IngressPolicy
- Cheatsheet
- IngressPolicySpec
- Ingress
- IngressRule
- VirtualHost
- RateLimit
- RateLimitLimit
- BackendGroup
- Backend
- HTTPBackend
- GRPCBackend
- StreamBackend
- LoadBalancingConfig
- HealthCheck
- HealthcheckHTTP
- HealthcheckGRPC
- HealthcheckStream
- HealthCheckTransportSettings
- BackendTLS
- BackendTLSTrustedCA
- SessionAffinity
- SessionAffinityConnection
- SessionAffinityCookie
- SessionAffinityHeader
- ALBRoute
- RouteALBHTTP
- HeaderModifier
- RedirectAction
- RedirectActionPath
- DirectResponseAction
- DirectResponseActionBody
- IngressPolicyStatus
IngressPolicy is a Gwin custom resource for configuring ingress-level policies in Yandex Application Load Balancer. It allows you to define ingress group settings, load balancer configuration, backend settings, and virtual host options that apply to Ingress resources.
Cheatsheet
Note
The specification below is not a valid configuration. It only demonstrates every IngressPolicy field in one place.
```yaml
apiVersion: gwin.yandex.cloud/v1
kind: IngressPolicy
metadata:
  name: example-ingress-policy
  namespace: example-ns
spec:
  # Target Ingress resources
  targetRefs:
    - group: networking.k8s.io
      kind: Ingress
      name: example-ingress
  # Or use label selector
  selector:
    matchLabels:
      app: my-ingress
    matchExpressions:
      - key: environment
        operator: In
        values: ["production", "staging"]
  # Ingress policy configuration
  policy:
    # Ingress group configuration
    groupName: "my-ingress-group"   # group multiple ingresses
    groupOrder: 100                 # processing order within group
    # Load balancer configuration
    externalIPv4Address: "auto"                    # external IPv4 address (use "auto" to allocate automatically)
    internalIPv4Address: "subnet-id-1/10.1.1.1"    # internal IPv4 address inside VPC subnet
    externalIPv6Address: "2001:db8::1"             # external IPv6 address
    subnets: ["subnet-id-1", "subnet-id-2"]        # where to place balancer
    securityGroups: ["sg-id-1", "sg-id-2"]         # network access control
    allowZonalShift: true                          # enable failover between zones
    # Cloud Logging
    logs:
      logGroupID: "log-group-id-1"   # where to send logs
      disable: false                 # enable logging
      discardRule:
        rule1:                                         # custom rule name
          httpCodes: [404, 500]                        # skip these status codes
          httpCodeIntervals: ["HTTP_4XX", "HTTP_5XX"]  # skip error ranges
          grpcCodes: ["INTERNAL", "UNIMPLEMENTED"]     # skip gRPC errors
          discardPercent: 10                           # drop 10% of logs
    # Autoscaling
    autoScale:
      minZoneSize: 2   # min instances per zone
      maxSize: 10      # max total instances
    # Zone traffic control
    zone:
      ru-central1-a:
        receiveTraffic: false   # disable this zone
      ru-central1-b:
        receiveTraffic: true    # enable this zone
    # Listener configuration
    listeners:
      http:
        protocolSettings:
          allowHTTP10: true   # support old HTTP
          http2Options:
            maxConcurrentStreams: 100   # limit connections
      stream:
        idleTimeout: "300s"   # close idle connections
    # HTTP router configuration
    rbac:
      action: "ALLOW"   # access control policy
      principals:
        admin:            # principal group
          check-token:    # principal name
            header:
              name: "X-Api-Token"
              exact: "admin123"
    # Backend and route configuration
    rules:
      # Backend group configuration
      backends:
        http:
          useHTTP2: true   # enable HTTP/2 to backends
        balancing:
          mode: "ROUND_ROBIN"        # load balancing algorithm
          localityAwareRouting: 80   # prefer same zone
          strictLocality: false      # allow cross-zone routing
          panicThreshold: 50         # panic mode threshold
        # Health checks
        hc:
          timeout: "5s"           # health check timeout
          interval: "10s"         # check interval
          healthyThreshold: 2     # checks to mark healthy
          unhealthyThreshold: 3   # checks to mark unhealthy
          port: 8080              # health check port
          http:
            path: "/health"                # HTTP health check path
            host: "health.example.com"     # Host header
            useHTTP2: false                # use HTTP/1.1 for checks
            expectedStatuses: [200, 202]   # healthy status codes
          # Health check transport settings
          transportSettings:
            plaintext: true   # use plaintext for health checks
            tls:
              sni: "health.example.com"   # SNI for health check TLS
              trustedCA:
                id: "health-cert-123"     # health check TLS cert ID
        # Backend TLS configuration
        tls:
          sni: "backend.example.com"   # SNI for TLS
          trustedCA:
            id: "cert-123456"          # cloud certificate ID
      # Session affinity
      sessionAffinity:
        connection:
          sourceIP: true   # IP-based affinity
        cookie:
          name: "session"   # cookie name
          ttl: "3600s"      # cookie lifetime
        header:
          name: "X-Session-ID"   # header-based affinity
      # Route timeouts
      timeout: "60s"        # overall connection timeout
      idleTimeout: "300s"   # idle connection timeout
      # HTTP specific settings
      http:
        upgradeTypes: ["websocket"]   # supported upgrade protocols
      # HTTP method restrictions
      allowedMethods: ["GET", "POST", "PUT"]   # restrict allowed HTTP methods
      # URL path rewriting
      prefixRewrite: "/new-prefix"   # rewrite URL path prefix
      # Header modifications
      modifyRequestHeaders:
        append:
          X-Custom-Header: "custom-value"   # add request header
        rename:
          Old-Header: "New-Header"   # rename request header
        replace:
          Authorization: "Bearer token"   # replace request header
        remove: ["X-Remove-Me", "X-Also-Remove"]   # remove request headers
      modifyResponseHeaders:
        append:
          X-Response-Header: "response-value"   # add response header
        rename:
          Old-Response: "New-Response"   # rename response header
        replace:
          Cache-Control: "no-cache"   # replace response header
        remove: ["Server", "X-Powered-By"]   # remove response headers
      # Security
      securityProfileID: "security-profile-1"   # WAF profile for routes
      rbac:
        action: "ALLOW"   # default RBAC action
        principals:
          admin:
            check-token:
              header:
                name: "authorization"
                exact: "Bearer admin123"
    # Virtual host configuration
    hosts:
      securityProfileID: "host-security-profile-1"   # WAF profile for hosts
      rateLimit:
        allRequests:
          perSecond: 100    # global rate limit
          perMinute: 6000   # global rate limit
        requestsPerIP:
          perSecond: 10    # per-IP rate limit
          perMinute: 600   # per-IP rate limit
      rbac:
        action: "DENY"   # host-level RBAC action
        principals:
          blocked:
            bad-ip:
              ip:
                remoteIp: "192.168.1.0/24"
    # Redirect actions (referenced by Ingress backend resources)
    redirect:
      https-redirect:                       # redirect action name
        replaceScheme: "https"              # change URL scheme
        replaceHost: "secure.example.com"   # change hostname
        replacePort: 443                    # change port
        path:
          replacePath: "/new-path"          # replace entire path
        removeQuery: true                   # remove query parameters
        responseCode: 301                   # redirect status code
    # Direct response actions (referenced by Ingress backend resources)
    directResponse:
      maintenance-response:   # direct response action name
        responseCode: 503     # HTTP status code
        responseBody:
          text: "Service temporarily unavailable"   # response body text
status:
  conditions:
    - type: "Ready"
      status: "True"
      reason: "PolicyApplied"
  attachedIngresses: 3
```
| Field | Description |
|---|---|
| metadata | ObjectMeta Standard Kubernetes metadata. |
| spec | IngressPolicySpec Ingress policy specification. |
| status | IngressPolicyStatus Ingress policy status. |
IngressPolicySpec
IngressPolicySpec defines the desired state of IngressPolicy.
Appears in: IngressPolicy
| Field | Description |
|---|---|
| targetRefs | []LocalObjectReference References to Ingress resources that this policy should apply to. |
| selector | LabelSelector Label selector for Ingress resources that this policy should apply to. |
| policy | Ingress Ingress policy configuration. |
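The two attachment mechanisms above decide which Ingress objects receive a policy, and therefore which hosts end up behind its RBAC, rate limits and header rewrites. The following is an added example, not Gwin's own code: it reproduces standard Kubernetes LabelSelector semantics (matchLabels and matchExpressions are ANDed; operators In, NotIn, Exists, DoesNotExist; an empty selector matches every object, a missing one matches none), assumes targetRefs are same-namespace references, and assumes a policy attaches to an Ingress that is either named in targetRefs or matched by the selector. The policy and Ingress objects are constructed sample data.

```python
"""Decide which Ingress objects an IngressPolicy attaches to.

Added example, not Gwin's own code. Assumes Kubernetes LabelSelector
semantics (matchLabels and matchExpressions ANDed; operators In, NotIn,
Exists, DoesNotExist; {} matches everything, a missing selector matches
nothing), same-namespace targetRefs, and attachment by targetRef OR
selector. All objects below are constructed sample data.
"""
from typing import Any, Dict, List, Optional


def _requirement_matches(labels: Dict[str, str], req: Dict[str, Any]) -> bool:
    key, op, values = req["key"], req["operator"], req.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError("unknown operator %r" % op)


def selector_matches(selector: Optional[Dict[str, Any]], labels: Dict[str, str]) -> bool:
    """LabelSelector: every matchLabels entry and every matchExpressions
    requirement must hold. None matches nothing; {} matches every object."""
    if selector is None:
        return False
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(_requirement_matches(labels, r) for r in selector.get("matchExpressions", []))


def attached_ingresses(policy: Dict[str, Any], ingresses: List[Dict[str, Any]]) -> List[str]:
    """Names of the Ingress objects (in the policy's namespace) the policy applies to."""
    namespace = policy["metadata"]["namespace"]
    spec = policy["spec"]
    targeted = {ref["name"] for ref in spec.get("targetRefs", []) if ref.get("kind") == "Ingress"}
    selector = spec.get("selector")
    attached = []
    for ing in ingresses:
        meta = ing["metadata"]
        if meta.get("namespace") != namespace:
            continue  # a LocalObjectReference or selector never crosses namespaces
        if meta["name"] in targeted or selector_matches(selector, meta.get("labels", {})):
            attached.append(meta["name"])
    return attached


# Constructed sample: the cheatsheet's targetRefs/selector and four Ingress objects.
POLICY = {
    "metadata": {"name": "example-ingress-policy", "namespace": "example-ns"},
    "spec": {
        "targetRefs": [{"group": "networking.k8s.io", "kind": "Ingress", "name": "example-ingress"}],
        "selector": {
            "matchLabels": {"app": "my-ingress"},
            "matchExpressions": [{"key": "environment", "operator": "In",
                                  "values": ["production", "staging"]}],
        },
    },
}
INGRESSES = [
    {"metadata": {"name": "example-ingress", "namespace": "example-ns", "labels": {}}},
    {"metadata": {"name": "web-prod", "namespace": "example-ns",
                  "labels": {"app": "my-ingress", "environment": "production"}}},
    {"metadata": {"name": "web-dev", "namespace": "example-ns",
                  "labels": {"app": "my-ingress", "environment": "dev"}}},
    {"metadata": {"name": "example-ingress", "namespace": "other-ns",
                  "labels": {"app": "my-ingress", "environment": "production"}}},
]

if __name__ == "__main__":
    names = attached_ingresses(POLICY, INGRESSES)
    print(names, "attachedIngresses =", len(names))
```

Under these assumptions `example-ingress` attaches by name and `web-prod` by label, while `web-dev` fails the `environment In` requirement and the same-named Ingress in `other-ns` is out of scope. The number this function returns is what `status.attachedIngresses` should report; comparing the two is a cheap way to catch an over-broad `selector: {}` that silently pulls every Ingress in the namespace under the policy.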
Ingress
Ingress policy configuration that applies to ingress group, load balancer, and routing settings.
Appears in: IngressPolicySpec
| Field | Description |
|---|---|
| groupName | string Name of the ingress group to group multiple ingresses together. Example: my-ingress-group |
| groupOrder | int Processing order within the ingress group. Example: 100 |
| externalIPv4Address | string External IPv4 address for the load balancer. Use auto to automatically allocate a new address. Example: 5.4.3.2, auto |
| internalIPv4Address | string Internal IPv4 address for the load balancer inside VPC subnet. Format: subnet-id/ip-address or subnet-id/auto to automatically allocate an address. Example: subnet-id-1/10.1.1.1, subnet-id-1/auto |
| externalIPv6Address | string External IPv6 address for the load balancer. Example: 2001:db8::1 |
| subnets | []string Subnets of the zones where load balancer will be instantiated. Example: ["subnet-id-1", "subnet-id-2"] |
| securityGroups | []string Security groups of load balancer. Example: ["sg-id-1", "sg-id-2"] |
| logs | LogOptions Cloud logging settings of the application load balancer. |
| autoScale | AutoScalePolicy Scaling settings of the application load balancer. |
| zone | map[string]BalancerZone Zone-specific traffic control settings. |
| allowZonalShift | bool Specifies whether application load balancer is available to zonal shift. Example: true |
| listeners | GatewayListener Listener configuration settings. |
| rules | IngressRule Backend and route configuration. |
| hosts | VirtualHost Virtual host configuration. |
| redirect | map[string]RedirectAction Redirect actions that can be referenced by Ingress path backends. |
| directResponse | map[string]DirectResponseAction Direct response actions that return responses without forwarding to backends. |
IngressRule
Ingress rule configuration that combines backend group and route settings.
Appears in: Ingress
| Field | Description |
|---|---|
| backends | Backend Backend configuration settings. |
| sessionAffinity | SessionAffinity Session affinity configuration for the backend group. |
| timeout | string Overall timeout for HTTP connection between load balancer and backend. Example: 60s |
| idleTimeout | string Idle timeout for HTTP connection. Example: 300s |
| http | RouteALBHTTP HTTP specific route options. |
| allowedMethods | []string Restricts which HTTP methods are allowed for this route. If not specified, all methods are allowed. Example: ["GET", "POST", "PUT"] |
| prefixRewrite | string Replaces URL paths in HTTP/gRPC requests. With pathType Exact, the entire path is replaced; with pathType Prefix, only the matching prefix is rewritten. Example: /new-prefix |
| modifyRequestHeaders | HeaderModifier Specifies how to modify HTTP request headers before forwarding to backends. |
| modifyResponseHeaders | HeaderModifier Specifies how to modify HTTP response headers before returning to clients. |
| securityProfileID | string Security profile ID for route-level protection. Example: security-profile-1 |
| rbac | RBAC RBAC access control configuration. |
VirtualHost
Virtual host configuration for rate limiting and access control.
Appears in: Ingress
| Field | Description |
|---|---|
| securityProfileID | string Security profile ID for host-level protection. Example: host-security-profile-1 |
| rbac | RBAC RBAC access control configuration. |
| rateLimit | RateLimit Rate limit configuration applied for a whole virtual host. |
RateLimit
Rate limit configuration applied to virtual hosts.
Appears in: VirtualHost
| Field | Description |
|---|---|
| allRequests | RateLimitLimit Rate limit configuration applied to all incoming requests. |
| requestsPerIP | RateLimitLimit Rate limit configuration applied separately for each set of requests grouped by client IP address. |
RateLimitLimit
Rate limit configuration with time-based limits.
Appears in: RateLimit
| Field | Description |
|---|---|
| perMinute | int Limit value specified with per minute time unit. Example: 6000 |
| perSecond | int Limit value specified with per second time unit. Example: 100 |
BackendGroup
Backend group configuration for load balancing and health checks.
Appears in: IngressRule
| Field | Description |
|---|---|
| backends | Backend Backend configuration settings. |
| sessionAffinity | SessionAffinity Session affinity configuration for the backend group. |
Backend
Backend configuration for protocol-specific settings, load balancing, health checks, and TLS.
Appears in: BackendGroup
| Field | Description |
|---|---|
| http | HTTPBackend HTTP specific backend settings. |
| grpc | GRPCBackend gRPC specific backend settings. |
| stream | StreamBackend TCP stream specific backend settings. |
| balancing | LoadBalancingConfig Load balancing configuration for the backend. |
| hc | HealthCheck Health check configuration. |
| tls | BackendTLS TLS settings for backend connections. |
HTTPBackend
HTTP specific backend settings.
Appears in: Backend
| Field | Description |
|---|---|
| useHTTP2 | bool Enables HTTP/2 usage in connections between load balancer nodes and backend targets. Default: false. Example: true |
GRPCBackend
gRPC specific backend settings.
Appears in: Backend
Reserved for future gRPC-specific settings.
StreamBackend
TCP stream specific backend settings.
Appears in: Backend
| Field | Description |
|---|---|
| enableProxy | bool If set, proxy protocol will be enabled for this backend. Example: true |
| keepConnectionsOnHostHealthFailure | bool If a backend host becomes unhealthy, keep connections to the failed host. Example: false |
LoadBalancingConfig
Load balancing configuration for backends.
Appears in: Backend
| Field | Description |
|---|---|
| panicThreshold | int Threshold for panic mode (percentage). If healthy backends drop below this threshold, traffic routes to all backends. Set to 0 to disable panic mode. Example: 50 |
| localityAwareRouting | int Percentage of traffic sent to backends in the same availability zone. Remaining traffic is divided equally between other zones. Example: 90 |
| strictLocality | bool Send traffic only to backends in the same availability zone. If true, localityAwareRouting is ignored. Example: false |
| mode | string Load balancing mode. Options: ROUND_ROBIN, LEAST_REQUEST, RANDOM, RING_HASH, MAGLEV_HASH. Example: ROUND_ROBIN |
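The three locality fields interact, and a mis-set combination can blackhole a zone or keep sending traffic to dead hosts. The following added example (not Gwin's or Yandex ALB's code) models the distribution the table describes: it assumes one backend pool per zone, that localityAwareRouting is the percentage kept in the balancer node's own zone with the remainder divided equally among the other zones that have eligible backends, that strictLocality sends everything to the local zone and ignores localityAwareRouting, that eligible zones share traffic equally when localityAwareRouting is unset, and that panic mode (healthy share below panicThreshold, 0 = disabled) makes every backend eligible regardless of health. Zone names and backend counts are constructed.

```python
"""Split a route's traffic across zones according to LoadBalancingConfig.

Added example, not Gwin's or Yandex ALB's code; the distribution rules
are assumptions stated in the lead-in. Zone data below is constructed.
"""
from typing import Dict

Zones = Dict[str, Dict[str, int]]  # zone name -> {"total": n, "healthy": m}


def healthy_percent(zones: Zones) -> float:
    total = sum(z["total"] for z in zones.values())
    healthy = sum(z["healthy"] for z in zones.values())
    return 100.0 * healthy / total if total else 0.0


def in_panic_mode(cfg: dict, zones: Zones) -> bool:
    """panicThreshold 0 (the default) disables panic mode."""
    threshold = cfg.get("panicThreshold", 0)
    return threshold > 0 and healthy_percent(zones) < threshold


def zone_weights(cfg: dict, local_zone: str, zones: Zones) -> Dict[str, float]:
    """Percentage of traffic a balancer node in local_zone sends to each zone."""
    panic = in_panic_mode(cfg, zones)
    # In panic mode unhealthy backends count too, so any zone with backends is eligible.
    eligible = {name for name, z in zones.items()
                if (z["total"] if panic else z["healthy"]) > 0}
    weights = {name: 0.0 for name in zones}
    if not eligible:
        return weights
    if cfg.get("strictLocality", False):
        # strictLocality overrides localityAwareRouting: only the local zone is used.
        if local_zone in eligible:
            weights[local_zone] = 100.0
        return weights
    if "localityAwareRouting" not in cfg or local_zone not in eligible:
        # No zone preference, or nothing usable locally: equal share over eligible zones.
        share = 100.0 / len(eligible)
        for name in eligible:
            weights[name] = share
        return weights
    others = sorted(eligible - {local_zone})
    local_share = float(cfg["localityAwareRouting"]) if others else 100.0
    weights[local_zone] = local_share
    for name in others:
        weights[name] = (100.0 - local_share) / len(others)
    return weights


# Constructed scenarios using the cheatsheet's balancing block.
CFG = {"mode": "ROUND_ROBIN", "localityAwareRouting": 80, "strictLocality": False, "panicThreshold": 50}
STRICT_CFG = dict(CFG, strictLocality=True)
ALL_HEALTHY = {"ru-central1-a": {"total": 2, "healthy": 2},
               "ru-central1-b": {"total": 2, "healthy": 2},
               "ru-central1-d": {"total": 2, "healthy": 2}}
LOCAL_DOWN = dict(ALL_HEALTHY, **{"ru-central1-a": {"total": 2, "healthy": 0}})
MOSTLY_DOWN = {"ru-central1-a": {"total": 2, "healthy": 0},
               "ru-central1-b": {"total": 2, "healthy": 0},
               "ru-central1-d": {"total": 2, "healthy": 2}}

if __name__ == "__main__":
    for label, zones in [("all healthy", ALL_HEALTHY), ("local down", LOCAL_DOWN), ("mostly down", MOSTLY_DOWN)]:
        print(label, "panic" if in_panic_mode(CFG, zones) else "normal", zone_weights(CFG, "ru-central1-a", zones))
```

With everything healthy the local zone keeps 80% and the other two zones get 10% each; once the local zone is fully unhealthy the remaining zones split traffic evenly. In the "mostly down" scenario only 2 of 6 backends are healthy, which is below the 50% panicThreshold, so the model returns to the 80/10/10 split and deliberately includes unhealthy hosts. That is the trade-off panic mode makes: it prefers sending some requests to failing backends over overloading the few survivors, and with this model strictLocality plus an unhealthy local zone yields no eligible backend at all, which is worth checking before enabling it.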
HealthCheck
Health check configuration for monitoring backend health.
Appears in: Backend
| Field | Description |
|---|---|
| timeout | string Health check timeout: the time allowed for the target to respond. Example: 5s |
| interval | string Base interval between consecutive health checks. Example: 10s |
| healthyThreshold | int Number of consecutive successful checks to mark target as healthy. Default: 0 (1 check required). Example: 2 |
| unhealthyThreshold | int Number of consecutive failed checks to mark target as unhealthy. Default: 0 (1 check required). Example: 3 |
| port | int Port used for health checks. If not specified, backend port is used. Example: 8080 |
| http | HealthcheckHTTP HTTP-specific health check settings. |
| grpc | HealthcheckGRPC gRPC-specific health check settings. |
| stream | HealthcheckStream TCP stream-specific health check settings. |
| transportSettings | HealthCheckTransportSettings Optional transport protocol for health checks. |
HealthcheckHTTP
HTTP-specific health check settings.
Appears in: HealthCheck
| Field | Description |
|---|---|
| host | string Value for the HTTP/1.1 Host header or HTTP/2 :authority pseudo-header. Example: health.example.com |
| path | string HTTP path used in requests to targets. Example: /health |
| useHTTP2 | bool Enables HTTP/2 usage in health checks. Default: false. Example: true |
| expectedStatuses | []int List of HTTP response statuses considered healthy. Default: [200]. Example: [200, 202, 204] |
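The threshold fields of HealthCheck and the expectedStatuses field of HealthcheckHTTP together decide when a target is pulled from or returned to rotation. The following added example (not Gwin's code) serves both tables: it tracks one target through a sequence of HTTP probe results, assuming a target starts healthy, that the thresholds count consecutive results, and that 0 (the default) behaves like 1 as the table states. The probe statuses are constructed.

```python
"""Track a backend target's health from a stream of HTTP probe results.

Added example, not Gwin's code. Assumes a target starts healthy, that
healthyThreshold / unhealthyThreshold count consecutive results, and
that 0 (default) behaves like 1. Probe statuses below are constructed.
"""
from typing import List, Optional


def http_probe_ok(status: int, expected_statuses: Optional[List[int]] = None) -> bool:
    """HealthcheckHTTP: healthy when the status is in expectedStatuses (default [200])."""
    return status in (expected_statuses or [200])


class TargetHealth:
    def __init__(self, healthy_threshold: int = 0, unhealthy_threshold: int = 0) -> None:
        # Default 0 means a single check is enough, as the HealthCheck table says.
        self.healthy_threshold = max(1, healthy_threshold)
        self.unhealthy_threshold = max(1, unhealthy_threshold)
        self.healthy = True
        self._ok_streak = 0
        self._fail_streak = 0

    def observe(self, ok: bool) -> bool:
        """Feed one probe result; return the target's health after it."""
        if ok:
            self._ok_streak += 1
            self._fail_streak = 0
            if not self.healthy and self._ok_streak >= self.healthy_threshold:
                self.healthy = True
        else:
            self._fail_streak += 1
            self._ok_streak = 0
            if self.healthy and self._fail_streak >= self.unhealthy_threshold:
                self.healthy = False
        return self.healthy


def health_timeline(statuses: List[int], healthy_threshold: int = 0, unhealthy_threshold: int = 0,
                    expected_statuses: Optional[List[int]] = None) -> List[bool]:
    """Health after each probe, given the HTTP status each probe returned."""
    target = TargetHealth(healthy_threshold, unhealthy_threshold)
    return [target.observe(http_probe_ok(s, expected_statuses)) for s in statuses]


# Constructed probe results: three failures, a recovery that answers 202, one stray failure.
PROBE_STATUSES = [200, 503, 503, 503, 202, 202, 503, 200]

if __name__ == "__main__":
    print("thresholds 2/3, expect [200, 202]:", health_timeline(PROBE_STATUSES, 2, 3, [200, 202]))
    print("defaults, expect [200, 202]:      ", health_timeline(PROBE_STATUSES, 0, 0, [200, 202]))
    print("defaults, expect default [200]:   ", health_timeline(PROBE_STATUSES))
```

With the cheatsheet's thresholds (2 to heal, 3 to fail) the single stray 503 at the end never ejects the target, whereas with the defaults every probe flips the state, which is the flapping the thresholds exist to prevent. The last run also shows why expectedStatuses matters: with the default of [200] the 202 responses count as failures and the target stays out of rotation until the final 200.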
HealthcheckGRPC
gRPC-specific health check settings.
Appears in: HealthCheck
| Field | Description |
|---|---|
| serviceName | string Name of the gRPC service to be checked. If not specified, overall health is checked. Example: health.v1.HealthService |
HealthcheckStream
TCP stream-specific health check settings.
Appears in: HealthCheck
| Field | Description |
|---|---|
| send | string Message sent to targets during TCP data transfer. If not specified, no data is sent. Example: PING |
| receive | string Data that must be contained in received messages for successful health check. If not specified, no messages are expected. Example: PONG |
HealthCheckTransportSettings
Transport protocol settings for health checks.
Appears in: HealthCheck
| Field | Description |
|---|---|
| plaintext | bool Use plaintext protocol for health checks. Set to true to force HTTP health checks even for HTTPS backends. Example: true |
| tls | BackendTLS TLS settings for health checks. Use when health checks require different TLS configuration than backend. |
BackendTLS
TLS settings for backend connections.
Use when the load balancer must connect to its targets over TLS.
If you only need “TLS as is” (no SNI and no backend certificate verification), provide an empty tls: {} section.
Health check TLS settings work the same way, but are configured separately.
Appears in: Backend, HealthCheckTransportSettings
| Field | Description |
|---|---|
| sni | string Server Name Indication (SNI) string for TLS connections. Example: backend.example.com |
| trustedCA | BackendTLSTrustedCA Validation context for TLS connections. |
BackendTLSTrustedCA
Trusted CA configuration for TLS validation.
Appears in: BackendTLS
| Field | Description |
|---|---|
| id | string Cloud certificate ID. Example: fpq6gvvm6piu******** |
| bytes | string X.509 certificate contents in PEM format. Example: -----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE----- |
SessionAffinity
Session affinity configuration for routing requests from the same client to the same backend.
Appears in: BackendGroup
| Field | Description |
|---|---|
| connection | SessionAffinityConnection Connection-based session affinity (by client IP). |
| cookie | SessionAffinityCookie Cookie-based session affinity. |
| header | SessionAffinityHeader HTTP header-based session affinity. |
SessionAffinityConnection
Connection-based session affinity configuration.
Appears in: SessionAffinity
| Field | Description |
|---|---|
| sourceIP | bool Use client IP address for session affinity. Example: true |
SessionAffinityCookie
Cookie-based session affinity configuration.
Appears in: SessionAffinity
| Field | Description |
|---|---|
| name | string Name of the cookie used for session affinity. Example: session-cookie |
| ttl | string Maximum age of generated session cookies. Set to 0 for session cookies (deleted on client restart). If not set, balancer only uses incoming cookies. Example: 3600s |
SessionAffinityHeader
HTTP header-based session affinity configuration.
Appears in: SessionAffinity
| Field | Description |
|---|---|
| name | string Name of the HTTP header field used for session affinity. Example: X-Session-ID |
ALBRoute
Application Load Balancer route configuration.
Appears in: IngressRule
| Field | Description |
|---|---|
| timeout | string Overall timeout for HTTP connection between load balancer and backend. Default: 60s. Example: 60s |
| idleTimeout | string Idle timeout for HTTP connection. Example: 300s |
| http | RouteALBHTTP HTTP specific route options. |
| securityProfileID | string Security profile ID for route-level protection. Example: security-profile-1 |
| rbac | RBAC RBAC access control configuration. |
RouteALBHTTP
HTTP-specific route configuration.
Appears in: ALBRoute
| Field | Description |
|---|---|
| upgradeTypes | []string Supported values for HTTP Upgrade header. Example: ["websocket"] |
HeaderModifier
HeaderModifier defines various operations that can be performed on HTTP headers. Operations are applied in the following order: append, rename, replace, remove.
Appears in: IngressRule
| Field | Description |
|---|---|
| append | map[string]string Adds new headers. Key is the header name, value is the header value to append. |
| rename | map[string]string Changes the name of existing headers. Key is the original header name, value is the new header name. |
| replace | map[string]string Overwrites the value of existing headers or creates new ones. Key is the header name, value is the new header value. |
| remove | []string Specifies which headers should be removed. |
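Because the four operations run in a fixed order, the outcome of a modifier depends on how they combine: a header renamed in the same block is replaced under its new name, and remove always has the last word. The following added example (not Gwin's code) applies a HeaderModifier to a header map in that order. It assumes header names compare case-insensitively, that append adds a value alongside any the header already had (HTTP headers may carry several values), and that rename moves all values from the old name to the new one. The backend response headers are constructed sample data.

```python
"""Apply a HeaderModifier in the documented order: append, rename, replace, remove.

Added example, not Gwin's code. Assumes case-insensitive header names,
multi-valued append, and rename moving all values. Sample headers are
constructed.
"""
from typing import Dict, List


def apply_header_modifier(headers: Dict[str, List[str]], modifier: dict) -> Dict[str, List[str]]:
    # Lower-case keys so "Server" and "server" are treated as the same header.
    out: Dict[str, List[str]] = {}
    for name, values in headers.items():
        out.setdefault(name.lower(), []).extend(values)
    # 1. append: add a value, keeping any values the header already had
    for name, value in modifier.get("append", {}).items():
        out.setdefault(name.lower(), []).append(value)
    # 2. rename: move every value from the old name to the new name
    for old, new in modifier.get("rename", {}).items():
        values = out.pop(old.lower(), None)
        if values is not None:
            out.setdefault(new.lower(), []).extend(values)
    # 3. replace: overwrite (or create) the header with exactly one value
    for name, value in modifier.get("replace", {}).items():
        out[name.lower()] = [value]
    # 4. remove: drop the header entirely; it runs last, so it wins over append/replace
    for name in modifier.get("remove", []):
        out.pop(name.lower(), None)
    return out


# Constructed backend response, and the cheatsheet's modifyResponseHeaders block.
BACKEND_RESPONSE = {
    "Server": ["nginx/1.25"],
    "X-Powered-By": ["PHP/8.2"],
    "Cache-Control": ["max-age=3600"],
    "Old-Response": ["v1"],
}
RESPONSE_MODIFIER = {
    "append": {"X-Response-Header": "response-value"},
    "rename": {"Old-Response": "New-Response"},
    "replace": {"Cache-Control": "no-cache"},
    "remove": ["Server", "X-Powered-By"],
}

# Constructed modifier that only makes sense once the ordering is known:
# append to X-Trace, rename it, replace it under the NEW name, then remove X-Debug.
ORDER_DEMO_HEADERS = {"X-Trace": ["1"], "X-Debug": ["on"]}
ORDER_DEMO_MODIFIER = {
    "append": {"X-Trace": "2"},
    "rename": {"X-Trace": "X-Trace-Id"},
    "replace": {"X-Trace-Id": "fixed"},
    "remove": ["X-Debug"],
}

if __name__ == "__main__":
    print(apply_header_modifier(BACKEND_RESPONSE, RESPONSE_MODIFIER))
    print(apply_header_modifier(ORDER_DEMO_HEADERS, ORDER_DEMO_MODIFIER))
```

The first call strips the `Server` and `X-Powered-By` fingerprints and pins `Cache-Control`, which is the usual hardening use of modifyResponseHeaders. The second call shows the ordering: `X-Trace` picks up a second value, is renamed, and is then collapsed to a single value under `X-Trace-Id`, while `X-Debug` is gone regardless of what earlier steps did. The same order applies to modifyRequestHeaders, which is why a `replace` of `Authorization` (as in the cheatsheet) overwrites whatever the client sent rather than appending to it.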
RedirectAction
RedirectAction defines an HTTP redirect response that sends clients to a different URL. This action terminates the request processing and returns a redirect response.
Appears in: Ingress
| Field | Description |
|---|---|
| replaceScheme | string Changes the URL scheme (http/https) in the redirect location. Example: https |
| replaceHost | string Changes the hostname in the redirect location. Example: secure.example.com |
| replacePort | int Changes the port number in the redirect location. Example: 443 |
| path | RedirectActionPath Specifies how to modify the path component of the redirect URL. |
| removeQuery | bool Determines whether to remove query parameters from the redirect URL. Example: true |
| responseCode | int HTTP status code for the redirect response (e.g., 301, 302, 303, 307, 308). Example: 301 |
RedirectActionPath
RedirectActionPath defines how to modify the path component in redirect URLs. Only one of ReplacePrefix or ReplacePath should be specified.
Appears in: RedirectAction
| Field | Description |
|---|---|
| replacePrefix | string Replaces the matching path prefix with the specified value. Example: /new-prefix |
| replacePath | string Replaces the entire path with the specified value. Example: /new-path |
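The RedirectAction and RedirectActionPath fields above are easiest to reason about as a function from the incoming request URL to the Location header the client receives. The following added example (not Gwin's code) computes that mapping. It assumes that fields left unset keep the corresponding part of the original URL, that replacePrefix replaces the Ingress path prefix that matched the request, and that a port equal to the scheme's default (80 or 443) is omitted from the host part of the Location. The request URLs are constructed.

```python
"""Compute the redirect a RedirectAction produces for a request URL.

Added example, not Gwin's code. Assumes unset fields keep the original
URL part, replacePrefix swaps the matched Ingress prefix, and default
ports are omitted. Request URLs below are constructed.
"""
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirect_response(action: dict, request_url: str, matched_prefix: str = "/") -> Tuple[int, str]:
    """Return (status code, Location header) for request_url under action."""
    code = action["responseCode"]
    if code not in REDIRECT_CODES:
        raise ValueError("responseCode %r is not a redirect status" % code)
    path_action = action.get("path", {})
    if "replacePrefix" in path_action and "replacePath" in path_action:
        raise ValueError("only one of replacePrefix or replacePath may be set")

    parts = urlsplit(request_url)
    scheme = action.get("replaceScheme", parts.scheme)
    host = action.get("replaceHost", parts.hostname)
    port = action.get("replacePort", parts.port)

    path = parts.path
    if "replacePath" in path_action:
        path = path_action["replacePath"]          # whole path replaced
    elif "replacePrefix" in path_action and path.startswith(matched_prefix):
        path = path_action["replacePrefix"] + path[len(matched_prefix):]  # only the prefix

    query = "" if action.get("removeQuery", False) else parts.query
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default_port) else "%s:%d" % (host, port)
    return code, urlunsplit((scheme, netloc, path, query, ""))


# The cheatsheet's https-redirect action, plus two smaller constructed actions.
HTTPS_REDIRECT = {
    "replaceScheme": "https",
    "replaceHost": "secure.example.com",
    "replacePort": 443,
    "path": {"replacePath": "/new-path"},
    "removeQuery": True,
    "responseCode": 301,
}
SCHEME_ONLY = {"replaceScheme": "https", "responseCode": 308}
PREFIX_ONLY = {"path": {"replacePrefix": "/v2"}, "responseCode": 302}

if __name__ == "__main__":
    print(redirect_response(HTTPS_REDIRECT, "http://example.com/old-path?x=1"))
    print(redirect_response(SCHEME_ONLY, "http://example.com:8080/app?x=1"))
    print(redirect_response(PREFIX_ONLY, "http://example.com/v1/users?a=b", matched_prefix="/v1"))
```

The first call rewrites everything and drops the query string, which is what you want when the original URL may carry tokens you do not want to leak into a new host's logs. The second keeps host, port, path and query and only upgrades the scheme, using 308 so that a POST is not downgraded to a GET by the client. The third shows replacePrefix acting on the matched prefix only. In all three the destination host is a fixed literal from the policy, never taken from the request, so the redirect cannot be steered by a client-controlled Host header.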
DirectResponseAction
DirectResponseAction defines a direct HTTP response that is returned to the client without forwarding the request to any backend service.
Appears in: Ingress
| Field | Description |
|---|---|
| responseCode | int HTTP status code to return. Example: 503 |
| responseBody | DirectResponseActionBody Response body content. |
DirectResponseActionBody
DirectResponseActionBody defines the content of a direct response body.
Appears in: DirectResponseAction
| Field | Description |
|---|---|
| text | string Plain text content to include in the response body. Example: Service temporarily unavailable |
IngressPolicyStatus
IngressPolicyStatus defines the observed state of IngressPolicy.
Appears in: IngressPolicy
| Field | Description |
|---|---|
| conditions | []Condition Current state conditions of the ingress policy. |
| attachedIngresses | int32 Number of currently attached ingresses. |