RoutePolicy
RoutePolicy is a Gwin custom resource for configuring route-level policies in Yandex Application Load Balancer. It allows you to define backend settings, routing configuration, virtual host options, and security policies that apply to HTTPRoute, GRPCRoute, and TLSRoute resources.
- Cheatsheet
- RoutePolicySpec
- LocalObjectReference
- LabelSelector
- LabelSelectorRequirement
- Route
- RouteRule
- BackendGroup
- Backend
- HTTPBackend
- GRPCBackend
- StreamBackend
- LoadBalancingConfig
- HealthCheck
- HealthcheckHTTP
- HealthcheckGRPC
- HealthcheckStream
- HealthCheckTransportSettings
- BackendTLS
- BackendTLSTrustedCA
- SessionAffinity
- SessionAffinityConnection
- SessionAffinityCookie
- SessionAffinityHeader
- ALBRoute
- RouteALBHTTP
- VirtualHost
- RateLimit
- RateLimitLimit
- RBAC
- AndPrincipals
- Principal
- HeaderPrincipal
- IPPrincipal
- RoutePolicyStatus
Cheatsheet
Note
The specification below is not a valid configuration; it only demonstrates all RoutePolicy fields.
apiVersion: gwin.yandex.cloud/v1
kind: RoutePolicy
metadata:
  name: example-route-policy
  namespace: example-ns
spec:
  # Target Route resources
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: example-http-route
    - group: gateway.networking.k8s.io
      kind: GRPCRoute
      name: example-grpc-route
  # Or use label selector
  selector:
    matchLabels:
      app: my-routes
    matchExpressions:
      - key: environment
        operator: In
        values: ["production", "staging"]
  # Route policy configuration
  policy:
    # Common rules settings (applies to all rules)
    rules:
      # Backend group configuration
      backends:
        http:
          useHTTP2: true # enable HTTP/2 to backends
        grpc: {} # gRPC-specific settings
        stream:
          enableProxy: true # enable proxy protocol
          keepConnectionsOnHostHealthFailure: false # drop failed connections
        balancing:
          mode: "ROUND_ROBIN" # load balancing algorithm
          localityAwareRouting: 80 # prefer same zone
          strictLocality: false # allow cross-zone routing
          panicThreshold: 50 # panic mode threshold
        # Health checks
        hc:
          timeout: "5s" # health check timeout
          interval: "10s" # check interval
          healthyThreshold: 2 # checks to mark healthy
          unhealthyThreshold: 3 # checks to mark unhealthy
          port: 8080 # health check port
          http:
            path: "/health" # HTTP health check path
            host: "health.example.com" # Host header
            useHTTP2: false # use HTTP/1.1 for checks
            expectedStatuses: [200, 202] # healthy status codes
          grpc:
            serviceName: "health.HealthService" # gRPC service
          stream:
            send: "PING" # TCP check data to send
            receive: "PONG" # expected TCP response
          # Health check transport settings
          transportSettings:
            plaintext: true # use plaintext for health checks
            tls:
              sni: "health.example.com" # SNI for health check TLS
              trustedCA:
                id: "health-cert-123" # health check TLS cert ID
        # Backend TLS configuration
        tls:
          sni: "backend.example.com" # SNI for TLS
          trustedCA:
            id: "cert-123456" # cloud certificate ID
      # Session affinity
      sessionAffinity:
        connection:
          sourceIP: true # IP-based affinity
        cookie:
          name: "session" # cookie name
          ttl: "3600s" # cookie lifetime
        header:
          name: "X-Session-ID" # header-based affinity
      # Route timeouts
      timeout: "60s" # overall connection timeout
      idleTimeout: "300s" # idle connection timeout
      # HTTP specific settings
      http:
        upgradeTypes: ["websocket"] # supported upgrade protocols
      # Security
      securityProfileID: "security-profile-1" # WAF profile for routes
      rbac:
        action: "ALLOW" # default RBAC action
        principals:
          admin:
            check-token:
              header:
                name: "authorization"
                exact: "Bearer admin123"
            check-ip:
              ip:
                remoteIp: "10.0.0.0/8"
    # Specific rule settings (overrides common settings)
    rule:
      api-rule: # rule name from HTTPRoute
        backends:
          balancing:
            mode: "LEAST_REQUEST" # per-rule balancing
        ...
    # Common hosts settings (applies to all hosts)
    hosts:
      securityProfileID: "host-security-profile-1" # WAF profile for hosts
      rateLimit:
        allRequests:
          perSecond: 100 # global rate limit
          perMinute: 6000 # global rate limit
        requestsPerIP:
          perSecond: 10 # per-IP rate limit
          perMinute: 600 # per-IP rate limit
      rbac:
        action: "DENY" # host-level RBAC action
        principals:
          blocked:
            bad-ip:
              ip:
                remoteIp: "192.168.1.0/24"
    # Specific host settings (overrides common settings)
    host:
      "api.example.com": # specific hostname
        securityProfileID: "api-host-security" # per-host WAF
        ...
status:
  conditions:
    - type: "Ready"
      status: "True"
      reason: "PolicyApplied"
  attachedRoutes: 5
| Field | Type | Description |
| --- | --- | --- |
| metadata | ObjectMeta | Standard Kubernetes metadata. |
| spec | RoutePolicySpec | Route policy specification. |
| status | RoutePolicyStatus | Route policy status. |
RoutePolicySpec
RoutePolicySpec defines the desired state of RoutePolicy.
Appears in: RoutePolicy
| Field | Type | Description |
| --- | --- | --- |
| targetRefs | []LocalObjectReference | References to Route resources (HTTPRoute, GRPCRoute, TLSRoute) that this policy should apply to. |
| selector | LabelSelector | Label selector for Route resources that this policy should apply to. |
| policy | Route | Route policy configuration. |
LocalObjectReference
Reference to a local Kubernetes object.
Appears in: RoutePolicySpec
| Field | Type | Description |
| --- | --- | --- |
| group | string | API group of the target resource. Example: gateway.networking.k8s.io |
| kind | string | Kind of the target resource. Example: HTTPRoute |
| name | string | Name of the target resource. Example: example-http-route |
LabelSelector
Label selector for selecting resources by labels.
Appears in: RoutePolicySpec
| Field | Type | Description |
| --- | --- | --- |
| matchLabels | map[string]string | Map of key-value pairs for exact label matching. Example: app: my-routes |
| matchExpressions | []LabelSelectorRequirement | List of label selector requirements. |
LabelSelectorRequirement
Label selector requirement for advanced label matching.
Appears in: LabelSelector
| Field | Type | Description |
| --- | --- | --- |
| key | string | Label key that the selector applies to. Example: environment |
| operator | string | Operator for the requirement. Options: In, NotIn, Exists, DoesNotExist. Example: In |
| values | []string | Array of string values for the In and NotIn operators. Example: ["production", "staging"] |
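The following is an added example, not code from the Gwin project: it evaluates a RoutePolicy selector against Route labels using the standard Kubernetes LabelSelector semantics listed above (matchLabels combined with matchExpressions using In, NotIn, Exists and DoesNotExist) and reports which routes the policy would attach to. The route inventory and the selectors are constructed for the example.

```python
"""Evaluate a RoutePolicy `selector` against the labels of Route resources.

Added example (not part of the Gwin documentation or code base). Semantics
follow the Kubernetes LabelSelector: every matchLabels pair must match
exactly AND every matchExpressions requirement must hold.
"""


def _requirement_matches(req: dict, labels: dict) -> bool:
    """Apply one LabelSelectorRequirement to a label map."""
    key, op = req["key"], req["operator"]
    values = set(req.get("values", []))
    present = key in labels
    if op == "In":
        # key must be present and its value must be one of the listed values
        return present and labels[key] in values
    if op == "NotIn":
        # absent keys satisfy NotIn, as do values outside the list
        return not present or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(selector: dict, labels: dict) -> bool:
    """True if matchLabels and all matchExpressions match the given labels."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    return all(_requirement_matches(r, labels)
               for r in selector.get("matchExpressions", []))


def select_routes(selector: dict, routes: dict) -> list:
    """Return the sorted names of routes (name -> labels) the selector matches."""
    return sorted(name for name, labels in routes.items()
                  if selector_matches(selector, labels))


# Constructed route inventory for the example (not real cluster data).
ROUTES = {
    "orders-prod": {"app": "my-routes", "environment": "production"},
    "orders-stage": {"app": "my-routes", "environment": "staging"},
    "orders-dev": {"app": "my-routes", "environment": "dev"},
    "admin-prod": {"app": "admin", "environment": "production"},
    "legacy": {"app": "my-routes"},  # no environment label at all
}

# The selector from the cheatsheet above.
SELECTOR = {
    "matchLabels": {"app": "my-routes"},
    "matchExpressions": [
        {"key": "environment", "operator": "In", "values": ["production", "staging"]},
    ],
}

if __name__ == "__main__":
    print("attached:", select_routes(SELECTOR, ROUTES))
    print("no environment label:", select_routes(
        {"matchExpressions": [{"key": "environment", "operator": "DoesNotExist"}]}, ROUTES))
```

Note that a route without the label in question satisfies NotIn and DoesNotExist, so a policy written with NotIn attaches to unlabelled routes as well; that is the behaviour to check when the intent is to exclude, not include.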
Route
Route policy configuration that applies to routing rules and virtual hosts.
Appears in: RoutePolicySpec
| Field | Type | Description |
| --- | --- | --- |
| rules | RouteRule | Common rules settings that apply to all route rules. |
| rule | map[string]RouteRule | Specific rules settings where the key is the rule name. |
| hosts | VirtualHost | Common hosts settings that apply to all virtual hosts. |
| host | map[string]VirtualHost | Specific hosts settings where the key is the hostname. |
RouteRule
Route rule configuration that combines backend group and route settings.
Appears in: Route
| Field | Type | Description |
| --- | --- | --- |
| backends | Backend | Backend configuration settings. |
| sessionAffinity | SessionAffinity | Session affinity configuration for the backend group. |
| timeout | string | Overall timeout for HTTP connection between load balancer and backend. Default: 60s. Example: 60s |
| idleTimeout | string | Idle timeout for HTTP connection. Example: 300s |
| http | RouteALBHTTP | HTTP specific route options. |
| securityProfileID | string | Security profile ID for route-level protection. Example: security-profile-1 |
| rbac | RBAC | RBAC access control configuration. |
Backend
Backend configuration for protocol-specific settings, load balancing, health checks, and TLS.
Appears in: RouteRule
| Field | Type | Description |
| --- | --- | --- |
| http | HTTPBackend | HTTP specific backend settings. |
| grpc | GRPCBackend | gRPC specific backend settings. |
| stream | StreamBackend | TCP stream specific backend settings. |
| balancing | LoadBalancingConfig | Load balancing configuration for the backend. |
| hc | HealthCheck | Health check configuration. |
| tls | BackendTLS | TLS settings for backend connections. |
HTTPBackend
HTTP specific backend settings.
Appears in: Backend
| Field | Type | Description |
| --- | --- | --- |
| useHTTP2 | bool | Enables HTTP/2 usage in connections between load balancer nodes and backend targets. Default: false. Example: true |
GRPCBackend
gRPC specific backend settings.
Appears in: Backend
Reserved for future gRPC-specific settings.
StreamBackend
TCP stream specific backend settings.
Appears in: Backend
| Field | Type | Description |
| --- | --- | --- |
| enableProxy | bool | If set, proxy protocol will be enabled for this backend. Example: true |
| keepConnectionsOnHostHealthFailure | bool | If a backend host becomes unhealthy, keep connections to the failed host. Example: false |
LoadBalancingConfig
Load balancing configuration for backends.
Appears in: Backend
| Field | Type | Description |
| --- | --- | --- |
| panicThreshold | int | Threshold for panic mode (percentage). If healthy backends drop below this threshold, traffic routes to all backends. Set to 0 to disable panic mode. Example: 50 |
| localityAwareRouting | int | Percentage of traffic sent to backends in the same availability zone. Remaining traffic is divided equally between other zones. Example: 90 |
| strictLocality | bool | Send traffic only to backends in the same availability zone. If true, localityAwareRouting is ignored. Example: false |
| mode | string | Load balancing mode. Options: ROUND_ROBIN, LEAST_REQUEST, RANDOM, RING_HASH, MAGLEV_HASH. Example: ROUND_ROBIN |
HealthCheck
Health check configuration for monitoring backend health.
Appears in: Backend
| Field | Type | Description |
| --- | --- | --- |
| timeout | string | Health check timeout: the time allowed for the target to respond. Example: 5s |
| interval | string | Base interval between consecutive health checks. Example: 10s |
| healthyThreshold | int | Number of consecutive successful checks to mark a target as healthy. Default: 0 (1 check required). Example: 2 |
| unhealthyThreshold | int | Number of consecutive failed checks to mark a target as unhealthy. Default: 0 (1 check required). Example: 3 |
| port | int | Port used for health checks. If not specified, the backend port is used. Example: 8080 |
| http | HealthcheckHTTP | HTTP-specific health check settings. |
| grpc | HealthcheckGRPC | gRPC-specific health check settings. |
| stream | HealthcheckStream | TCP stream-specific health check settings. |
| transportSettings | HealthCheckTransportSettings | Optional transport protocol settings for health checks. |
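The two settings that most often surprise operators are the consecutive-check thresholds above and the panicThreshold from LoadBalancingConfig: a backend stays in its current state until the streak of opposite results reaches the threshold, and when too few backends remain healthy the balancer stops filtering by health altogether. The following added example (not code from Gwin or Yandex Cloud) models both rules on a constructed sequence of check results; the assumption that every target starts healthy and the check sequences are the example's own.

```python
"""Model HealthCheck threshold semantics and LoadBalancingConfig panic mode.

Added example, not part of the Gwin project. Implements the behaviour the
reference describes: N consecutive passes (healthyThreshold) or failures
(unhealthyThreshold) flip a target's state, a threshold of 0 meaning one
check; if the healthy share of backends falls below panicThreshold (in
percent), traffic goes to all backends; panicThreshold 0 disables that.
"""
from dataclasses import dataclass, field


@dataclass
class BackendHealth:
    """Tracks one backend target's health from consecutive check results."""
    name: str
    healthy_threshold: int = 0    # 0 means 1 consecutive pass is required
    unhealthy_threshold: int = 0  # 0 means 1 consecutive failure is required
    healthy: bool = True          # assumption: targets start out healthy
    _pass_streak: int = field(default=0, repr=False)
    _fail_streak: int = field(default=0, repr=False)

    def record(self, passed: bool) -> bool:
        """Feed one health-check result and return the state afterwards."""
        need_pass = max(self.healthy_threshold, 1)
        need_fail = max(self.unhealthy_threshold, 1)
        if passed:
            self._pass_streak += 1
            self._fail_streak = 0  # a pass resets the failure streak
            if not self.healthy and self._pass_streak >= need_pass:
                self.healthy = True
        else:
            self._fail_streak += 1
            self._pass_streak = 0  # a failure resets the pass streak
            if self.healthy and self._fail_streak >= need_fail:
                self.healthy = False
        return self.healthy


def eligible_backends(backends: list, panic_threshold: int) -> list:
    """Backends that may receive traffic given the panic-mode rule."""
    if not backends:
        return []
    healthy = [b for b in backends if b.healthy]
    healthy_pct = 100 * len(healthy) / len(backends)
    if panic_threshold > 0 and healthy_pct < panic_threshold:
        return list(backends)  # panic mode: ignore health, use every backend
    return healthy


def simulate(results: dict, healthy_threshold: int = 2,
             unhealthy_threshold: int = 3, panic_threshold: int = 50):
    """Replay per-backend check results (name -> list of bool) round by round.

    Returns (final health map, sorted names of backends eligible for traffic).
    """
    backends = [BackendHealth(n, healthy_threshold, unhealthy_threshold) for n in results]
    rounds = max(len(seq) for seq in results.values())
    for i in range(rounds):
        for b in backends:
            seq = results[b.name]
            if i < len(seq):
                b.record(seq[i])
    health = {b.name: b.healthy for b in backends}
    eligible = sorted(b.name for b in eligible_backends(backends, panic_threshold))
    return health, eligible


# Constructed check results (F = failed check, T = passed check).
T, F = True, False
SAMPLE = {
    "a": [T, T, T, T, T],       # always healthy
    "b": [F, F, T, F, F, F],    # one pass resets the streak; 3 later fails mark it down
    "c": [F, F, F, T, T],       # marked down after 3 fails, back up after 2 passes
    "d": [F, F, T, T, T],       # only 2 fails: never marked down
}

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

With the cheatsheet's thresholds (healthy 2, unhealthy 3, panic 50) backend b is the only one marked unhealthy, 75% remain healthy, and traffic is limited to a, c and d. Lower the healthy share to 25% and panic mode puts the failed backends back into rotation, which is why a panicThreshold should be chosen with the failure it is meant to survive in mind.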
HealthcheckHTTP
HTTP-specific health check settings.
Appears in: HealthCheck
| Field | Type | Description |
| --- | --- | --- |
| host | string | Value for the HTTP/1.1 Host header or HTTP/2 :authority pseudo-header. Example: health.example.com |
| path | string | HTTP path used in requests to targets. Example: /health |
| useHTTP2 | bool | Enables HTTP/2 usage in health checks. Default: false. Example: true |
| expectedStatuses | []int | List of HTTP response statuses considered healthy. Default: [200]. Example: [200, 202, 204] |
HealthcheckGRPC
gRPC-specific health check settings.
Appears in: HealthCheck
| Field | Type | Description |
| --- | --- | --- |
| serviceName | string | Name of the gRPC service to be checked. If not specified, overall health is checked. Example: health.v1.HealthService |
HealthcheckStream
TCP stream-specific health check settings.
Appears in: HealthCheck
| Field | Type | Description |
| --- | --- | --- |
| send | string | Message sent to targets during TCP data transfer. If not specified, no data is sent. Example: PING |
| receive | string | Data that must be contained in received messages for a successful health check. If not specified, no messages are expected. Example: PONG |
HealthCheckTransportSettings
Transport protocol settings for health checks.
Appears in: HealthCheck
| Field | Type | Description |
| --- | --- | --- |
| plaintext | bool | Use plaintext protocol for health checks. Set to true to force HTTP health checks even for HTTPS backends. Example: true |
| tls | BackendTLS | TLS settings for health checks. Use when health checks require a different TLS configuration than the backend. |
BackendTLS
TLS settings for backend connections.
Appears in: Backend, HealthCheckTransportSettings
| Field | Type | Description |
| --- | --- | --- |
| sni | string | Server Name Indication (SNI) string for TLS connections. Example: backend.example.com |
| trustedCA | BackendTLSTrustedCA | Validation context for TLS connections. |
BackendTLSTrustedCA
Trusted CA configuration for TLS validation.
Appears in: BackendTLS
| Field | Type | Description |
| --- | --- | --- |
| id | string | Cloud certificate ID. Example: fpq6gvvm6piu******** |
| bytes | string | X.509 certificate contents in PEM format. Example: -----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE----- |
SessionAffinity
Session affinity configuration for routing requests from the same client to the same backend.
Appears in: RouteRule
| Field | Type | Description |
| --- | --- | --- |
| connection | SessionAffinityConnection | Connection-based session affinity (by client IP). |
| cookie | SessionAffinityCookie | Cookie-based session affinity. |
| header | SessionAffinityHeader | HTTP header-based session affinity. |
SessionAffinityConnection
Connection-based session affinity configuration.
Appears in: SessionAffinity
| Field | Type | Description |
| --- | --- | --- |
| sourceIP | bool | Use client IP address for session affinity. Example: true |
SessionAffinityCookie
Cookie-based session affinity configuration.
Appears in: SessionAffinity
| Field | Type | Description |
| --- | --- | --- |
| name | string | Name of the cookie used for session affinity. Example: session-cookie |
| ttl | string | Maximum age of generated session cookies. Set to 0 for session cookies (deleted on client restart). If not set, the balancer only uses incoming cookies. Example: 3600s |
SessionAffinityHeader
HTTP header-based session affinity configuration.
Appears in: SessionAffinity
| Field | Type | Description |
| --- | --- | --- |
| name | string | Name of the HTTP header field used for session affinity. Example: X-Session-ID |
ALBRoute
Application Load Balancer route configuration.
Appears in: RouteRule
| Field | Type | Description |
| --- | --- | --- |
| timeout | string | Overall timeout for HTTP connection between load balancer and backend. Default: 60s. Example: 60s |
| idleTimeout | string | Idle timeout for HTTP connection. Example: 300s |
| http | RouteALBHTTP | HTTP specific route options. |
| securityProfileID | string | Security profile ID for route-level protection. Example: security-profile-1 |
| rbac | RBAC | RBAC access control configuration. |
RouteALBHTTP
HTTP-specific route configuration.
Appears in: ALBRoute, RouteRule
| Field | Type | Description |
| --- | --- | --- |
| upgradeTypes | []string | Supported values for the HTTP Upgrade header. Example: ["websocket"] |
VirtualHost
Virtual host configuration for rate limiting and access control.
Appears in: Route
| Field | Type | Description |
| --- | --- | --- |
| securityProfileID | string | Security profile ID for host-level protection. Example: host-security-profile-1 |
| rbac | RBAC | RBAC access control configuration. |
| rateLimit | RateLimit | Rate limit configuration applied to the whole virtual host. |
RateLimit
Rate limit configuration applied to virtual hosts.
Appears in: VirtualHost
| Field | Type | Description |
| --- | --- | --- |
| allRequests | RateLimitLimit | Rate limit configuration applied to all incoming requests. |
| requestsPerIP | RateLimitLimit | Rate limit configuration applied separately to each set of requests grouped by client IP address. |
RateLimitLimit
Rate limit configuration with time-based limits.
Appears in: RateLimit
| Field | Type | Description |
| --- | --- | --- |
| perMinute | int | Limit value expressed as requests per minute. Example: 6000 |
| perSecond | int | Limit value expressed as requests per second. Example: 100 |
RoutePolicyStatus
RoutePolicyStatus defines the observed state of RoutePolicy.
Appears in: RoutePolicy
| Field | Type | Description |
| --- | --- | --- |
| conditions | []Condition | Current state conditions of the route policy. |
| attachedRoutes | int32 | Number of currently attached routes. |
RBAC
RBAC (Role-Based Access Control) configuration for controlling access to routes and hosts.
Appears in: RouteRule, ALBRoute, VirtualHost
| Field | Type | Description |
| --- | --- | --- |
| action | string | Action to take when principals match. Options: ALLOW, DENY. Example: ALLOW |
| principals | map[string]AndPrincipals | Map of principal groups where each group contains multiple principals combined with AND logic. |
AndPrincipals
Map of principals that are combined with AND logic within a group.
Appears in: RBAC
| Field | Type | Description |
| --- | --- | --- |
| key | Principal | Each map key is a principal identifier; its value is that principal's configuration. |
Principal
Principal configuration for RBAC matching.
Appears in: AndPrincipals
| Field | Type | Description |
| --- | --- | --- |
| header | HeaderPrincipal | Header-based principal matching. |
| ip | IPPrincipal | IP-based principal matching. |
| any | bool | Match any request. Example: true |
HeaderPrincipal
Header-based principal matching configuration.
Appears in: Principal
| Field | Type | Description |
| --- | --- | --- |
| name | string | Name of the header to match. Example: authorization |
| regex | string | Regular expression pattern for header value matching. Example: ^Bearer .* |
| exact | string | Exact header value match. Example: Bearer admin123 |
| prefix | string | Header value prefix match. Example: Bearer |
IPPrincipal
IP-based principal matching configuration.
Appears in: Principal
| Field | Type | Description |
| --- | --- | --- |
| remoteIp | string | IP address or CIDR block for matching client IP. Example: 10.0.0.0/8 |
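The RBAC, AndPrincipals, Principal, HeaderPrincipal and IPPrincipal sections above describe how a request is matched, and the cheatsheet shows an ALLOW rule on the route and a DENY rule on the host. The following added example (not code from Gwin) evaluates such rules against sample requests so that the effect of a given principals map can be checked before it is applied. It follows the page's statements (principals within one group are combined with AND; header matching by exact, prefix or regex; IP matching by CIDR; `any` matches every request) and makes two assumptions the page does not state: the groups in the principals map are combined with OR, and a regex must match the whole header value. The token and the requests are constructed.

```python
"""Evaluate RoutePolicy RBAC rules against requests.

Added example, not part of the Gwin project or the Yandex Cloud SDK.
Assumptions not stated in the reference: groups are OR-combined, a regex
must match the whole header value, and a HeaderPrincipal that names a
header without exact/prefix/regex only requires the header to be present.
"""
import ipaddress
import re


def header_matches(spec: dict, headers: dict) -> bool:
    """HeaderPrincipal: compare the named header (case-insensitively) by exact, prefix or regex."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(spec["name"].lower())
    if value is None:
        return False
    if "exact" in spec:
        return value == spec["exact"]
    if "prefix" in spec:
        return value.startswith(spec["prefix"])
    if "regex" in spec:
        return re.fullmatch(spec["regex"], value) is not None  # assumption: whole-value match
    return True  # assumption: name only -> presence check


def ip_matches(spec: dict, client_ip: str) -> bool:
    """IPPrincipal: remoteIp is a single address or a CIDR block."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec["remoteIp"], strict=False)


def principal_matches(principal: dict, request: dict) -> bool:
    """One Principal: any, header or ip."""
    if principal.get("any"):
        return True
    if "header" in principal:
        return header_matches(principal["header"], request["headers"])
    if "ip" in principal:
        return ip_matches(principal["ip"], request["client_ip"])
    return False  # an empty principal matches nothing


def rbac_allows(rbac: dict, request: dict) -> bool:
    """True if the request passes the rule: ALLOW admits matches, DENY rejects them."""
    groups = rbac.get("principals", {})
    matched = any(
        all(principal_matches(p, request) for p in group.values())  # AND within a group
        for group in groups.values()                                # assumption: OR across groups
    )
    return matched if rbac.get("action", "ALLOW") == "ALLOW" else not matched


# Route-level rule shaped like the cheatsheet's: both principals in the
# "admin" group must match. The token value is a constructed placeholder.
ALLOW_RULE = {
    "action": "ALLOW",
    "principals": {
        "admin": {
            "check-token": {"header": {"name": "authorization", "exact": "Bearer EXAMPLE_TOKEN"}},
            "check-ip": {"ip": {"remoteIp": "10.0.0.0/8"}},
        }
    },
}

# Host-level rule shaped like the cheatsheet's: block one subnet.
DENY_RULE = {
    "action": "DENY",
    "principals": {"blocked": {"bad-ip": {"ip": {"remoteIp": "192.168.1.0/24"}}}},
}

# Constructed requests.
INTERNAL_WITH_TOKEN = {"headers": {"Authorization": "Bearer EXAMPLE_TOKEN"}, "client_ip": "10.1.2.3"}
EXTERNAL_WITH_TOKEN = {"headers": {"Authorization": "Bearer EXAMPLE_TOKEN"}, "client_ip": "192.0.2.10"}
INTERNAL_NO_TOKEN = {"headers": {}, "client_ip": "10.1.2.3"}

if __name__ == "__main__":
    for name, req in [("internal+token", INTERNAL_WITH_TOKEN),
                      ("external+token", EXTERNAL_WITH_TOKEN),
                      ("internal, no token", INTERNAL_NO_TOKEN)]:
        print(f"{name}: {'allowed' if rbac_allows(ALLOW_RULE, req) else 'denied'}")
```

Because the two principals in the admin group are AND-combined, a valid token from outside 10.0.0.0/8 is still rejected; to admit either condition on its own, put each principal in its own group. Note also that with action ALLOW an empty principals map matches nothing and therefore denies every request.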