Gateway
gateway.networking.k8s.io/v1
Gateway API Versionv1.6.0
Gateway represents an instance of a service-traffic handling infrastructure by binding Listeners to a set of IP addresses.
A Gateway name SHOULD be compliant with RFC 1035, consisting of a maximum of 63 lower case alphanumeric characters or hyphens (’-’), and MUST start and end with an alphanumeric character.
---
config:
theme: base
themeVariables:
secondaryColor: '#ffffff'
---
block
columns 7
classDef al_ref_box fill:#F2F2F2,stroke:#555;
classDef al_mgw_box fill:#70991F,stroke:#555;
classDef al_gwapi_box fill:#326CE5,stroke:#555;
classDef al_std_box fill:#808B8F,stroke:#555;
classDef al_self_box fill:#326CE5,stroke:#777,stroke-width:5px;
block:RefBy:1
columns 1
ReferenceGrant["<a href='../../../gateway-api/reference-grant/v1'> ReferenceGrant </a>"]
space:1
class ReferenceGrant al_gwapi_box
end
class RefBy al_ref_box
space:2
Gateway["<a href='../../../gateway-api/gateway/v1'> <b>Gateway</b> </a>"]
class Gateway al_self_box
space:2
block:Ref:1
columns 1
GatewayClass["<a href='../../../gateway-api/gateway-class/v1'> GatewayClass </a>"]
GatewayParameters["<a href='../../../microgateway/gateway-parameters/v1alpha1'> GatewayParameters </a>"]
class GatewayParameters al_mgw_box
class GatewayClass al_gwapi_box
end
class Ref al_ref_box
space:7
space:2
block:TargetedBy:3
columns 3
HTTPRoute["<a href='../../../gateway-api/http-route/v1'> HTTPRoute </a>"]
ListenerSet["<a href='../../../gateway-api/listener-set/v1'> ListenerSet </a>"]
space:1
class HTTPRoute,ListenerSet al_gwapi_box
end
class TargetedBy al_ref_box
space:2
RefBy -- "<br><i>references</i>" --> Gateway
Gateway -- "<br><i>references</i>" --> Ref
TargetedBy -- "<i>attaches to</i>" --> Gateway
Gateway
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | ||
| spec | defines the desired state of Gateway. | object | yes | ||
| status | defines the current state of Gateway. | object | no |
Gateway.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| addresses | Not supported | object[] | no | ||
| allowedListeners | defines which ListenerSets can be attached to this Gateway. The default value is to allow no ListenerSets. |
object | no | ||
| defaultScope | Not supported | enum | no | All, None |
|
| gatewayClassName | used for this Gateway. This is the name of a GatewayClass resource. | string | yes | ||
| infrastructure | defines infrastructure level attributes about this Gateway instance. | object | no | ||
| listeners | associated with this Gateway. Listeners define logical endpoints that are bound on this Gateway’s addresses. At least one Listener MUST be specified. Distinct ListenersEach Listener in a set of Listeners (for example, in a single Gateway) MUST be distinct, in that a traffic flow MUST be able to be assigned to exactly one listener. (This section uses “set of Listeners” rather than “Listeners in a single Gateway” because implementations MAY merge configuration from multiple Gateways onto a single data plane, and these rules also apply in that case).Practically, this means that each listener in a set MUST have a unique combination of Port, Protocol, and, if supported by the protocol, Hostname. Some combinations of port, protocol, and TLS settings are considered Core support and MUST be supported by implementations based on the objects they support: HTTPRoute
The implementation can match inbound requests to a single distinct Listener. When multiple Listeners share values for fields (for example, two Listeners with the same Port value), the implementation can match requests to only one of the Listeners using other Listener fields. When multiple listeners have the same value for the Protocol field, then each of the Listeners with matching Protocol values MUST have different values for other fields. The set of fields that MUST be different for a Listener differs per protocol. The following rules define the rules for what fields MUST be considered for Listeners to be distinct with each protocol currently defined in the Gateway API spec. The set of listeners that all share a protocol value MUST have different values for at least one of these fields to be distinct:
If an implementation does not support TCP Protocol Listeners, then the previous rule does not apply, and the TCP Listeners SHOULD NOT be accepted. Note that the tls field is not used for determining if a listener is distinct, because Listeners that only differ on TLS config will still conflict in all cases. Listeners that are distinct only by HostnameWhen the Listeners are distinct based only on Hostname, inbound request hostnames MUST match from the most specific to least specific Hostname values to choose the correct Listener and its associated set of Routes.Exact matches MUST be processed before wildcard matches, and wildcard matches MUST be processed before fallback (empty Hostname value) matches. For example, "foo.example.com" takes precedence over "*.example.com", and "*.example.com" takes precedence over "". Additionally, if there are multiple wildcard entries, more specific wildcard entries must be processed before less specific wildcard entries. For example, "*.foo.example.com" takes precedence over "*.example.com". The