string | yes | ||
| sectionName | is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a ResolvedRefs or similar Condition in the Policy’s status. |
string | no |
BackendTLSPolicy.spec.validation
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| caCertificateRefs |
CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.
In all cases, the implementation MUST ensure the ResolvedRefs Condition on the BackendTLSPolicy is set to status: False, with a Reason and Message that indicate the cause of the error. Connections using an invalid CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error response. If ALL CACertificateRefs are invalid, the implementation MUST also ensure the Accepted Condition on the BackendTLSPolicy is set to status: False, with a Reason NoValidCACertificate. A single CACertificateRef to a Kubernetes ConfigMap kind has “Core” support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific. Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named ca.crt. Support: Implementation-specific - More than one reference, other kinds of resources, or a single reference that includes multiple certificates. |
object[] | no | ||
| hostname | is used for two purposes in the connection between Gateways and backends:
|
string | yes | ||
| subjectAltNames | contains one or more Subject Alternative Names. When specified the certificate served from the backend MUST have at least one Subject Alternate Name matching one of the specified SubjectAltNames. |
object[] | no | ||
| wellKnownCACertificates |
WellKnownCACertificates specifies whether a well-known set of CA certificates may be used in the TLS handshake between the gateway and backend pod.
mycompany.com/my-custom-ca-certificates.
Supported values:
|
string | no |
BackendTLSPolicy.spec.validation.caCertificateRefs[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group |
Group is the group of the referent. For example, “gateway.networking.k8s.io”.
Supported groups: |
string | yes | ||
| kind | Kind is kind of the referent. For example “HTTPRoute” or “Service”. |
string | yes | ||
| name | is the name of the referent. | string | yes |
BackendTLSPolicy.spec.validation.subjectAltNames[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| hostname | contains Subject Alternative Name specified in DNS name format. Required when Type is set to Hostname, ignored otherwise. |
string | no | ||
| type | determines the format of the Subject Alternative Name. Always required. | enum | yes | Hostname, URI |
|
| uri | contains Subject Alternative Name specified in a full URI format. It MUST include both a scheme (e.g., “http” or “ftp”) and a scheme-specific-part. Common values include SPIFFE IDs like “spiffe://mycluster.example.com/ns/myns/sa/svc1sa”. Required when Type is set to URI, ignored otherwise. |
string | no |
BackendTLSPolicy.status
| Field | Description | Type |
|---|---|---|
| ancestors | is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy. |
object[] |
BackendTLSPolicy.status.ancestors[]
| Field | Description | Type |
|---|---|---|
| ancestorRef | corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. | object |
| conditions | Conditions describes the status of the Policy with respect to the given Ancestor.
Possible conditions:
|
Condition[] |
| controllerName | is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. |
string |
BackendTLSPolicy.status.ancestors[].ancestorRef
| Field | Description | Type |
|---|---|---|
| group | is the group of the referent. When unspecified, “gateway.networking.k8s.io” is inferred. To set the core API group (such as for a “Service” kind referent), Group must be explicitly set to "" (empty string). |
string |
| kind | is kind of the referent. There are two kinds of parent resources with “Core” support: Support for other resources is Implementation-Specific. |
string |
| name | is the name of the referent. | string |
| namespace | is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. Note: This section only applies to the Gateway API experimental channel ParentRefs from a Route to a Service in the same namespace are “producer” routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are “consumer” routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. |
string |
| port | is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It’s not recommended to set Port unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. Note: This section only applies to the Gateway API experimental channel When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. |
int32 |
| sectionName | is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following:
If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. |
string |