IngressPolicy
Written by
Updated at October 30, 2025
- Cheatsheet
- IngressPolicySpec
- Ingress
- IngressGroup
- IngressBalancer
- IngressRule
- VirtualHost
- RateLimit
- RateLimitLimit
- BackendGroup
- Backend
- HTTPBackend
- GRPCBackend
- StreamBackend
- LoadBalancingConfig
- HealthCheck
- HealthcheckHTTP
- HealthcheckGRPC
- HealthcheckStream
- HealthCheckTransportSettings
- BackendTLS
- BackendTLSTrustedCA
- SessionAffinity
- SessionAffinityConnection
- SessionAffinityCookie
- SessionAffinityHeader
- ALBRoute
- RouteALBHTTP
- HeaderModifier
- RedirectAction
- RedirectActionPath
- DirectResponseAction
- DirectResponseActionBody
- IngressPolicyStatus
IngressPolicy is a Gwin custom resource for configuring ingress-level policies in Yandex Application Load Balancer. It allows you to define ingress group settings, load balancer configuration, backend settings, and virtual host options that apply to Ingress resources.
- Cheatsheet
- IngressPolicySpec
- LocalObjectReference
- LabelSelector
- LabelSelectorRequirement
- Ingress
- IngressGroup
- IngressBalancer
- IngressRule
- VirtualHost
- RateLimit
- RateLimitLimit
- BackendGroup
- Backend
- HTTPBackend
- GRPCBackend
- StreamBackend
- LoadBalancingConfig
- HealthCheck
- HealthcheckHTTP
- HealthcheckGRPC
- HealthcheckStream
- HealthCheckTransportSettings
- BackendTLS
- BackendTLSTrustedCA
- SessionAffinity
- SessionAffinityConnection
- SessionAffinityCookie
- SessionAffinityHeader
- ALBRoute
- RouteALBHTTP
- HeaderModifier
- RedirectAction
- RedirectActionPath
- DirectResponseAction
- DirectResponseActionBody
- IngressPolicyStatus
Cheatsheet
Note
Specification provided below is not valid configuration.
It's just demonstration of all IngressPolicy fields.
apiVersion: gwin.yandex.cloud/v1
kind: IngressPolicy
metadata:
name: example-ingress-policy
namespace: example-ns
spec:
# Target Ingress resources
targetRefs:
- group: networking.k8s.io
kind: Ingress
name: example-ingress
# Or use label selector
selector:
matchLabels:
app: my-ingress
matchExpressions:
- key: environment
operator: In
values: ["production", "staging"]
# Ingress policy configuration
policy:
# Ingress group configuration
groupName: "my-ingress-group" # group multiple ingresses
groupOrder: 100 # processing order within group
# Load balancer configuration
externalIPv4Address: "5.4.3.2" # external IPv4 address
externalIPv6Address: "2001:db8::1" # external IPv6 address
subnets: ["subnet-id-1", "subnet-id-2"] # where to place balancer
securityGroups: ["sg-id-1", "sg-id-2"] # network access control
allowZonalShift: true # enable failover between zones
# Cloud Logging
logs:
logGroupID: "log-group-id-1" # where to send logs
disable: false # enable logging
discardRule:
rule1: # custom rule name
httpCodes: [404, 500] # skip these status codes
httpCodeIntervals: ["HTTP_4XX", "HTTP_5XX"] # skip error ranges
grpcCodes: ["INTERNAL", "UNIMPLEMENTED"] # skip gRPC errors
discardPercent: 10 # drop 10% of logs
# Autoscaling
autoScale:
minZoneSize: 2 # min instances per zone
maxSize: 10 # max total instances
# Zone traffic control
zone:
ru-central1-a:
receiveTraffic: false # disable this zone
ru-central1-b:
receiveTraffic: true # enable this zone
# Listener configuration
listeners:
http:
protocolSettings:
allowHTTP10: true # support old HTTP
http2Options:
maxConcurrentStreams: 100 # limit connections
stream:
idleTimeout: "300s" # close idle connections
# HTTP router configuration
rbac:
action: "ALLOW" # access control policy
principals:
admin: # principal group
check-token: # principal name
header:
name: "X-Api-Token"
exact: "admin123"
# Backend and route configuration
rules:
# Backend group configuration
backends:
http:
useHTTP2: true # enable HTTP/2 to backends
balancing:
mode: "ROUND_ROBIN" # load balancing algorithm
localityAwareRouting: 80 # prefer same zone
strictLocality: false # allow cross-zone routing
panicThreshold: 50 # panic mode threshold
# Health checks
hc:
timeout: "5s" # health check timeout
interval: "10s" # check interval
healthyThreshold: 2 # checks to mark healthy
unhealthyThreshold: 3 # checks to mark unhealthy