precise definition here is that the higher the number of dots in the hostname to the right of the wildcard character, the higher the precedence. The wildcard character will match any number of characters and dots to the left, however, so "*.example.com" will match both "foo.bar.example.com" and "bar.example.com". Handling indistinct ListenersIf a set of Listeners contains Listeners that are not distinct, then those Listeners are Conflicted, and the implementation MUST set the “Conflicted” condition in the Listener Status to “True”.The words “indistinct” and “conflicted” are considered equivalent for the purpose of this documentation. Implementations MAY choose to accept a Gateway with some Conflicted Listeners only if they only accept the partial Listener set that contains no Conflicted Listeners. Specifically, an implementation MAY accept a partial Listener set subject to the following rules:
General Listener behaviorNote that, for all distinct Listeners, requests SHOULD match at most one Listener.For example, if Listeners are defined for “foo.example.com” and “.example.com”, a request to “foo.example.com” SHOULD only be routed using routes attached to the “foo.example.com” Listener (and not the “.example.com” Listener). If traffic to a Gateway does not match any Listener’s hostname (or if the Listener does not specify a hostname and the request does not match any attached Route), the request MUST be rejected. The specific mechanism for rejection depends on the protocol: HTTP returns a 404 status code, while gRPC returns an Unimplemented status code. This concept is known as “Listener Isolation”, and it is an Extended feature of Gateway API. Implementations that do not support Listener Isolation MUST clearly document this, and MUST NOT claim support for the GatewayHTTPListenerIsolation feature. Implementations that do support Listener Isolation SHOULD claim support for the Extended GatewayHTTPListenerIsolation feature and pass the associated conformance tests. Compatible ListenersA Gateway’s Listeners are considered compatible if:
For example, an implementation that cannot serve both TCP and UDP listeners on the same address, or cannot mix HTTPS and generic TLS listens on the same port would not consider those cases compatible, even though they are distinct. Implementations MAY merge separate Gateways onto a single set of Addresses if all Listeners across all Gateways are compatible. In a future release the MinItems=1 requirement MAY be dropped. |
object[] | yes | ||
| tls | specifies frontend and backend tls configuration for entire gateway. | object | no |
Gateway.spec.addresses[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| type | of the address. | string | no | IPAddress |
|
| value | When a value is unspecified, an implementation SHOULD automatically assign an address matching the requested type if possible. If an implementation does not support an empty value, they MUST set the “Programmed” condition in status to False with a reason of “AddressNotAssigned”. Examples: 1.2.3.4, 128::1, my-ip-address. |
string | no |
Gateway.spec.allowedListeners
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| namespaces | defines which namespaces ListenerSets can be attached to this Gateway. The default value is to allow no ListenerSets. |
object | no |
Gateway.spec.allowedListeners.namespaces
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| from | indicates where ListenerSets can attach to this Gateway. Possible values are:
|
string | no | None |
All, None, Same, Selector |
| selector | must be specified when From is set to “Selector”. In that case, only ListenerSets in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of “From”. | LabelSelector | no |
Gateway.spec.infrastructure
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| annotations | that SHOULD be applied to any resources created in response to this Gateway. For implementations creating other Kubernetes objects, this should be the metadata.annotations field on resources. For other implementations, this refers to any relevant (implementation specific) “annotations” concepts. An implementation may chose to add additional implementation-specific annotations as they see fit. |
map[string]string | no | ||
| labels | that SHOULD be applied to any resources created in response to this Gateway. For implementations creating other Kubernetes objects, this should be the metadata.labels field on resources. For other implementations, this refers to any relevant (implementation specific) “labels” concepts. An implementation may chose to add additional implementation-specific labels as they see fit. If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels change, it SHOULD clearly warn about this behavior in documentation. |
map[string]string | no | ||
| parametersRef |
ParametersRef is a reference to a resource that contains the configuration parameters corresponding to the Gateway. This is optional if the controller does not require any additional configuration. Supported kinds: GatewayParameters |
object | no |
Gateway.spec.infrastructure.parametersRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group | Group is the group of the referent.
