GatewayParameters

microgateway.airlock.com/v1alpha1


GatewayParameters defines the configuration settings for deploying a Gateway in Kubernetes, including options for logging, service type, deployment strategy, and resource management. It can be referenced by either a GatewayClass or a Gateway.
Note: The more specific GatewayParameters take precedence: if a Gateway references GatewayParameters, the parameters from its associated GatewayClass are completely overridden without merging.

Reference diagram (rendered on the original page): Gateway and GatewayClass, both Gateway API resources, reference GatewayParameters; GatewayParameters in turn references the CustomResponse, SessionHandling and Telemetry resources.

Example:
apiVersion: microgateway.airlock.com/v1alpha1
kind: GatewayParameters
metadata:
  name: gateway-parameters-example
spec:
  # Enable debug logging
  logging:
    level: debug

  kubernetes:
    # Expose the Gateway using a service with an internet-facing AWS Network Load Balancer
    service:
      type: LoadBalancer
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: external
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing

    deployment:
      replicas: 3

      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 1

      # Schedule the Airlock Microgateway Engine pods on a specific instance type and across availability zones
      placement:
        nodeSelector:
          node.kubernetes.io/instance-type: m3.medium
        topologySpreadConstraints:
          - maxSkew: 1
            topologyKey: topology.kubernetes.io/zone
            whenUnsatisfiable: ScheduleAnyway

      # Specify Volumes for the Airlock Microgateway Gateway deployment
      volumes:
        - name: vol-1
          emptyDir: {}

      engineContainer:
        # Set resource restrictions to apply to the Airlock Microgateway Engine container
        resources:
          limits:
            cpu: 500m
            memory: 128Mi
          requests:
            cpu: 10m
            memory: 40Mi
        # Specify VolumeMounts for the Airlock Microgateway Engine container
        volumeMounts:
          - name: vol-1
            mountPath: /tmp/data
        securityContext:
          # Specify additional capabilities assigned to the Airlock Microgateway Engine container
          capabilities:
            add: ["BPF"]

  defaults:
    customResponses:
      # Customize all direct error responses sent by the Gateway
      local:
        - statusCodeCondition:
            matcher:
              exact: 401
          customResponseRef:
            name: custom-401
        - statusCodeCondition:
            matcher:
              exact: 404
          customResponseRef:
            name: custom-404
        - statusCodeCondition:
            matcher:
              range:
                start: 400
                end: 499
          customResponseRef:
            name: custom-400
        - statusCodeCondition:
            matcher:
              range:
                start: 500
                end: 599
          customResponseRef:
            name: custom-5xx
      # Replace upstream error responses with custom responses
      upstream:
        - responseConditions:
            statusCode:
              matcher:
                range:
                  start: 400
                  end: 499
          customResponseRef:
            name: upstream-4xx
        - responseConditions:
            statusCode:
              matcher:
                range:
                  start: 500
                  end: 599
          customResponseRef:
            name: upstream-5xx

    sessionHandlingRef:
      name: session-handling-example

    telemetryRef:
      name: telemetry-example

    downstream:
      # Configure 'remoteIP' extraction.
      remoteIP:
        xff:
          numTrustedHops: 1

Defaults (the values applied when the corresponding fields are left unset):
apiVersion: microgateway.airlock.com/v1alpha1
kind: GatewayParameters
metadata:
  name: default
spec:
  logging:
    level: info
  kubernetes:
    service:
      type: LoadBalancer
    deployment:
      placement: {}
      engineContainer:
        securityContext:
          capabilities: {}
      automountServiceAccountToken: false
  defaults:
    customResponses: {}
    downstream:
      remoteIP:
        connectionIP: {}
    contentSecurity:
      unsecured: {}
  features:
    envoyExtensionPolicyEnabled: false
    insecureTLSAllowed: false
    externalNameServicesAllowed: false
    httpRouteRegexPathMatchEnabled: false
    unrestrictedEnvoyAdminInterface: false
  experimental:
    tls:
      backend: {}

GatewayParameters

Field Description Type Required Default Allowed Values
metadata defines the resource’s metadata ObjectMeta yes
spec defines the desired Gateway configuration parameter values. object yes

GatewayParameters.spec

Field Description Type Required Default Allowed Values
defaults specifies default configurations and policies for the Gateway. object no
experimental specifies configurations and policies for the Gateway.
Note: Experimental contains Gateway API settings which are not graduated yet. Therefore, they are subject to change or might be removed in future releases.
object no
features specifies which optional features are enabled for the Gateway. object no
kubernetes defines the configuration for Kubernetes resources provisioned for the Gateway. object no
logging specifies Envoy system logging settings for the Gateway. object no

GatewayParameters.spec.defaults

Field Description Type Required Default Allowed Values
contentSecurity defines the default ContentSecurity configuration for the Gateway. object no unsecured{...} secured{}, unsecured{}
customResponses configures response replacement for the Gateway. object no
downstream defines the downstream configuration for the Gateway. object no
sessionHandlingRef selects the default SessionHandling configuration for the Gateway. object no
telemetryRef selects the default Telemetry configuration (logging, metrics, and tracing) for the Gateway. object no

GatewayParameters.spec.defaults.contentSecurity

Field Description Type Required Default Allowed Values
secured enables WAF processing in general with the default configuration of filter and mutation rules.
This default can be customized on a per-route basis by attaching a ContentSecurityPolicy.
object no {}
unsecured disables all WAF functionality and therefore protection for the upstream applications. object no {}

GatewayParameters.spec.defaults.customResponses

Field Description Type Required Default Allowed Values
local defines a list of rules for customizing direct responses originating from the Gateway itself during its processing (i.e., not from the upstream/backend).

The rules are processed as follows:
  • The first rule (from top to bottom) where the statusCodeCondition matches the local response’s status code determines the custom response to be sent.
  • If no rule matches (or if no local rules are defined), the Gateway will send default responses.
Default error responses, available as text/html, application/json and text/plain (fallback):
  • 401 -> built-in 401 response
  • 403 -> built-in 403 response
  • 404 -> built-in 404 response
  • 429 -> built-in 429 response
  • 4xx -> built-in 400 response (status code preserved for 421, others replaced with 400)
  • 5xx -> built-in 5xx response (status code preserved for 502-504, others replaced with 500)
If you wish to customize all built-in error responses, we recommend at least the following set of rules as a starting point:
local:
  - statusCodeCondition:
      matcher:
        exact: 401
    customResponseRef:
      name: custom-401
  - statusCodeCondition:
      matcher:
        exact: 404
    customResponseRef:
      name: custom-404
  - statusCodeCondition:
      matcher:
        range:
          start: 400
          end: 499
    customResponseRef:
      name: custom-400
  - statusCodeCondition:
      matcher:
        range:
          start: 500
          end: 599
    customResponseRef:
      name: custom-5xx
Examples of local responses sent by the Gateway:
  • 301 | 302 | 303 | 307 | 308 (redirects)
  • 400 (invalid requests, blocked requests, rejected requests due to invalid configuration e.g., invalid OpenAPI spec)
  • 401 (denied by access control, OIDC/JWT authentication errors, token exchange errors)
  • 403 (CSRF protection, wrong scheme)
  • 404 (request does not match any route)
  • 408 (request timeout)
  • 429 (rate limit reached)
  • 500 (invalid route/backend/policy configuration)
  • 502 | 503 (other errors)
  • 504 (backend timeout)
Note: If EnvoyExtensionPolicy is allowed, custom filters may generate arbitrary local responses.
object[] no
upstream defines a list of rules for replacing upstream responses with custom responses.

The rules are processed as follows:
  • The first rule (from top to bottom) where the responseConditions matches the upstream response determines the custom response to be sent.
  • If no rule matches (or if no upstream rules are defined), the unmodified upstream response is forwarded to the client.
object[] no
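The first-match-wins evaluation of the local and upstream rule lists described above, as an added example in Python (not code from the Airlock Microgateway project). It validates matchers the way the Allowed Values column constrains them, and uses the recommended local rule set and the example manifest's upstream rules as data; the `rule` helper is a convenience of this example only.

```python
"""Added example (not the project's code): evaluates customResponses.local and
customResponses.upstream rule lists as the reference describes them."""
from typing import List, Optional

STATUS_MIN, STATUS_MAX = 100, 599  # allowed range for exact, start and end


def validate_matcher(matcher: dict) -> None:
    """Reject matchers the API would reject: exactly one of exact/range, codes within [100, 599]."""
    if ("exact" in matcher) == ("range" in matcher):
        raise ValueError("matcher needs exactly one of 'exact' or 'range'")
    if "exact" in matcher:
        codes = [matcher["exact"]]
    else:
        rng = matcher["range"]
        if "start" not in rng or "end" not in rng:
            raise ValueError("range requires both 'start' and 'end'")
        if rng["start"] > rng["end"]:
            raise ValueError("range start must not exceed end")
        codes = [rng["start"], rng["end"]]
    for code in codes:
        if not STATUS_MIN <= code <= STATUS_MAX:
            raise ValueError(f"status code {code} outside [{STATUS_MIN}, {STATUS_MAX}]")


def matcher_matches(matcher: dict, status: int) -> bool:
    """exact matches one code; range is inclusive on both ends."""
    if "exact" in matcher:
        return status == matcher["exact"]
    rng = matcher["range"]
    return rng["start"] <= status <= rng["end"]


def select_local_response(rules: List[dict], status: int) -> Optional[str]:
    """First rule (top to bottom) whose statusCodeCondition matches wins.
    None means no rule matched and the Gateway sends its built-in response."""
    for rule_entry in rules:
        matcher = rule_entry["statusCodeCondition"]["matcher"]
        validate_matcher(matcher)
        if matcher_matches(matcher, status):
            return rule_entry["customResponseRef"]["name"]
    return None


def select_upstream_response(rules: List[dict], status: int) -> Optional[str]:
    """Same for upstream rules; None means the upstream response is forwarded unmodified."""
    for rule_entry in rules:
        matcher = rule_entry["responseConditions"]["statusCode"]["matcher"]
        validate_matcher(matcher)
        if matcher_matches(matcher, status):
            return rule_entry["customResponseRef"]["name"]
    return None


def rule(matcher: dict, name: str, upstream: bool = False) -> dict:
    """Helper of this example only: build one list entry in the shape the CRD expects."""
    ref = {"customResponseRef": {"name": name}}
    if upstream:
        return {"responseConditions": {"statusCode": {"matcher": matcher}}, **ref}
    return {"statusCodeCondition": {"matcher": matcher}, **ref}


# The recommended starting set of local rules from the reference, as Python data.
LOCAL_RULES = [
    rule({"exact": 401}, "custom-401"),
    rule({"exact": 404}, "custom-404"),
    rule({"range": {"start": 400, "end": 499}}, "custom-400"),
    rule({"range": {"start": 500, "end": 599}}, "custom-5xx"),
]

# Upstream rules taken from the example manifest above.
UPSTREAM_RULES = [
    rule({"range": {"start": 400, "end": 499}}, "upstream-4xx", upstream=True),
    rule({"range": {"start": 500, "end": 599}}, "upstream-5xx", upstream=True),
]

if __name__ == "__main__":
    for code in (302, 401, 403, 404, 503):
        print(code, "->", select_local_response(LOCAL_RULES, code))
    # Order matters: with the 4xx range listed first, 401 no longer reaches custom-401.
    print("4xx range first, 401 ->", select_local_response(LOCAL_RULES[2:] + LOCAL_RULES[:2], 401))
```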

GatewayParameters.spec.defaults.customResponses.local[]

Field Description Type Required Default Allowed Values
customResponseRef selects the custom response to send. object yes
statusCodeCondition specifies a condition which the status code of the original local response must satisfy in order for this custom response to be sent. object yes

GatewayParameters.spec.defaults.customResponses.local[].customResponseRef

Field Description Type Required Default Allowed Values
name of the CustomResponse resource string yes

GatewayParameters.spec.defaults.customResponses.local[].statusCodeCondition

Field Description Type Required Default Allowed Values
matcher matches one or more status codes. object yes exact{}, range{}

GatewayParameters.spec.defaults.customResponses.local[].statusCodeCondition.matcher

Field Description Type Required Default Allowed Values
exact matches a specific status code. int32 no [100, 599]
range matches an inclusive range of status codes. object no

GatewayParameters.spec.defaults.customResponses.local[].statusCodeCondition.matcher.range

Field Description Type Required Default Allowed Values
end of the range (inclusive). int32 yes [100, 599]
start of the range (inclusive). int32 yes [100, 599]

GatewayParameters.spec.defaults.customResponses.upstream[]

Field Description Type Required Default Allowed Values
customResponseRef selects the custom response to send. object yes
responseConditions specifies conditions which the upstream response must all satisfy in order for this custom response to be sent. object yes

GatewayParameters.spec.defaults.customResponses.upstream[].customResponseRef

Field Description Type Required Default Allowed Values
name of the CustomResponse resource string yes

GatewayParameters.spec.defaults.customResponses.upstream[].responseConditions

Field Description Type Required Default Allowed Values
statusCode specifies a condition on the original upstream response’s status code. object yes

GatewayParameters.spec.defaults.customResponses.upstream[].responseConditions.statusCode

Field Description Type Required Default Allowed Values
matcher matches one or more status codes. object yes exact{}, range{}

GatewayParameters.spec.defaults.customResponses.upstream[].responseConditions.statusCode.matcher

Field Description Type Required Default Allowed Values
exact matches a specific status code. int32 no [100, 599]
range matches an inclusive range of status codes. object no

GatewayParameters.spec.defaults.customResponses.upstream[].responseConditions.statusCode.matcher.range

Field Description Type Required Default Allowed Values
end of the range (inclusive). int32 yes [100, 599]
start of the range (inclusive). int32 yes [100, 599]

GatewayParameters.spec.defaults.downstream

Field Description Type Required Default Allowed Values
remoteIP defines how the remote IP of a client is propagated.
Default: connectionIP: {…}
object no connectionIP{...} connectionIP{}, customHeader{}, proxyProtocol{}, xff{}

GatewayParameters.spec.defaults.downstream.remoteIP

Field Description Type Required Default Allowed Values
connectionIP uses the source IP address of the direct downstream connection. object no {}
customHeader uses a custom header for remote IP extraction. object no
proxyProtocol uses the proxy protocol connection header for IP extraction. The proxy protocol adds a header to TCP connections to preserve the client’s IP address.
For more details, refer to the protocol specification.
Note: When this field is set, all incoming connections must use the proxy protocol; otherwise the connection is closed.
object no
xff uses the standard ‘X-Forwarded-For’ header for IP extraction. object no numTrustedHops{...} numTrustedHops{}, trustedCIDRRanges{}

GatewayParameters.spec.defaults.downstream.remoteIP.customHeader

Field Description Type Required Default Allowed Values
headerName specifies the name of the custom header containing the remote IP. string yes
required specifies whether the custom header is required. If true and the header is not present, the request is rejected with 403. bool no true true, false

GatewayParameters.spec.defaults.downstream.remoteIP.proxyProtocol

Field Description Type Required Default Allowed Values
version specifies the version of the proxy protocol. If unspecified, all versions are accepted. enum no V1, V2

GatewayParameters.spec.defaults.downstream.remoteIP.xff

Field Description Type Required Default Allowed Values
numTrustedHops specifies to extract the client’s originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry.
Only one of numTrustedHops and trustedCIDRRanges can be set.
Default: 1
int32 no 1 [1, 2147483647]
trustedCIDRRanges specifies the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28 to trust when evaluating the remote IP address to determine the original client’s IP address. When the remote IP address matches a trusted CIDR and the X-Forwarded-For header was sent, each entry in the X-Forwarded-For header is evaluated from right to left and the first non-trusted address is used as the original client address. If all addresses in X-Forwarded-For are within the trusted list, the first (leftmost) entry is used.
Only one of numTrustedHops and trustedCIDRRanges can be set.
string[] no
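The two X-Forwarded-For strategies of the xff block, as an added example in Python (not code from the Airlock Microgateway project). It follows the numTrustedHops and trustedCIDRRanges descriptions above and enforces the rule that only one of them may be set; the fallback to the connection IP when the header has fewer entries than hops is an assumption, since the reference does not cover that case, and the addresses in the scenario are constructed.

```python
"""Added example (not the project's code): remote IP extraction from
X-Forwarded-For with numTrustedHops versus trustedCIDRRanges."""
import ipaddress
from typing import List, Optional


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into its entries, leftmost (oldest) first."""
    if not header:
        return []
    return [entry.strip() for entry in header.split(",") if entry.strip()]


def client_ip_num_trusted_hops(connection_ip: str, xff: Optional[str], num_trusted_hops: int = 1) -> str:
    """numTrustedHops strategy: take the nth rightmost X-Forwarded-For entry
    (1, the default, is the rightmost). If the header is missing or has fewer
    entries than hops, fall back to the connection IP (assumption of this
    example; the reference does not say what happens in that case)."""
    if num_trusted_hops < 1:
        raise ValueError("numTrustedHops must be at least 1")
    entries = parse_xff(xff)
    if len(entries) < num_trusted_hops:
        return connection_ip
    return entries[-num_trusted_hops]


def client_ip_trusted_cidrs(connection_ip: str, xff: Optional[str], trusted_cidrs: List[str]) -> str:
    """trustedCIDRRanges strategy as the reference describes it: only when the
    connection IP lies in a trusted range and the header was sent, walk the
    entries from right to left and return the first one outside the trusted
    ranges; if every entry is trusted, return the leftmost entry."""
    networks = [ipaddress.ip_network(cidr, strict=False) for cidr in trusted_cidrs]

    def trusted(addr: str) -> bool:
        # ipaddress.ip_address raises ValueError on a malformed entry, which rejects the request
        return any(ipaddress.ip_address(addr) in net for net in networks)

    entries = parse_xff(xff)
    if not entries or not trusted(connection_ip):
        return connection_ip
    for entry in reversed(entries):
        if not trusted(entry):
            return entry
    return entries[0]


def resolve_remote_ip(xff_config: dict, connection_ip: str, xff: Optional[str]) -> str:
    """Dispatch on an xff{} block as written in GatewayParameters and enforce the
    'only one of numTrustedHops and trustedCIDRRanges' rule from the reference."""
    has_hops = "numTrustedHops" in xff_config
    has_cidrs = "trustedCIDRRanges" in xff_config
    if has_hops and has_cidrs:
        raise ValueError("only one of numTrustedHops and trustedCIDRRanges can be set")
    if has_cidrs:
        return client_ip_trusted_cidrs(connection_ip, xff, xff_config["trustedCIDRRanges"])
    return client_ip_num_trusted_hops(connection_ip, xff, xff_config.get("numTrustedHops", 1))


# Constructed scenario: the real client 198.51.100.7 sent its own X-Forwarded-For
# header claiming 203.0.113.9; the load balancer 10.0.0.5 appended the client's
# address and opened the connection to the Gateway.
LB_CONNECTION_IP = "10.0.0.5"
XFF_ONE_PROXY = "203.0.113.9, 198.51.100.7"

if __name__ == "__main__":
    print("numTrustedHops=1 :", resolve_remote_ip({"numTrustedHops": 1}, LB_CONNECTION_IP, XFF_ONE_PROXY))
    # Counting one hop more than there are proxies lets the client choose the extracted IP,
    # which undermines every feature that matches on remote IPs.
    print("numTrustedHops=2 :", resolve_remote_ip({"numTrustedHops": 2}, LB_CONNECTION_IP, XFF_ONE_PROXY))
    print("trustedCIDRRanges:", resolve_remote_ip({"trustedCIDRRanges": ["10.0.0.0/8"]}, LB_CONNECTION_IP, XFF_ONE_PROXY))
```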

GatewayParameters.spec.defaults.sessionHandlingRef

Field Description Type Required Default Allowed Values
name of the SessionHandling resource string yes

GatewayParameters.spec.defaults.telemetryRef

Field Description Type Required Default Allowed Values
name of the Telemetry resource string yes

GatewayParameters.spec.experimental

Field Description Type Required Default Allowed Values
tls specifies frontend and backend TLS configuration for the entire Gateway.

Note: If .spec.tls.frontend is specified in the Gateway resource, the frontend configuration here in GatewayParameters will be ignored.
Note: If .spec.tls.backend is specified in the Gateway resource, the backend configuration here in GatewayParameters will be ignored.
object no

GatewayParameters.spec.experimental.tls

Field Description Type Required Default Allowed Values
backend describes the TLS configuration for the Gateway when connecting to backends.

Note: This contains only details for the Gateway as a TLS client and does not imply behavior about how to choose which backend should get a TLS connection. That is determined by the presence of a BackendTLSPolicy. More info: https://gateway-api.sigs.k8s.io/reference/api-types/policy/backendtlspolicy/
Note: If .spec.tls.backend is specified in the Gateway resource, this field will be ignored.
object no
frontend describes the TLS configuration when a client connects to the Gateway.

Note: If .spec.tls.frontend is specified in the Gateway resource, this field will be ignored.
object no

GatewayParameters.spec.experimental.tls.backend

Field Description Type Required Default Allowed Values
clientCertificateRef is a reference to an object that contains a client certificate under the key ‘tls.crt’ and the associated private key under the key ‘tls.key’.
It can reference the standard Kubernetes Secret resource of type ‘kubernetes.io/tls’.
object no

GatewayParameters.spec.experimental.tls.backend.clientCertificateRef

Field Description Type Required Default Allowed Values
group is the group of the referent. For example, “gateway.networking.k8s.io”.
When unspecified or empty string, core API group is inferred.
string no ""
kind is the kind of the referent. For example “Secret”. string no Secret
name is the name of the referent. string yes
namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
string no

GatewayParameters.spec.experimental.tls.frontend

Field Description Type Required Default Allowed Values
default specifies the default client certificate validation configuration for all Listeners handling HTTPS traffic, unless a per-port configuration is defined. object yes
perPort specifies the TLS configuration assigned per port.
Once set, this configuration overrides the default configuration for all Listeners handling HTTPS traffic that match this port.
Each override port requires a unique TLS configuration.
object[] no

GatewayParameters.spec.experimental.tls.frontend.default

Field Description Type Required Default Allowed Values
validation holds configuration information for validating the frontend (client).
Setting this field will result in mutual authentication when connecting to the Gateway.
In browsers this may result in a dialog appearing that requests a user to specify the client certificate.
object no

GatewayParameters.spec.experimental.tls.frontend.default.validation

Field Description Type Required Default Allowed Values
caCertificateRefs contains one or more references to Kubernetes objects (ConfigMap or Secret) that contain TLS certificates of the Certificate Authorities (CA) that can be used as a trust anchor to validate the certificates presented by the client.

The CA certificate must be in a key named ‘ca.crt’.

References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached.
object[] yes
mode defines the mode for validating the client certificate.
There are two possible modes:
  • AllowValidOnly: In this mode, the Gateway will accept connections only if the client presents a valid certificate. This certificate must successfully pass validation against the CA certificates specified in CACertificateRefs.
  • AllowInsecureFallback: In this mode, the Gateway will accept connections even if the client certificate is not presented or fails verification.
This approach delegates client authorization to the backend and introduces a significant security risk. It should be used in testing environments or on a temporary basis in non-testing environments.
enum no AllowValidOnly AllowInsecureFallback, AllowValidOnly

GatewayParameters.spec.experimental.tls.frontend.default.validation.caCertificateRefs[]

Field Description Type Required Default Allowed Values
group is the group of the referent. For example, “gateway.networking.k8s.io”.
When set to the empty string, core API group is inferred.
string yes
kind is the kind of the referent. For example “ConfigMap” or “Service”. string yes
name is the name of the referent. string yes
namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
string no

GatewayParameters.spec.experimental.tls.frontend.perPort[]

Field Description Type Required Default Allowed Values
port indicates the Port Number to which the TLS configuration will be applied.
This configuration will be applied to all Listeners handling HTTPS traffic that match this port.
int64 yes [1, 65535]
tls stores the configuration that will be applied to all Listeners handling HTTPS traffic and matching the given port. object yes

GatewayParameters.spec.experimental.tls.frontend.perPort[].tls

Field Description Type Required Default Allowed Values
validation holds configuration information for validating the frontend (client).
Setting this field will result in mutual authentication when connecting to the Gateway.
In browsers this may result in a dialog appearing that requests a user to specify the client certificate.
object no

GatewayParameters.spec.experimental.tls.frontend.perPort[].tls.validation

Field Description Type Required Default Allowed Values
caCertificateRefs contains one or more references to Kubernetes objects (ConfigMap or Secret) that contain TLS certificates of the Certificate Authorities (CA) that can be used as a trust anchor to validate the certificates presented by the client.

The CA certificate must be in a key named ‘ca.crt’.

References to a resource in a different namespace are invalid UNLESS there is a ReferenceGrant in the target namespace that allows the certificate to be attached.
object[] yes
mode defines the mode for validating the client certificate.
There are two possible modes:
  • AllowValidOnly: In this mode, the Gateway will accept connections only if the client presents a valid certificate. This certificate must successfully pass validation against the CA certificates specified in CACertificateRefs.
  • AllowInsecureFallback: In this mode, the Gateway will accept connections even if the client certificate is not presented or fails verification.
This approach delegates client authorization to the backend and introduces a significant security risk. It should be used in testing environments or on a temporary basis in non-testing environments.
enum no AllowValidOnly AllowInsecureFallback, AllowValidOnly

GatewayParameters.spec.experimental.tls.frontend.perPort[].tls.validation.caCertificateRefs[]

Field Description Type Required Default Allowed Values
group is the group of the referent. For example, “gateway.networking.k8s.io”.
When set to the empty string, core API group is inferred.
string yes
kind is the kind of the referent. For example “ConfigMap” or “Service”. string yes
name is the name of the referent. string yes
namespace is the namespace of the referenced object. When unspecified, the local namespace is inferred.

Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.
string no

GatewayParameters.spec.features

Field Description Type Required Default Allowed Values
envoyExtensionPolicyEnabled specifies whether the controller processes EnvoyExtensionPolicy resources for HTTPRoutes attached to the Gateway.
Use EnvoyExtensionPolicy only if the features of Airlock Microgateway and Kubernetes Gateway API do not provide this functionality. If you identify missing features or use cases, please report them to help improve our product.
Note: Invalid or malformed Envoy configurations may prevent the Gateway’s configuration from being updated.
bool no false true, false
externalNameServicesAllowed specifies whether the controller allows Kubernetes Services of type ExternalName to be used as backend references. This setting is disabled by default due to security concerns (CVE-2021-25740).
Allowing ExternalName services may enable workloads to send traffic to destinations they would not otherwise have access to, potentially enabling confused deputy attacks (CVE-2021-25740) and weakening namespace isolation.
Because ExternalName services can reference arbitrary CNAME DNS records, they may also redirect traffic to unintended external targets.
Enable this option with caution. To mitigate risks, ensure TLS validation is enforced for all backends, use trusted DNS resolvers, apply appropriate NetworkPolicies, and separate Gateways serving internal and external traffic.
bool no false true, false
httpRouteRegexPathMatchEnabled specifies whether HTTPRoutes are accepted when using path matching of type RegularExpression.
Google’s RE2 regex engine is used.
Path matching precedence order (from highest to lowest priority):
  1. Exact
  2. RegularExpression (if enabled)
  3. PathPrefix with largest number of characters
The precedence of RegularExpression path matches is determined by the order in which they are defined within a HTTPRoute.
If multiple applicable HTTPRoutes exist, the precedence is determined by the following criteria, in order:
  1. The oldest Route based on creation timestamp
  2. The Route appearing first in alphabetical order by “{namespace}/{name}”
bool no false true, false
insecureTLSAllowed specifies whether the Gateway accepts BackendTLSPolicies that disable certificate validation. Allowing insecure TLS may expose the Gateway to man-in-the-middle attacks and other vulnerabilities.
THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING.
bool no false true, false
unrestrictedEnvoyAdminInterface specifies whether the Gateway exposes all paths of the Envoy admin interface.
By default, access is restricted to a minimal set of read-only endpoints. The admin interface can expose sensitive configuration and operational endpoints (e.g., modifying runtime settings, draining listeners, or retrieving secrets), which may be abused if reachable from untrusted networks.
Enable this option with caution and only for testing or debugging purposes.
bool no false true, false
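The path-match precedence described for httpRouteRegexPathMatchEnabled, as an added example in Python (not code from the Airlock Microgateway project) that can be run against constructed HTTPRoutes with the feature on and off. The element-wise PathPrefix semantics are taken from the Gateway API specification, Python's re stands in for RE2 on these simple patterns, and how RegularExpression matches from different routes rank against each other is not spelled out above: the code orders them by definition index first and then by route age, which is an assumption.

```python
"""Added example (not the project's code): HTTPRoute path-match precedence with
RegularExpression matching enabled or disabled."""
import re
from typing import List, Optional, Tuple


class PathMatch:
    """One path match of an HTTPRoute rule; kind is Exact, PathPrefix or RegularExpression."""

    def __init__(self, kind: str, value: str):
        if kind not in ("Exact", "PathPrefix", "RegularExpression"):
            raise ValueError(f"unknown path match type {kind}")
        self.kind, self.value = kind, value

    def matches(self, path: str) -> bool:
        if self.kind == "Exact":
            return path == self.value
        if self.kind == "PathPrefix":
            # Gateway API prefix matching works on path elements: /api matches /api and
            # /api/x but not /apix (from the Gateway API spec, not stated on this page).
            prefix = self.value.rstrip("/")
            return prefix == "" or path == prefix or path.startswith(prefix + "/")
        # Python's re stands in for RE2 here; both agree on the simple patterns used below.
        return re.fullmatch(self.value, path) is not None


class HTTPRoute:
    """Constructed stand-in for an HTTPRoute: identity, creation order and its path matches."""

    def __init__(self, namespace: str, name: str, created: int, matches: List[PathMatch]):
        self.namespace, self.name, self.created, self.matches = namespace, name, created, matches

    def uses_regex(self) -> bool:
        return any(m.kind == "RegularExpression" for m in self.matches)


def select_route(routes: List[HTTPRoute], path: str, regex_enabled: bool = False) -> Optional[Tuple[str, str]]:
    """Return ("namespace/name", match kind) of the winning route for path, or None.

    Precedence follows the reference: Exact, then RegularExpression (definition
    order within the route), then the PathPrefix with the most characters; ties
    between routes go to the oldest creation timestamp, then to "{namespace}/{name}".
    """
    candidates = []
    for route in routes:
        if route.uses_regex() and not regex_enabled:
            continue  # a route using RegularExpression matches is not accepted while disabled
        for index, m in enumerate(route.matches):
            if not m.matches(path):
                continue
            if m.kind == "Exact":
                rank = (0, 0)
            elif m.kind == "RegularExpression":
                rank = (1, index)  # assumption: index before route age across routes
            else:
                rank = (2, -len(m.value))
            candidates.append((rank, route.created, f"{route.namespace}/{route.name}", m.kind))
    if not candidates:
        return None
    _rank, _created, ref, kind = min(candidates)
    return ref, kind


# Constructed routes; created is a creation-timestamp stand-in (smaller is older).
SAMPLE_ROUTES = [
    HTTPRoute("shop", "catalog", 100, [PathMatch("PathPrefix", "/api"),
                                       PathMatch("RegularExpression", r"/api/items/[0-9]+")]),
    HTTPRoute("shop", "admin", 200, [PathMatch("Exact", "/api/items/42"),
                                     PathMatch("PathPrefix", "/api/items")]),
    HTTPRoute("shop", "legacy", 50, [PathMatch("PathPrefix", "/api")]),
]

if __name__ == "__main__":
    for enabled in (False, True):
        for path in ("/api/items/42", "/api/items/7", "/api/other", "/health"):
            print(f"regex={enabled!s:5} {path:14} -> {select_route(SAMPLE_ROUTES, path, enabled)}")
```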

GatewayParameters.spec.kubernetes

Field Description Type Required Default Allowed Values
deployment configures the Kubernetes Deployment provisioned for the Gateway. object no
service configures the Kubernetes Service provisioned for the Gateway. object no

GatewayParameters.spec.kubernetes.deployment

Field Description Type Required Default Allowed Values
automountServiceAccountToken configures whether a service account token should be automatically mounted. Set this to true only if a sidecar that requires a service account token (e.g., OpenShift ServiceMesh) is injected to the Gateway Deployment. bool no false true, false
engineContainer configures the container running the Airlock Microgateway Engine. object no
imagePullSecrets configures the list of references to secrets in the same namespace, which will be used in the Gateway deployment for pulling any of the images.
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
LocalObjectReference[] no
placement configures scheduling of the Airlock Microgateway Engine pod. object no
replicas sets the number of Gateway Deployment replicas.
If undefined, the number of replicas either defaults to 1 and is managed by the Kubernetes control plane, or is managed by a HorizontalPodAutoscaler (HPA) targeting the Gateway deployment.
int32 no [1, 2147483647]
strategy configures the deployment strategy which is used to replace existing Airlock Microgateway Engine pods with new ones.
If undefined, default settings (RollingUpdate) are applied.
DeploymentStrategy no
volumes specifies the list of Kubernetes Volumes that can be mounted by the EngineContainer belonging to the Gateway deployment. Volume[] no

GatewayParameters.spec.kubernetes.deployment.engineContainer

Field Description Type Required Default Allowed Values
resources specifies the compute resources required for this container.
If undefined, default resource settings are applied: {"requests":{"cpu":"100m","memory":"256Mi"}}.
Setting this field overrides the defaults entirely, values are not merged.
See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for details.
ResourceRequirements no
securityContext specifies the security configuration that will be applied to the EngineContainer. object no
volumeMounts specifies the list of volumes to mount into the EngineContainer’s filesystem. Volume[] no

GatewayParameters.spec.kubernetes.deployment.engineContainer.securityContext

Field Description Type Required Default Allowed Values
capabilities specifies the set of POSIX capabilities of the EngineContainer.
All capabilities are dropped by default.
object no

GatewayParameters.spec.kubernetes.deployment.engineContainer.securityContext.capabilities

Field Description Type Required Default Allowed Values
add specifies the POSIX capabilities that should be granted to the EngineContainer.
Since all capabilities are dropped first, this list represents the full set of capabilities the container will run with.
Capabilities[] no

GatewayParameters.spec.kubernetes.deployment.placement

Field Description Type Required Default Allowed Values
affinity specifies affinity and anti-affinity rules for the Airlock Microgateway Engine pods. Affinity no
nodeSelector is a selector which must be true for the Airlock Microgateway Engine pods to fit on a node. map[string]string no
tolerations allows scheduling of Airlock Microgateway Engine pods on tainted nodes. Toleration[] no
topologySpreadConstraints describes how the Airlock Microgateway Engine pods ought to spread across topology domains (e.g., nodes, zones).
If the label selector of the constraints is undefined, the label selector of the deployment will be used instead.
TopologySpreadConstraint[] no

GatewayParameters.spec.kubernetes.service

Field Description Type Required Default Allowed Values
allocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer.
If undefined, the default is true. It may be set to false if the cluster load-balancer does not rely on NodePorts.
bool no true, false
annotations specifies additional annotations for the Service, e.g., for configuring cloud LoadBalancers. map[string]string no
externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, and LoadBalancer IPs).

Meaning of the possible values:
  • Local: preserves the source IP of the traffic by routing only to endpoints on the same node as the traffic was received on (dropping the traffic if there are no local endpoints).
  • Cluster: routes traffic to all endpoints. Be aware that this may break client IP detection and dependent features (e.g., deny rule exceptions or access control policies with request conditions matching remote IPs).
If undefined, the Local policy is applied.
ServiceExternalTrafficPolicy no Cluster, Local
loadBalancerClass describes which load balancer implementation is responsible for this Service.
If undefined, the default load balancer implementation is used (typically provided by the cloud provider).

Note: This field is immutable once the service type is LoadBalancer (which it is by default). To set loadBalancerClass, ensure that the GatewayParameters configuring a loadBalancerClass are already referenced by the Gateway during its initial creation.
If possible, it is recommended to avoid setting loadBalancerClass and configuring the LoadBalancer over annotations instead.

WARNING:
  • Changing loadBalancerClass once the Gateway has already been created is only possible by temporarily switching the service type to ClusterIP or NodePort and then switching it back to LoadBalancer while simultaneously configuring a loadBalancerClass. THIS MAY RESULT IN A CHANGE IN THE LOAD BALANCER IP / TRAFFIC DISRUPTION.
  • Any other way of changing loadBalancerClass (e.g., by removing or adding a GatewayParameters reference with loadBalancerClass configured to an already running Gateway) is not supported and may lead to reconciliation errors.
string no
sessionAffinity describes how client requests are associated with service endpoints.

Meaning of the possible values:
  • ClientIP: ensures that requests from the same client IP address are routed to the same endpoint.
  • None: disables session affinity, allowing requests to be routed to any available endpoint.
If undefined, sessionAffinity defaults to None.
ServiceAffinity no ClientIP, None
sessionAffinityConfig contains the configurations of session affinity. ServiceAffinityConfig no
trafficDistribution offers a way to express preferences for how traffic is distributed to Service endpoints.
If undefined, default routing is applied.
enum no PreferClose, PreferSameNode, PreferSameZone
type specifies how the Service of the Gateway is exposed. ServiceType no LoadBalancer ClusterIP, LoadBalancer, NodePort

GatewayParameters.spec.logging

Field Description Type Required Default Allowed Values
level specifies the logging level for the Envoy system logs of the Airlock Microgateway Engine. enum no info off, critical, error, warn, info, debug, trace