Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

TLSRoute resource fields

Written by
Updated at January 26, 2026

The TLSRoute resource sets traffic routing rules for Kubernetes services (Service resources) operating as backends. TLSRoute receives incoming traffic from those Gateway resources whose requirements it meets.

TLSRoute is designed for application developers. Cluster operators should use the Gateway resource.

TLSRoute is a Kubernetes Gateway API project resource. Below, we describe its fields and annotations used by the Application Load Balancer Gateway API. For configuration details, see the Kubernetes Gateway API reference.

TLSRoute

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata: <ObjectMeta>
spec: <TLSRouteSpec>

Field

Value / Type

Description

apiVersion

gateway.networking.k8s.io/v1alpha2

This is a required field.
Kubernetes API version.

kind

TLSRoute

This is a required field.
Resource type.

metadata

ObjectMeta

This is a required field.
Resource metadata.

spec

TLSRouteSpec

This is a required field.
Resource specification.
Example
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: sample-route
  namespace: route-namespace
spec:
  parentRefs:
  - name: sample-gateway
    sectionName: sample-listener
    namespace: gateway-namespace
  hostnames:
  - "sample.example.com"
  rules:
  - backendRefs:
    - name: sample-service
      port: 80

ObjectMeta

name: <string>
namespace: <string>

Field

Value / Type

Description

name

string

This is a required field.
Resource name.

Do not mistake this name for the Application Load Balancer route name.

namespace

string

Namespace the resource belongs to.

The default value is default.

TLSRouteSpec

parentRefs: <[]ParentReference>
hostnames: <[]Hostname>
rules: <[]TLSRouteRule>

Field

Value / Type

Description

parentRefs

[]ParentReference

This is a required field.
List of Gateway resources or their listeners associated with the TLSRoute.

For the TLSRoute to receive Gateway traffic, it must comply with the rules specified in its configuration, i.e., the spec.listeners.allowedRoutes field.

hostnames

[]Hostname

Domain names matching the SNI value in the ClientHello TLS handshake message.

To match all subdomains at any level, use a wildcard * in place of the first-level domain name. Wildcard domain values must be quoted.

For example, "*.example.com" matches foo.example.com, foo-bar.example.com, foo.bar.example.com, and foo.bar.baz.example.com, but not example.com.

Wildcards must replace complete domain levels; for example, *foo.example.com is invalid.

rules

[]TLSRouteRule

This is a required field.
Request routing rules.

ParentReference

name: <string>
namespace: <string>
sectionName: <string>

Field

Value / Type

Description

name

string

This is a required field.
Gateway resource name.

namespace

string

Namespace the Gateway resource belongs to.

By default, it matches the TLSRoute resource namespace (the metadata.namespace field).

sectionName

string

Name of the listener specified in the Gateway resource.

TLSRouteRule

backendRefs:
  - name: <string>
    namespace: <string>
    port: <int32>
    weight: <int32>

Field

Value / Type

Description

backendRefs

[]BackendRef

This is a required field.
List of Kubernetes services acting as backends and processing requests.

All services from this list will be placed in the same backend group.

backendRefs.name

string

This is a required field.
Name of the Kubernetes service acting as a backend.

The referred Service resource must be described per the standard configuration.

backendRefs.namespace

string

Namespace the Service resource belongs to.

By default, it matches the TLSRoute resource namespace (the metadata.namespace field).

backendRefs.port

int32

Service port number.

The port number must match one of the Service resource spec.ports.port values.

backendRefs.weight

int32

Backend weight. Backends in a group receive traffic in proportion to their weights.

You should either specify weights for all backends in a group, or not specify them at all. If weights are not specified, traffic will be equally distributed across backends.

A backend with zero or negative weight will not be receiving traffic.
Previous
RoutePolicy
Next
Gateway API service