Supported groups: |
string | yes | ||
| kind | Kind is kind of the referent. Supported kinds: GatewayParameters |
string | yes | ||
| name | is the name of the referent. | string | yes |
Gateway.spec.listeners[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| allowedRoutes | defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. Although a client request may match multiple route rules, only one rule may ultimately receive the request. Matching precedence MUST be determined in order of the following criteria:
|
object | no | ||
| hostname | specifies the virtual hostname to match for protocol types that define this concept. When unspecified, all hostnames are matched. This field is ignored for protocols that don’t require hostname based matching. Implementations MUST apply Hostname matching appropriately for each of the following protocols:
Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the reuse of a connection by responding with the HTTP 421 Misdirected Request status code. This indicates that the origin server has rejected the request because it appears to have been misdirected. To detect misdirected requests, Gateways SHOULD match the authority of the requests with all the SNI hostname(s) configured across all the Gateway Listeners on the same port and protocol:
spec.hostnames array. When both listener and route specify hostnames, there MUST be an intersection between the values for a Route to be accepted. For more information, refer to the Route specific Hostnames documentation. Hostnames that are prefixed with a wildcard label ( *.) are interpreted as a suffix match. That means that a match for *.example.com would match both test.example.com, and foo.test.example.com, but not example.com. |
string | no | ||
| name | is the name of the Listener. This name MUST be unique within a Gateway. | string | yes | ||
| port | is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules. | int32 | yes | [1, 65535] |
|
| protocol | Protocol specifies the network protocol this listener expects to receive.
Supported protocols:
|
string | yes | ||
| tls | is the TLS configuration for the Listener. This field is required if the Protocol field is “HTTPS” or “TLS”. It is invalid to set this field if the Protocol field is “HTTP”, “TCP”, or “UDP”. The association of SNIs to Certificate defined in ListenerTLSConfig is defined based on the Hostname field for this listener. The GatewayClass MUST use the longest matching SNI out of all available certificates for any TLS handshake. |
object | no |
Gateway.spec.listeners[].allowedRoutes
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| kinds |
Kinds specifies the groups and kinds of Routes that are allowed to bind to this Gateway Listener. When unspecified or empty, the kinds of Routes selected are determined using the Listener protocol. Supported kinds: HTTPRoute |
object[] | no | ||
| namespaces | indicates namespaces from which Routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. | object | no |
Gateway.spec.listeners[].allowedRoutes.kinds[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group | Group is the group of the Route.
Supported groups: |
string | no | gateway.networking.k8s.io |
|
| kind | Kind is the kind of the Route. Supported kinds: HTTPRoute |
string | yes |
Gateway.spec.listeners[].allowedRoutes.namespaces
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| from | indicates where Routes will be selected for this Gateway. Possible values are: |
string | no | Same |
All, Same, Selector |
| selector | must be specified when From is set to “Selector”. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway. This field is ignored for other values of “From”. | LabelSelector | no |
Gateway.spec.listeners[].tls
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| certificateRefs |
CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. Supported kinds: Secret |
object[] | no | ||
| mode | defines the TLS behavior for the TLS session initiated by the client. There are two possible modes:
|
enum | no | Terminate |
Passthrough, Terminate |
| options |
Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites.
Supported options:
|
map[string]string | no |
Gateway.spec.listeners[].tls.certificateRefs[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group |
Group is the group of the referent. For example, “gateway.networking.k8s.io”.
