© 2025 Direct Cursus Technology L.L.C.
In this article:

  • Cheatsheet
  • GatewayPolicySpec
  • LocalObjectReference
  • LabelSelector
  • LabelSelectorRequirement
  • Gateway
  • AutoScalePolicy
  • BalancerZone
  • LogOptions
  • LogDiscardRule
  • GatewayListener
  • Listener
  • ListenerHTTP
  • HTTPProtocolSettings
  • HTTP2Options
  • ListenerStream
  • RouteOptions
  • RBAC
  • Principal
  • HeaderPrincipal
  • IPPrincipal
  • GatewayPolicyStatus

GatewayPolicy

Written by
Yandex Cloud
Updated at October 30, 2025

GatewayPolicy is a Gwin custom resource for configuring gateway-level policies in Yandex Application Load Balancer. It allows you to define load balancer settings, logging configuration, autoscaling, listener settings, and HTTP router options that apply to Gateway resources.


Cheatsheet

Note

The specification below is not a valid configuration. It only demonstrates every GatewayPolicy field; some of the fields shown together are alternatives to each other.

```yaml
apiVersion: gwin.yandex.cloud/v1
kind: GatewayPolicy
metadata:
  name: example-gateway-policy
  namespace: example-ns
spec:
  # Target Gateway resources by name...
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example-gateway
  # ...or select them by label
  selector:
    matchLabels:
      app: my-gateway
    matchExpressions:
      - key: environment
        operator: In
        values: ["production", "staging"]
  # Gateway policy configuration
  policy:
    # Load balancer placement and network access
    subnets: ["subnet-id-1", "subnet-id-2"]  # subnets of the zones the balancer is placed in
    securityGroups: ["sg-id-1", "sg-id-2"]  # security groups attached to the balancer
    allowZonalShift: true  # let the balancer take part in zonal shift

    # Cloud Logging
    logs:
      logGroupID: "log-group-id-1"  # where access logs are sent
      disable: false  # false keeps logging on
      discardRule:
        rule1:  # user-defined rule ID
          httpCodes: [404, 500]  # do not log these status codes
          httpCodeIntervals: ["HTTP_4XX", "HTTP_5XX"]  # do not log these status-code ranges
          grpcCodes: ["INTERNAL", "UNIMPLEMENTED"]  # do not log these gRPC codes
          discardPercent: 10  # discard 10% (0 = keep all, 100 = discard all)

    # Autoscaling of the balancer's resource units
    autoScale:
      minZoneSize: 2  # min resource units per zone (2 is the minimum)
      maxSize: 10  # max resource units in total; 0 = no upper limit

    # Zone traffic control
    zone:
      ru-central1-a:
        receiveTraffic: false  # do not serve traffic from this zone
      ru-central1-b:
        receiveTraffic: true  # serve traffic from this zone

    # Common listener configuration (applies to every listener)
    listeners:
      http:
        protocolSettings:
          allowHTTP10: true  # accept HTTP/1.0 and HTTP/1.1; this turns HTTP/2 off
          http2Options:
            maxConcurrentStreams: 100  # max HTTP/2 streams per connection
      stream:
        idleTimeout: "300s"  # close connections idle for this long
      # HTTP router options: RBAC access control
      rbac:
        action: "ALLOW"  # ALLOW: only matching requests pass; DENY: matching requests are rejected
        principals:
          admin:  # principal group: every principal in it must match (AND); groups are OR-ed
            check-token:  # principal name
              header:
                name: "X-Api-Token"
                exact: "admin123"  # placeholder; a real token is a secret, not a literal in a manifest
            check-ip:
              ip:
                remoteIp: "10.0.0.0/8"

    # Per-listener configuration, keyed by listener name
    listener:
      http-listener:
        http:
          protocolSettings:
            allowHTTP10: true  # per-listener HTTP setting
      stream-listener:
        stream:
          idleTimeout: "300s"  # per-listener timeout
status:
  conditions:
    - type: "Ready"
      status: "True"
      reason: "PolicyApplied"
  attachedGateways: 2
```
| Field | Type | Description |
|---|---|---|
| metadata | ObjectMeta | Standard Kubernetes metadata. |
| spec | GatewayPolicySpec | Gateway policy specification. |
| status | GatewayPolicyStatus | Gateway policy status. |
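The note above says the cheatsheet is not a valid configuration. The following Python lint, added here and not part of Gwin or Yandex Cloud, shows why: it walks an already-parsed GatewayPolicy manifest (the dict PyYAML's safe_load would return; a trimmed copy of the cheatsheet is embedded as constructed sample input) and checks the constraints this reference states (minZoneSize is at least 2, discardPercent lies in 0..100, rbac.action is ALLOW or DENY, allowHTTP10 turns HTTP/2 off so http2Options beside it is contradictory) together with rules that are this lint's own policy rather than Gwin's: treating targetRefs and selector as alternatives, rejecting empty principal groups and header principals with several matchers, and warning about missing security groups, disabled or 4xx/5xx-discarding access logs, and credentials matched by exact value. The names ERROR, WARN, lint_gateway_policy and CHEATSHEET are this example's own.

```python
"""Pre-apply lint for a Gwin GatewayPolicy manifest (editor's example, not Gwin code).

Page-stated constraints: minZoneSize >= 2, discardPercent in 0..100,
rbac.action in {ALLOW, DENY}, allowHTTP10 disables HTTP/2. Everything
tagged "lint policy" below is this lint's own rule, not Gwin's.
"""
ERROR, WARN = "error", "warn"


def _check_listener(path, cfg, out):
    """Checks shared by `listeners` (common) and each `listener.<name>` entry."""
    proto = cfg.get("http", {}).get("protocolSettings", {})
    if proto.get("allowHTTP10") and "http2Options" in proto:
        out.append((ERROR, f"{path}.http.protocolSettings",
                    "allowHTTP10 disables HTTP/2, so http2Options beside it is contradictory"))
    rbac = cfg.get("rbac")
    if not rbac:
        return
    if rbac.get("action") not in ("ALLOW", "DENY"):
        out.append((ERROR, f"{path}.rbac.action", "must be ALLOW or DENY"))
    for gname, group in rbac.get("principals", {}).items():
        gpath = f"{path}.rbac.principals.{gname}"
        if not group:  # lint policy: an empty AND-group is ambiguous, reject it
            out.append((ERROR, gpath, "empty principal group"))
        for pname, principal in group.items():
            hdr = principal.get("header", {})
            if hdr and len(set(hdr) & {"exact", "prefix", "regex"}) != 1:  # lint policy
                out.append((ERROR, f"{gpath}.{pname}",
                            "header principal needs exactly one of exact/prefix/regex"))
            credential_like = any(w in hdr.get("name", "").lower() for w in ("token", "auth", "key"))
            if "exact" in hdr and credential_like:  # lint policy
                out.append((WARN, f"{gpath}.{pname}",
                            "exact match on a credential header stores the secret in the manifest"))


def lint_gateway_policy(manifest):
    """Return (severity, path, message) findings; an empty list means clean."""
    out = []
    spec = manifest.get("spec", {})
    policy = spec.get("policy", {})
    if spec.get("targetRefs") and spec.get("selector"):  # lint policy
        out.append((ERROR, "spec", "targetRefs and selector are alternatives; set only one"))
    if not spec.get("targetRefs") and not spec.get("selector"):
        out.append((ERROR, "spec", "policy attaches to no Gateway: set targetRefs or selector"))
    if not policy.get("securityGroups"):  # lint policy
        out.append((WARN, "spec.policy.securityGroups", "no security groups set on the balancer"))
    if policy.get("autoScale", {}).get("minZoneSize", 2) < 2:
        out.append((ERROR, "spec.policy.autoScale.minZoneSize", "minimum value is 2"))
    logs = policy.get("logs", {})
    if logs.get("disable"):  # lint policy
        out.append((WARN, "spec.policy.logs.disable", "access logging is switched off"))
    for rid, rule in logs.get("discardRule", {}).items():
        rpath = f"spec.policy.logs.discardRule.{rid}"
        pct = rule.get("discardPercent")
        if pct is not None and not 0 <= pct <= 100:
            out.append((ERROR, rpath, "discardPercent must be within 0..100"))
        error_ranges = set(rule.get("httpCodeIntervals", [])) & {"HTTP_4XX", "HTTP_5XX"}
        if error_ranges or any(c >= 400 for c in rule.get("httpCodes", [])):  # lint policy
            out.append((WARN, rpath, "discards 4xx/5xx entries that detection and IR depend on"))
    if "listeners" in policy:
        _check_listener("spec.policy.listeners", policy["listeners"], out)
    for name, cfg in policy.get("listener", {}).items():
        _check_listener(f"spec.policy.listener.{name}", cfg, out)
    return out


# Constructed sample input: a trimmed copy of the page's cheatsheet.
CHEATSHEET = {
    "spec": {
        "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "Gateway", "name": "example-gateway"}],
        "selector": {"matchLabels": {"app": "my-gateway"}},
        "policy": {
            "securityGroups": ["sg-id-1", "sg-id-2"],
            "autoScale": {"minZoneSize": 2, "maxSize": 10},
            "logs": {"discardRule": {"rule1": {"httpCodes": [404, 500],
                                              "httpCodeIntervals": ["HTTP_4XX", "HTTP_5XX"],
                                              "discardPercent": 10}}},
            "listeners": {
                "http": {"protocolSettings": {"allowHTTP10": True,
                                              "http2Options": {"maxConcurrentStreams": 100}}},
                "rbac": {"action": "ALLOW", "principals": {"admin": {
                    "check-token": {"header": {"name": "X-Api-Token", "exact": "admin123"}},
                    "check-ip": {"ip": {"remoteIp": "10.0.0.0/8"}}}}},
            },
            "listener": {"http-listener": {"http": {"protocolSettings": {"allowHTTP10": True}}}},
        },
    },
}

if __name__ == "__main__":
    for severity, path, message in lint_gateway_policy(CHEATSHEET):
        print(f"{severity:5} {path}: {message}")
```

Run against the embedded cheatsheet it reports two errors (targetRefs beside selector, allowHTTP10 beside http2Options) and two warnings (the discard rule drops 4xx/5xx, the X-Api-Token exact match is a cleartext shared secret); a policy with only targetRefs and security groups set comes back clean.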

GatewayPolicySpec

GatewayPolicySpec defines the desired state of GatewayPolicy.

Appears in: GatewayPolicy

| Field | Type | Description |
|---|---|---|
| targetRefs | []LocalObjectReference | References to the Gateway resources this policy applies to. |
| selector | LabelSelector | Label selector for the Gateway resources this policy applies to. |
| policy | Gateway | Gateway policy configuration. |

LocalObjectReference

Reference to a Kubernetes resource in the same namespace.

Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| group | string | API group of the referenced resource. Example: gateway.networking.k8s.io |
| kind | string | Kind of the referenced resource. Example: Gateway |
| name | string | Name of the referenced resource. Example: my-gateway |

LabelSelector

Label-based selection criteria for resources.

Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| matchLabels | map[string]string | Simple label matching requirements. Example: app: my-app |
| matchExpressions | []LabelSelectorRequirement | Advanced label matching expressions. |

LabelSelectorRequirement

Advanced label matching expression with an operator and values.

Appears in: LabelSelector

| Field | Type | Description |
|---|---|---|
| key | string | Label key to match. Example: app |
| operator | string | Matching operator. Example: In, NotIn, Exists. |
| values | []string | Values to match against. Example: ["my-app"] |

Gateway

Gateway policy configuration that applies to load balancer and listener settings.

Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| subnets | []string | Subnets of the zones where the load balancer will be instantiated. Example: ["subnet-id-1", "subnet-id-2"] |
| securityGroups | []string | Security groups of the load balancer. Example: ["sg-id-1", "sg-id-2"] |
| logs | LogOptions | Cloud Logging settings of the application load balancer. |
| autoScale | AutoScalePolicy | Autoscaling settings of the application load balancer. |
| zone | map[string]BalancerZone | Zone-specific traffic control settings, keyed by availability zone ID. |
| allowZonalShift | bool | Specifies whether the application load balancer can take part in zonal shift. Example: true |
| listener | map[string]GatewayListener | Per-listener configuration, keyed by listener name. |
| listeners | GatewayListener | Common listener configuration applied to all listeners. |

AutoScalePolicy

Scaling settings of the application load balancer. They apply to a special internal instance group that does the balancer's work; instances in this group are called resource units.

Appears in: Gateway

| Field | Type | Description |
|---|---|---|
| minZoneSize | int | Lower limit for the number of resource units in each availability zone. The minimum value is 2. Example: 2 |
| maxSize | int | Upper limit for the total number of resource units across all availability zones. If the value is 0, there is no upper limit. Example: 10 |

BalancerZone

Zone-specific traffic control settings.

Appears in: Gateway

| Field | Type | Description |
|---|---|---|
| receiveTraffic | bool | Whether the load balancer node in this availability zone receives traffic. Example: true |

LogOptions

Cloud Logging settings of the application load balancer.

Appears in: Gateway

| Field | Type | Description |
|---|---|---|
| logGroupID | string | ID of the Cloud Logging log group that stores the access logs. If not set, logs go to the default log group of the folder the load balancer is in. Example: log-group-id-1 |
| disable | bool | Do not send logs to the Cloud Logging log group. Example: false |
| discardRule | map[string]LogDiscardRule | Log discard rules, keyed by a user-defined rule ID. |

LogDiscardRule

Log discard rule configuration: entries matched by a rule are not written to the log group. Discarding 4xx and 5xx entries removes precisely the records that detection and incident response rely on (authentication failures, scanning, injection attempts, backend errors), so restrict such rules to known-benign noise.

Appears in: LogOptions

| Field | Type | Description |
|---|---|---|
| httpCodes | []int | HTTP status codes whose entries are discarded. Example: [404, 500] |
| httpCodeIntervals | []string | Groups of HTTP status codes, such as 4xx, whose entries are discarded. Example: ["HTTP_4XX", "HTTP_5XX"] |
| grpcCodes | []string | gRPC status codes whose entries are discarded. Example: ["INTERNAL", "UNIMPLEMENTED"] |
| discardPercent | int | Percentage of log entries to discard: 0 keeps all, 100 discards all. Example: 10 |

GatewayListener

Gateway listener configuration that combines listener settings and HTTP router settings.

Appears in: Gateway

| Field | Type | Description |
|---|---|---|
| http | ListenerHTTP | HTTP-specific listener settings. |
| stream | ListenerStream | Stream-specific listener settings. |
| rbac | RBAC | RBAC access control configuration. |

Listener

Listener protocol-specific settings.

Appears in: GatewayListener

| Field | Type | Description |
|---|---|---|
| http | ListenerHTTP | HTTP-specific listener settings. |
| stream | ListenerStream | Stream-specific listener settings. |

ListenerHTTP

HTTP-specific listener settings.

Appears in: Listener

| Field | Type | Description |
|---|---|---|
| protocolSettings | HTTPProtocolSettings | HTTP protocol configuration. |

HTTPProtocolSettings

HTTP protocol configuration settings. Because allowHTTP10 turns HTTP/2 off while http2Options turns it on, setting both on the same listener is contradictory.

Appears in: ListenerHTTP

| Field | Type | Description |
|---|---|---|
| allowHTTP10 | bool | Enables support for incoming HTTP/1.0 and HTTP/1.1 requests and disables it for HTTP/2 requests. Example: true |
| http2Options | HTTP2Options | HTTP/2 settings. If specified, the listener supports incoming HTTP/2 requests. |

HTTP2Options

HTTP/2 protocol options.

Appears in: HTTPProtocolSettings

| Field | Type | Description |
|---|---|---|
| maxConcurrentStreams | int | Maximum number of concurrent HTTP/2 streams in a connection. Example: 100 |

ListenerStream

Stream-specific listener settings.

Appears in: Listener

| Field | Type | Description |
|---|---|---|
| idleTimeout | string | Idle timeout: the duration during which no data is transmitted or received on either the upstream or the downstream connection before the balancer closes it. Example: 300s |

RouteOptions

Route options for security and access control.

Appears in: GatewayListener

| Field | Type | Description |
|---|---|---|
| rbac | RBAC | RBAC access control configuration. |

RBAC

Role-Based Access Control configuration.

Appears in: RouteOptions

| Field | Type | Description |
|---|---|---|
| action | string | The action to take when a principal group matches. Enum: ALLOW, DENY. With ALLOW, a request passes if and only if at least one principal group matches it; every other request is rejected. With DENY, a request is rejected if and only if at least one principal group matches it; every other request passes. Example: ALLOW |
| principals | map[string]map[string]Principal | Principal groups keyed by group name, each a map of principals keyed by principal name. A match occurs when at least one group matches the request; within a group, every principal must match (AND conditions). |

Principal

Principal configuration for RBAC matching.

Appears in: RBAC

| Field | Type | Description |
|---|---|---|
| header | HeaderPrincipal | A header (or pseudo-header such as :path or :method) of the incoming HTTP request. |
| ip | IPPrincipal | A CIDR block or IP address that describes the request's remote (origin) address. |
| any | bool | Match any request. Example: true |

HeaderPrincipal

Header-based principal matching.

Appears in: Principal

| Field | Type | Description |
|---|---|---|
| name | string | The name of the header to match. Example: X-Api-Token |
| regex | string | Regular expression match for the header value. Example: ^admin.* |
| exact | string | Exact match for the header value. An exact match against a credential header puts that secret, in cleartext, into the GatewayPolicy object itself. Example: admin123 |
| prefix | string | Prefix match for the header value. A prefix match only checks the value's shape: prefix Bearer accepts any value that starts with Bearer and does not validate the token that follows. Example: Bearer |

IPPrincipal

IP-based principal matching.

Appears in: Principal

| Field | Type | Description |
|---|---|---|
| remoteIp | string | CIDR block or IP address matched against the address of the peer that opened the connection to the load balancer. When another proxy or CDN sits in front of the balancer, that peer is the proxy, so the principal matches the proxy's address rather than the end client's. Example: 10.0.0.0/8 |
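The RBAC, Principal, HeaderPrincipal and IPPrincipal sections above describe the matching rules. The following Python model, added here and not part of Gwin or Yandex Cloud, evaluates a policy against constructed requests to make the consequences visible: ALLOW denies by default, DENY allows by default, the principals of one group are AND-ed while groups are OR-ed, and prefix: Bearer only checks shape. It reuses the cheatsheet's admin group (X-Api-Token exact match AND 10.0.0.0/8) as sample policy. Whole-value regex matching and the rejection of empty groups or header principals with several matchers are this model's own assumptions, since the page does not specify those cases; Request, header_matches, principal_matches, rbac_allows, ADMIN_RBAC, BEARER_RBAC and demo are this example's names.

```python
"""Model of GatewayPolicy RBAC evaluation (editor's example, not Gwin code):
ALLOW/DENY action, OR across principal groups, AND within a group,
and header/ip/any principals."""
import ipaddress
import re


class Request:
    """Constructed sample request: peer address plus headers (case-insensitive names)."""

    def __init__(self, remote_ip, headers=None):
        self.remote_ip = remote_ip
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


def header_matches(spec, req):
    """HeaderPrincipal: exactly one of exact/prefix/regex against the named header."""
    value = req.headers.get(spec["name"].lower())
    if value is None:
        return False  # a missing header never matches
    matchers = [k for k in ("exact", "prefix", "regex") if k in spec]
    if len(matchers) != 1:  # assumption: the page defines no other combination
        raise ValueError("header principal needs exactly one of exact/prefix/regex")
    kind = matchers[0]
    if kind == "exact":
        return value == spec["exact"]
    if kind == "prefix":
        return value.startswith(spec["prefix"])  # shape check only
    return re.fullmatch(spec["regex"], value) is not None  # assumption: whole-value match


def principal_matches(principal, req):
    """Principal: any, header, or ip (remoteIp is the connecting peer's address)."""
    if principal.get("any"):
        return True
    if "header" in principal:
        return header_matches(principal["header"], req)
    if "ip" in principal:
        net = ipaddress.ip_network(principal["ip"]["remoteIp"], strict=False)
        return ipaddress.ip_address(req.remote_ip) in net
    raise ValueError("principal needs one of any/header/ip")


def rbac_allows(rbac, req):
    """Groups are OR-ed, principals inside a group are AND-ed.
    ALLOW: pass iff some group matches (deny by default).
    DENY: reject iff some group matches (allow by default)."""
    groups = rbac["principals"]
    if any(not g for g in groups.values()):  # assumption: an empty AND-group is invalid
        raise ValueError("empty principal group")  # all() over nothing would match everything
    matched = any(all(principal_matches(p, req) for p in g.values()) for g in groups.values())
    if rbac["action"] == "ALLOW":
        return matched
    if rbac["action"] == "DENY":
        return not matched
    raise ValueError(f"unknown action {rbac['action']!r}")


# Constructed policies: the cheatsheet's admin group and the page's prefix example.
ADMIN_RBAC = {
    "action": "ALLOW",
    "principals": {"admin": {
        "check-token": {"header": {"name": "X-Api-Token", "exact": "admin123"}},
        "check-ip": {"ip": {"remoteIp": "10.0.0.0/8"}},
    }},
}
BEARER_RBAC = {
    "action": "ALLOW",
    "principals": {"has-bearer": {"shape": {"header": {"name": "Authorization", "prefix": "Bearer"}}}},
}


def demo():
    """Evaluate constructed requests; returns {case: allowed?}."""
    inside_ok = Request("10.1.2.3", {"X-Api-Token": "admin123"})
    inside_no_token = Request("10.1.2.3")
    outside_ok_token = Request("192.0.2.10", {"X-Api-Token": "admin123"})
    deny_admin = {"action": "DENY", "principals": ADMIN_RBAC["principals"]}
    return {
        "allow: token and network": rbac_allows(ADMIN_RBAC, inside_ok),
        "allow: network only (AND fails)": rbac_allows(ADMIN_RBAC, inside_no_token),
        "allow: token from outside (AND fails)": rbac_allows(ADMIN_RBAC, outside_ok_token),
        "deny: matching admin is rejected": rbac_allows(deny_admin, inside_ok),
        "deny: non-matching outsider passes": rbac_allows(deny_admin, outside_ok_token),
        # prefix only checks shape: anything after "Bearer" still passes
        "prefix: Bearer garbage": rbac_allows(BEARER_RBAC, Request("203.0.113.5", {"Authorization": "Bearer garbage"})),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{'ALLOWED' if allowed else 'REJECTED':8} {case}")
```

The two cases to take away: under ALLOW a request that satisfies only one principal of the admin group (right network, no token; or right token, wrong network) is rejected, and a Bearer prefix match lets "Bearer garbage" through because the balancer matches the header, not the credential.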

GatewayPolicyStatus

GatewayPolicyStatus defines the observed state of GatewayPolicy.

Appears in: GatewayPolicy

| Field | Type | Description |
|---|---|---|
| conditions | []Condition | Current state conditions of the gateway policy. |
| attachedGateways | int32 | Number of currently attached gateways. |
