AccessControlPolicy
microgateway.airlock.com/v1alpha1
AccessControlPolicy is a Direct Attached Policy for the Kubernetes Gateway API.
It defines a rule-based policy for enforcing authentication, authorization and performing identity propagation.
Relationships (from the page's diagram): AccessControlPolicy attaches to the Gateway API resource HTTPRoute and references the Microgateway resources IdentityPropagation, JWT, OIDCRelyingParty and TokenExchange.
AccessControlPolicy
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | ||
| spec | defines the desired access control configuration. | object | yes | ||
| status | describes the current status of the AccessControlPolicy. | object | no | | |
AccessControlPolicy.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| policies | configures access control policies. The first matching policy (from top to bottom) applies. | object[] | yes | ||
| targetRefs | are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy. Support: HTTPRoute. | object[] | yes | | |
AccessControlPolicy.spec.policies[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| authorization | configures how requests are authorized. An empty object value {} disables authorization. | object | yes | ||
| identityPropagation | configures how the authenticated user’s identity is communicated to the protected application. | object | no | ||
| requestConditions | defines additional request properties which must all be matched in order for this policy to apply. A policy without request conditions will always match. WARNING: There is currently a limitation that if authentication.oidc is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (pathMapping.logoutPath / pathMapping.redirectPath). | object | no | | |
| tokenExchange | configures how downstream authentication tokens (e.g. JWT or OIDC Access Token) are exchanged with an OAuth2 Token Exchange Server. | object | no | | |
AccessControlPolicy.spec.policies[].authorization
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| authentication | specifies that clients need to be authenticated with the provided method. | object | no | | jwt{}, oidc{} |
| deny | specifies to deny access for all requests matching this policy. | object | no | | {} |
| ensured | specifies authentication properties to request from the client and which afterwards must be fulfilled in order for the request to be authorized (e.g., an OIDC ACR to enforce 2FA). | object | no | | oidc{} |
| requireAll | specifies conditions which must all be satisfied for the request to be authorized. | object[] | no | | |
| requireAny | specifies conditions of which at least one must be satisfied for the request to be authorized. | object[] | no | | |
AccessControlPolicy.spec.policies[].authorization.authentication
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| jwt | configures client authentication using JWT. | object | no | ||
| oidc | configures client authentication using OpenID Connect. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.authentication.jwt
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| jwtRef | selects the JWT configuration to apply. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.authentication.jwt.jwtRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the JWT resource | string | yes | | |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| introspection | configures how token introspection is performed. An empty object value {} defaults to the always strategy. | object | no | ||
| oidcRelyingPartyRef | configures how the Airlock Microgateway Engine interacts with the OpenID provider. | object | yes | ||
| timeouts | specifies timeouts for OIDC authentication properties. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| strategy | defines the behavior for token introspection. | object | no | always{...} | always{}, periodic{}, random{} |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection.strategy
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| always | strategy defines a strategy for checking every request. | object | no | ||
| periodic | strategy defines a time-based strategy for checking requests. Introspection is non-blocking; concurrent requests proceed without delay. | object | no | | |
| random | strategy defines a probabilistic strategy for checking the x-th request. Introspection is non-blocking; concurrent requests proceed without delay. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection.strategy.always
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| onError | specifies the behavior for a request if the token introspection returns an error, e.g., timeouts or 5xx errors. Block: The current in-flight request is blocked. InvalidateToken: Behaves as if the token introspection had returned false. This results in an invalidation of the current and requesting of a new token. Pass: Behaves as if the token introspection had returned true. | enum | no | Block | Block, InvalidateToken, Pass |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection.strategy.periodic
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| onError | specifies the behavior for a request if the token introspection returns an error, e.g., timeouts or 5xx errors. InvalidateToken: Behaves as if the token introspection had returned false. This results in an invalidation of the current and requesting of a new token. Pass: Behaves as if the token introspection had returned true. | enum | no | InvalidateToken | InvalidateToken, Pass |
| period | specifies the minimum time interval between token introspections for requests part of the same session. Once the interval has elapsed, introspection will be performed for the next request in the session. Must be >= '1s'. | string (duration) | yes | | See link |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection.strategy.random
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| onError | specifies the behavior for a request if the token introspection returns an error, e.g., timeouts or 5xx errors. InvalidateToken: Behaves as if the token introspection had returned false. This results in an invalidation of the current and requesting of a new token. Pass: Behaves as if the token introspection had returned true. | enum | no | InvalidateToken | InvalidateToken, Pass |
| probability | specifies the probability in % with which a request is selected to be introspected. A valid value for probability must be from the range [0.01%, 99.99%]. To introspect the token on every request the always strategy must be used. | string | yes | | |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.oidcRelyingPartyRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the OIDCRelyingParty resource | string | yes | | |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.timeouts
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| acrValues | specifies the time window for which a particular ACR remains fulfilled after it has last been included in an ID token. Once the window has elapsed without a new token containing that ACR having been issued (e.g., during token refresh), policies enforcing that ACR value will trigger a re-authentication flow. | string (duration) | no | 10m | See link |
AccessControlPolicy.spec.policies[].authorization.ensured
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| oidc | specifies properties related to OIDC authentication. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.ensured.oidc
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| acrInValues | specifies that an ID token must have been issued by the OIDC provider for an acr_values parameter containing the specified values in the specified order (order of preference). | string[] | no | | |
| scopes | specifies OIDC scopes which must have been granted in order for requests to be authorized. If scopes are missing, the client is redirected to the authorization endpoint of the OIDC provider with a scopes parameter including the missing scopes and all previously granted scopes. | string[] | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clientCertificate | specifies a condition on the presented client certificate. If no client certificate is presented, the condition is never satisfied. | object | no | | hash{}, issuer{}, san{}, subject{} |
| jwt | specifies a condition on the JWT. | object | no | | |
| oidc | specifies a condition on the result of an OpenID Connect flow. | object | no | | |
| tokenExchange | specifies a condition on the exchanged token. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| hash | specifies a condition on the SHA256 hash/fingerprint of the DER encoded presented client certificate. | object | no | ||
| issuer | specifies a condition on the issuer fields of the presented client certificate. Note: For security reasons, only client certificates passing TLS validation can satisfy this condition. | object | no | | |
| san | specifies a condition on the subject alternative names of the presented client certificate. Note: For security reasons, only client certificates passing TLS validation can satisfy this condition. | object | no | | |
| subject | specifies a condition on the subject fields of the presented client certificate. Note: For security reasons, only client certificates passing TLS validation can satisfy this condition. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.hash
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| in | specifies that the hash must match one of these values. | object | yes | | values{}, valuesFrom{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.hash.in
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| values | is a list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). | string[] | no | | |
| valuesFrom | selects the source from which to extract the list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.hash.in.valuesFrom
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| configMapRef | defines the reference to a ConfigMap containing a list of hex-encoded SHA-256 hashes under the key 'fingerprints.txt'. Each line represents one fingerprint; blank lines and comments beginning with '#' are ignored. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.hash.in.valuesFrom.configMapRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the ConfigMap resource | string | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.issuer
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | selects the issuer field to match. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
| value | which the selected issuer field must match. If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.issuer.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the value is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.issuer.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.san
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| type | selects the SAN type to match. | enum | yes | | DNS, Email, IPAddress, URI |
| value | which at least one of the subject alternative names of the specified type must match. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.san.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the value is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.san.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.subject
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | selects the subject field to match. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
| value | which the selected subject field must match. If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.subject.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the value is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].clientCertificate.subject.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].jwt
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies a condition on a JWT claim. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].jwt.claim
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the claim. | string | yes | ||
| value | of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].jwt.claim.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the value is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].jwt.claim.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies a condition on an ID token claim. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc.claim
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the claim. | string | yes | ||
| value | of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc.claim.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the value is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc.claim.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].tokenExchange
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies a condition on a JWT or ID token claim of the exchanged token. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].tokenExchange.claim
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the claim. | string | yes | ||
| value | of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAll[].tokenExchange.claim.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines how the value is matched. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].tokenExchange.claim.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google's RE2 regex engine is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed; please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
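The following manifest is an added illustration, not taken from the Airlock documentation, that composes the fields documented above into one policy: OIDC authentication with periodic introspection, an ensured ACR, and requireAll/requireAny conditions (requireAny has the same structure as requireAll and is documented in the section that follows). All resource names, the ACR value and the ConfigMap are constructed; the targetRefs group/kind/name fields are assumed from the standard Gateway API policy target reference, since this page only states that HTTPRoute is supported.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControlPolicy
metadata:
  name: example-access-control      # constructed name
  namespace: example-ns             # must be the namespace of the targeted HTTPRoute
spec:
  targetRefs:
    # Assumed field names (standard Gateway API target reference); the page
    # only states that HTTPRoute in the same namespace is supported.
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: example-route
  policies:
    # Policies are evaluated top to bottom and the first match applies.
    # This policy has no requestConditions, so it matches every request.
    - authorization:
        authentication:
          oidc:
            oidcRelyingPartyRef:
              name: example-oidc-rp   # constructed OIDCRelyingParty name
            introspection:
              strategy:
                periodic:
                  period: 5m              # re-introspect a session at most every 5 minutes
                  onError: InvalidateToken # treat introspection errors as "token invalid"
            timeouts:
              acrValues: 10m            # how long a fulfilled ACR stays valid without a new ID token
        ensured:
          oidc:
            # Request this ACR from the provider and re-authenticate once the
            # acrValues window has elapsed without a fresh ID token carrying it.
            acrInValues:
              - urn:example:acr:mfa   # constructed ACR value
            scopes:
              - openid
              - profile
        # Every requireAll condition must hold.
        requireAll:
          - clientCertificate:
              # Only certificates that passed TLS validation can satisfy a SAN condition.
              san:
                type: DNS
                value:
                  matcher:
                    suffix: .clients.example.com   # constructed domain
                    ignoreCase: true
          - oidc:
              claim:
                # Non-string claims are matched against their stringified value,
                # so a boolean claim is compared with the string "true".
                name: email_verified
                value:
                  matcher:
                    exact: "true"
        # At least one requireAny condition must hold.
        requireAny:
          - oidc:
              claim:
                # groups is normally an array of strings; arrays of primitives are supported.
                name: groups
                value:
                  matcher:
                    exact: admins
          - clientCertificate:
              hash:
                in:
                  valuesFrom:
                    configMapRef:
                      # Constructed ConfigMap holding SHA-256 fingerprints,
                      # one per line, under the key fingerprints.txt.
                      name: allowed-client-fingerprints
```

Because this policy has no requestConditions it always matches, so any policy listed after it (for example a `deny: {}` fallback) would never be reached.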
AccessControlPolicy.spec.policies[].authorization.requireAny[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| clientCertificate | specifies a condition on the presented client certificate. If no client certificate is presented, the condition is never satisfied. | object | no | | hash{}, issuer{}, san{}, subject{} |
| jwt | specifies a condition on the JWT. | object | no | | |
| oidc | specifies a condition on the result of an OpenID Connect flow. | object | no | | |
| tokenExchange | specifies a condition on the exchanged token. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| hash | specifies a condition on the SHA256 hash/fingerprint of the DER encoded presented client certificate. | object | no | ||
| issuer | specifies a condition on the issuer fields of the presented client certificate. Note: For security reasons, only client certificates passing TLS validation can satisfy this condition. | object | no | | |
| san | specifies a condition on the subject alternative names of the presented client certificate. Note: For security reasons, only client certificates passing TLS validation can satisfy this condition. | object | no | | |
| subject | specifies a condition on the subject fields of the presented client certificate. Note: For security reasons, only client certificates passing TLS validation can satisfy this condition. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.hash
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| in | specifies that the hash must match one of these values. | object | yes | | values{}, valuesFrom{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.hash.in
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| values | is a list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). | string[] | no | | |
| valuesFrom | selects the source from which to extract the list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.hash.in.valuesFrom
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| configMapRef | defines the reference to a ConfigMap containing a list of hex-encoded SHA-256 hashes under the key 'fingerprints.txt'. Each line represents one fingerprint; blank lines and comments beginning with '#' are ignored. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.hash.in.valuesFrom.configMapRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the ConfigMap resource | string | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.issuer
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | selects the issuer field to match. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
| value | which the selected issuer field must match. If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.issuer.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.issuer.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.san
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| type | selects the SAN type to match. | enum | yes | | DNS, Email, IPAddress, URI |
| value | which at least one of the subject alternative names of the specified type must match. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.san.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.san.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.subject
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | selects the subject field to match. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
| value | which the selected subject field must match. If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.subject.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].clientCertificate.subject.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
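The client certificate conditions from the tables above (hash pinning via a ConfigMap, a subject field match and a SAN match), combined in one manifest. This is an added example and is not part of the Airlock documentation or of the Microgateway project. The HTTPRoute name frontend-route, the ConfigMap name partner-fingerprints, the OU value Payments and the domain partner.example.com are placeholders; the two fingerprint lines in the ConfigMap reuse the page's own example value in both accepted spellings. The example assumes that each requireAny entry is an independent alternative (the request is authorized as soon as one entry matches) and that the conditions only evaluate a certificate the gateway has already validated at the TLS layer, so the trust anchor is configured there and not in this policy.

```yaml
# Added example, not taken from the Airlock documentation or the Microgateway
# project. frontend-route, partner-fingerprints, Payments and
# partner.example.com are placeholders.
apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControlPolicy
metadata:
  name: partner-mtls
  namespace: apps
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: frontend-route
  policies:
    - authorization:
        # Assumed: each entry is one alternative; any matching entry authorizes.
        requireAny:
          # 1) Certificate is on the pinned allow-list kept in a ConfigMap.
          #    Rotating a pinned certificate means editing the ConfigMap, not
          #    this policy. An inline list would use hash.in.values instead.
          - clientCertificate:
              hash:
                in:
                  valuesFrom:
                    configMapRef:
                      name: partner-fingerprints
          # 2) Certificate whose subject carries OU=Payments. If the subject
          #    has several OU entries, one matching entry is enough.
          - clientCertificate:
              subject:
                field: OrganizationalUnit
                value:
                  matcher:
                    exact: Payments
          # 3) Certificate with at least one DNS SAN directly under
          #    partner.example.com. The regex is anchored at both ends so that
          #    "x.partner.example.com.attacker.test" cannot match, and the dots
          #    are escaped so "partnerXexample" cannot either.
          - clientCertificate:
              san:
                type: DNS
                value:
                  matcher:
                    regex: '^[a-z0-9-]+\.partner\.example\.com$'
                    ignoreCase: true   # DNS names are case-insensitive
---
# Allow-list referenced by entry 1. One fingerprint per line; blank lines and
# lines starting with '#' are ignored.
apiVersion: v1
kind: ConfigMap
metadata:
  name: partner-fingerprints
  namespace: apps
data:
  fingerprints.txt: |
    # hex form
    df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a

    # colon-separated form, as printed by openssl x509 -fingerprint -sha256
    DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
```

The colon-separated form is what `openssl x509 -in client.crt -noout -fingerprint -sha256` prints, so that is the quickest way to fill the ConfigMap from the certificates you received. A fingerprint pins one exact certificate: when a partner renews, the new certificate has a new fingerprint even if the key is unchanged, so entry 1 must be updated at every renewal while entries 2 and 3 keep working as long as the renewed certificate carries the same subject or SAN. Prefer exact over contains, prefix and suffix for subject and SAN values; a suffix match on ".partner.example.com" would also accept "evil-partner.example.com" unless the dot is included, and an unanchored regex accepts any string that merely contains the pattern.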
AccessControlPolicy.spec.policies[].authorization.requireAny[].jwt
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies a condition on a JWT claim. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].jwt.claim
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the claim. | string | yes | | |
| value | of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].jwt.claim.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].jwt.claim.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies a condition on an ID token claim. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc.claim
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the claim. | string | yes | | |
| value | of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc.claim.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc.claim.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].tokenExchange
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | specifies a condition on a JWT or ID token claim of the exchanged token. | object | yes | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].tokenExchange.claim
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the claim. | string | yes | | |
| value | of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |
AccessControlPolicy.spec.policies[].authorization.requireAny[].tokenExchange.claim.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].tokenExchange.claim.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].identityPropagation
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| actions | specifies the propagation actions. | object[] | yes | | |
| onFailure | configures what should happen, if an identity propagation fails. Meaning of the possible values: | enum | yes | Pass | |
AccessControlPolicy.spec.policies[].identityPropagation.actions[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| identityPropagationRef | selects an IdentityPropagation to apply. | object | yes | | |
AccessControlPolicy.spec.policies[].identityPropagation.actions[].identityPropagationRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the IdentityPropagation resource | string | yes | | |
AccessControlPolicy.spec.policies[].requestConditions
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | defines the matching headers of a request. | object | no | | |
| invert | indicates whether the request condition should be inverted. | bool | no | false | true, false |
| mediaType | defines the matching media type from the content-type header of a request. | object | no | | |
| method | defines the matching methods of a request. | enum[] | no | | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
| path | defines the matching path of a request. | object | no | | |
| remoteIP | defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the GatewayParameters resource to ensure correct client IP detection. | object | no | | |
AccessControlPolicy.spec.policies[].requestConditions.header
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | defines the name of a header. | object | no | | |
| value | defines the value of a header. | object | no | | |
AccessControlPolicy.spec.policies[].requestConditions.header.name
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.header.name.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].requestConditions.header.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.header.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].requestConditions.mediaType
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.mediaType.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].requestConditions.path
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.path.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
AccessControlPolicy.spec.policies[].requestConditions.remoteIP
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | string[] | yes | | |
| invert | indicates whether the match should be inverted. | bool | no | false | true, false |
AccessControlPolicy.spec.policies[].tokenExchange
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| actions | specifies the chain of token exchange actions to execute. | object[] | yes | | |
| onFailure | configures what should happen, if the token exchange fails. Meaning of the possible values: | enum | no | Block | Block, Pass |
AccessControlPolicy.spec.policies[].tokenExchange.actions[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| tokenExchangeRef | selects a TokenExchange to perform. | object | yes | | |
AccessControlPolicy.spec.policies[].tokenExchange.actions[].tokenExchangeRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the TokenExchange resource | string | yes | | |
AccessControlPolicy.spec.targetRefs[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| group | is the group of the target resource. | string | yes | | gateway.networking.k8s.io |
| kind | is the kind of the target resource. | string | yes | | HTTPRoute |
| name | is the name of the target resource. | string | yes | | |
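The claim conditions, request conditions, token exchange, identity propagation and targetRefs fields from the tables above, combined in one manifest with two policies on the same HTTPRoute. This is an added example and is not part of the Airlock documentation or of the Microgateway project. The names orders-route, orders-backend and propagate-subject, the claim names and their values are placeholders, and the authentication part of each policy is omitted. It assumes that all request conditions of a policy must hold for that policy to apply, that an array claim such as roles matches when any of its elements matches, and that a requireAny entry of type tokenExchange is evaluated against the token produced by the policy's own tokenExchange actions.

```yaml
# Added example, not taken from the Airlock documentation or the Microgateway
# project. orders-route, orders-backend, propagate-subject and all claim
# names/values are placeholders.
apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControlPolicy
metadata:
  name: orders-api
  namespace: apps
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: orders-route
  policies:
    # Policy 1: JSON writes to the orders API from internal address ranges.
    # Assumed: every request condition listed here must hold.
    - requestConditions:
        method: [POST, PUT, PATCH, DELETE]
        path:
          matcher:
            prefix: /api/v1/orders/
        mediaType:
          matcher:
            exact: application/json      # mediaType has no ignoreCase option
        remoteIP:
          # Only meaningful if client IP detection is set up correctly in
          # GatewayParameters; otherwise this may see a proxy address.
          cidrRanges: ["10.0.0.0/8", "fd00::/8"]
      authorization:
        requireAny:
          # Either the caller's JWT lists orders-admin in its roles array ...
          - jwt:
              claim:
                name: roles
                value:
                  matcher:
                    exact: orders-admin
          # ... or the token obtained by the exchange below carries the
          # orders:write scope. Scope values are space-separated, so the regex
          # allows other scopes before and after and is anchored at both ends.
          - tokenExchange:
              claim:
                name: scope
                value:
                  matcher:
                    regex: '^(.* )?orders:write( .*)?$'
      tokenExchange:
        actions:
          - tokenExchangeRef:
              name: orders-backend
        # Block is the default. Pass would forward the request to the backend
        # without the exchanged token, i.e. fail open.
        onFailure: Block
      identityPropagation:
        actions:
          - identityPropagationRef:
              name: propagate-subject
        onFailure: Pass
    # Policy 2: reads. Kept disjoint from policy 1 by method, since the tables
    # do not state which policy applies when several match the same request.
    - requestConditions:
        method: [GET, HEAD]
        path:
          matcher:
            prefix: /api/v1/orders/
        header:
          name:
            matcher:
              exact: accept          # header names always match case-insensitively
          value:
            matcher:
              contains: application/json
      authorization:
        requireAny:
          - jwt:
              claim:
                name: sub            # no value: the claim only has to be present
```

Two points worth checking before applying something like this. First, a requireAny entry with a tokenExchange claim can only succeed if the exchange succeeded, so pairing it with `onFailure: Pass` would make the policy's outcome depend on whether the jwt alternative also matches; keeping the default Block is the safer choice. Second, request conditions decide which policy applies, not whether the request is allowed: a write from an address outside the two CIDR ranges matches neither policy above, and what the gateway does with a request no policy covers is not described in these tables, so test that case explicitly. Use `invert: true` on requestConditions (or on remoteIP) when a policy should cover everything except a set of requests, rather than trying to enumerate the complement.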
AccessControlPolicy.status
| Field | Description | Type |
|---|---|---|
| ancestors | is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy. | object[] |
AccessControlPolicy.status.ancestors[]
| Field | Description | Type |
|---|---|---|
| ancestorRef | corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. | object |
| conditions | Conditions describes the status of the Policy with respect to the given Ancestor. Possible conditions: | Condition[] |
| controllerName | is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. | string |
AccessControlPolicy.status.ancestors[].ancestorRef
| Field | Description | Type |
|---|---|---|
| group | is the group of the referent. When unspecified, “gateway.networking.k8s.io” is inferred. To set the core API group (such as for a “Service” kind referent), Group must be explicitly set to "" (empty string). | string |
| kind | is the kind of the referent. There are two kinds of parent resources with “Core” support: Gateway (Gateway conformance profile) and Service (Mesh conformance profile, ClusterIP Services only). Support for other resources is Implementation-Specific. | string |
| name | is the name of the referent. | string |
| namespace | is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. Note: This section only applies to the Gateway API experimental channel. ParentRefs from a Route to a Service in the same namespace are “producer” routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are “consumer” routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. | string |
| port | is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route (and select this Route). It’s not recommended to set Port unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. Note: This section only applies to the Gateway API experimental channel. When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. | int32 |
| sectionName | is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: Gateway: Listener name. Service: Port name. Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. | string |