Supported groups: |
string | no | "" |
|
| kind | Kind is kind of the referent. For example “Secret”. Supported kinds: Secret |
string | no | Secret |
|
| name | is the name of the referent. | string | yes | ||
| namespace | is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. |
string | no |
Gateway.spec.tls
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| backend | describes TLS configuration for gateway when connecting to backends. Note that this contains only details for the Gateway as a TLS client, and does not imply behavior about how to choose which backend should get a TLS connection. That is determined by the presence of a BackendTLSPolicy. |
object | no | ||
| frontend | describes TLS config when client connects to Gateway. | object | no |
Gateway.spec.tls.backend
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clientCertificateRef |
ClientCertificateRef references an object that contains a client certificate and its associated private key. It can reference standard Kubernetes resources, i.e., Secret, or implementation-specific custom resources.
Support: Core - Reference to a Kubernetes TLS Secret (with the type kubernetes.io/tls). Support: Implementation-specific - Other resource kinds or Secrets with a different type (e.g., Opaque).
Supported kinds: Secret |
object | no |
Gateway.spec.tls.backend.clientCertificateRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group |
Group is the group of the referent. For example, “gateway.networking.k8s.io”.
Supported groups: |
string | no | "" |
|
| kind | Kind is kind of the referent. For example “Secret”. Supported kinds: Secret |
string | no | Secret |
|
| name | is the name of the referent. | string | yes | ||
| namespace | is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. |
string | no |
Gateway.spec.tls.frontend
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| default | specifies the default client certificate validation configuration for all Listeners handling HTTPS traffic, unless a per-port configuration is defined. | object | yes | ||
| perPort | specifies tls configuration assigned per port. Per port configuration is optional. Once set this configuration overrides the default configuration for all Listeners handling HTTPS traffic that match this port. Each override port requires a unique TLS configuration. |
object[] | no |
Gateway.spec.tls.frontend.default
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| validation | holds configuration information for validating the frontend (client). Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific. |
object | no |
Gateway.spec.tls.frontend.default.validation
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| caCertificateRefs |
CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used as a trust anchor to validate the certificates presented by the client.
In such cases, an implementation-specific Reason and Message MUST be set. In all cases, the implementation MUST ensure that the ResolvedRefs condition is set to status: False on all targeted listeners (i.e., listeners serving HTTPS on a matching port). The condition MUST include a Reason and Message that indicate the cause of the error. If ALL CACertificateRefs are invalid, the implementation MUST also ensure the Accepted condition on the listener is set to status: False, with the Reason NoValidCACertificate. Implementations MAY choose to support attaching multiple CA certificates to a listener, but this behavior is implementation-specific. Support: Core - A single reference to a Kubernetes ConfigMap, with the CA certificate in a key named ca.crt. Support: Implementation-specific - More than one reference, other kinds of resources, or a single reference that includes multiple certificates. |
object[] | yes | ||
| mode | FrontendValidationMode defines the mode for validating the client certificate. There are two possible modes:
Defaults to AllowValidOnly. |
enum | no | AllowValidOnly |
AllowInsecureFallback, AllowValidOnly |
Gateway.spec.tls.frontend.default.validation.caCertificateRefs[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group |
Group is the group of the referent. For example, “gateway.networking.k8s.io”.
Supported groups: |
string | yes | ||
| kind | Kind is kind of the referent. For example “ConfigMap” or “Service”. |
string | yes | ||
| name | is the name of the referent. | string | yes | ||
| namespace | is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. |
string | no |
Gateway.spec.tls.frontend.perPort[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| port | The Port indicates the Port Number to which the TLS configuration will be applied. This configuration will be applied to all Listeners handling HTTPS traffic that match this port. | int32 | yes | [1, 65535] |
|
| tls | store the configuration that will be applied to all Listeners handling HTTPS traffic and matching given port. | object | yes |
Gateway.spec.tls.frontend.perPort[].tls
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| validation | holds configuration information for validating the frontend (client). Setting this field will result in mutual authentication when connecting to the gateway. In browsers this may result in a dialog appearing that requests a user to specify the client certificate. The maximum depth of a certificate chain accepted in verification is Implementation specific. |
object | no |
Gateway.spec.tls.frontend.perPort[].tls.validation
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| caCertificateRefs |
CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used as a trust anchor to validate the certificates presented by the client.
In such cases, an implementation-specific Reason and Message MUST be set. In all cases, the implementation MUST ensure that the ResolvedRefs condition is set to status: False on all targeted listeners (i.e., listeners serving HTTPS on a matching port). The condition MUST include a Reason and Message that indicate the cause of the error. If ALL CACertificateRefs are invalid, the implementation MUST also ensure the Accepted condition on the listener is set to status: False, with the Reason NoValidCACertificate. Implementations MAY choose to support attaching multiple CA certificates to a listener, but this behavior is implementation-specific. Support: Core - A single reference to a Kubernetes ConfigMap, with the CA certificate in a key named ca.crt. Support: Implementation-specific - More than one reference, other kinds of resources, or a single reference that includes multiple certificates. |
object[] | yes | ||
| mode | FrontendValidationMode defines the mode for validating the client certificate. There are two possible modes:
Defaults to AllowValidOnly. |
enum | no | AllowValidOnly |
AllowInsecureFallback, AllowValidOnly |
Gateway.spec.tls.frontend.perPort[].tls.validation.caCertificateRefs[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group |
Group is the group of the referent. For example, “gateway.networking.k8s.io”.
Supported groups: |
string | yes | ||
| kind | Kind is kind of the referent. For example “ConfigMap” or “Service”. |
string | yes | ||
| name | is the name of the referent. | string | yes | ||
| namespace | is the namespace of the referenced object. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details. |
string | no |
Gateway.status
| Field | Description | Type |
|---|---|---|
| addresses | lists the network addresses that have been bound to the Gateway. This list may differ from the addresses provided in the spec under some conditions:
|
object[] |
| attachedListenerSets | represents the total number of ListenerSets that have been successfully attached to this Gateway. A ListenerSet is successfully attached to a Gateway when all the following conditions are met:
|
int32 |
| conditions | describe the current status of the Gateway.
Possible conditions:
|
Condition[] |
| listeners | provide status for each unique listener port defined in the Spec. | object[] |
Gateway.status.addresses[]
| Field | Description | Type |
|---|---|---|
| type | of the address. | string |
| value | of the address. The validity of the values will depend on the type and support by the controller. Examples: 1.2.3.4, 128::1, my-ip-address. |
string |
Gateway.status.listeners[]
| Field | Description | Type |
|---|---|---|
| attachedRoutes | represents the total number of Routes that have been successfully attached to this Listener. Successful attachment of a Route to a Listener is based solely on the combination of the AllowedRoutes field on the corresponding Listener and the Route’s ParentRefs field. A Route is successfully attached to a Listener when it is selected by the Listener’s AllowedRoutes field AND the Route has a valid ParentRef selecting the whole Gateway resource or a specific Listener as a parent resource (more detail on attachment semantics can be found in the documentation on the various Route kinds ParentRefs fields). Listener or Route status does not impact successful attachment, i.e. the AttachedRoutes field count MUST be set for Listeners, even if the Accepted condition of an individual Listener is set to “False”. The AttachedRoutes number represents the number of Routes with the Accepted condition set to “True” that have been attached to this Listener. Routes with any other value for the Accepted condition MUST NOT be included in this count. Uses for this field include troubleshooting Route attachment and measuring blast radius/impact of changes to a Listener. |
int32 |
| conditions | Conditions describe the current condition of this listener.
Possible conditions:
|
Condition[] |
| name | is the name of the Listener that this status corresponds to. | string |
| supportedKinds | is the list indicating the Kinds supported by this listener. This MUST represent the kinds supported by an implementation for that Listener configuration. If kinds are specified in Spec that are not supported, they MUST NOT appear in this list and an implementation MUST set the “ResolvedRefs” condition to “False” with the “InvalidRouteKinds” reason. If both valid and invalid Route kinds are specified, the implementation MUST reference the valid Route kinds that have been specified. |
object[] |
Gateway.status.listeners[].supportedKinds[]
| Field | Description | Type |
|---|---|---|
| group | is the group of the Route. | string |
| kind | is the kind of the Route. | string |