port: 8080 # health check port
http:
path: "/health" # HTTP health check path
host: "health.example.com" # Host header
useHTTP2: false # use HTTP/1.1 for checks
expectedStatuses: [200, 202] # healthy status codes
# Health check transport settings
transportSettings:
plaintext: true # use plaintext for health checks
tls:
sni: "health.example.com" # SNI for health check TLS
trustedCA:
id: "health-cert-123" # health check TLS cert ID
# Backend TLS configuration
tls:
sni: "backend.example.com" # SNI for TLS
trustedCA:
id: "cert-123456" # cloud certificate ID
# Session affinity
sessionAffinity:
connection:
sourceIP: true # IP-based affinity
cookie:
name: "session" # cookie name
ttl: "3600s" # cookie lifetime
header:
name: "X-Session-ID" # header-based affinity
# Route timeouts
timeout: "60s" # overall connection timeout
idleTimeout: "300s" # idle connection timeout
# HTTP specific settings
http:
upgradeTypes: ["websocket"] # supported upgrade protocols
# HTTP method restrictions
allowedMethods: ["GET", "POST", "PUT"] # restrict allowed HTTP methods
# URL path rewriting
prefixRewrite: "/new-prefix" # rewrite URL path prefix
# Header modifications
modifyRequestHeaders:
append:
X-Custom-Header: "custom-value" # add request header
rename:
Old-Header: "New-Header" # rename request header
replace:
Authorization: "Bearer token" # replace request header
remove: ["X-Remove-Me", "X-Also-Remove"] # remove request headers
modifyResponseHeaders:
append:
X-Response-Header: "response-value" # add response header
rename:
Old-Response: "New-Response" # rename response header
replace:
Cache-Control: "no-cache" # replace response header
remove: ["Server", "X-Powered-By"] # remove response headers
# Security
securityProfileID: "security-profile-1" # WAF profile for routes
rbac:
action: "ALLOW" # default RBAC action
principals:
admin:
check-token:
header:
name: "authorization"
exact: "Bearer admin123"
# Virtual host configuration
hosts:
securityProfileID: "host-security-profile-1" # WAF profile for hosts
rateLimit:
allRequests:
perSecond: 100 # global rate limit
perMinute: 6000 # global rate limit
requestsPerIP:
perSecond: 10 # per-IP rate limit
perMinute: 600 # per-IP rate limit
rbac:
action: "DENY" # host-level RBAC action
principals:
blocked:
bad-ip:
ip:
remoteIp: "192.168.1.0/24"
# Redirect actions (referenced by Ingress backend resources)
redirect:
https-redirect: # redirect action name
replaceScheme: "https" # change URL scheme
replaceHost: "secure.example.com" # change hostname
replacePort: 443 # change port
path:
replacePath: "/new-path" # replace entire path
removeQuery: true # remove query parameters
responseCode: 301 # redirect status code
# Direct response actions (referenced by Ingress backend resources)
directResponse:
maintenance-response: # direct response action name
responseCode: 503 # HTTP status code
responseBody:
text: "Service temporarily unavailable" # response body text
status:
conditions:
- type: "Ready"
status: "True"
reason: "PolicyApplied"
attachedIngresses: 3
| Field | Description |
|---|---|
| metadata | ObjectMeta Standard Kubernetes metadata. |
| spec | IngressPolicySpec Ingress policy specification. |
| status | IngressPolicyStatus Ingress policy status. |
IngressPolicySpec
IngressPolicySpec defines the desired state of IngressPolicy.
Appears in: IngressPolicy
| Field | Description |
|---|---|
| targetRefs | []LocalObjectReference References to Ingress resources that this policy should apply to. |
| selector | LabelSelector Label selector for Ingress resources that this policy should apply to. |
| policy | Ingress Ingress policy configuration. |
Ingress
Ingress policy configuration that applies to ingress group, load balancer, and routing settings.
Appears in: IngressPolicySpec
| Field | Description |
|---|---|
| groupName | string Name of the ingress group to group multiple ingresses together. Example: my-ingress-group |
| groupOrder | int Processing order within the ingress group. Example: 100 |
| externalIPv4Address | string External IPv4 address for the load balancer. Example: 5.4.3.2 |
| externalIPv6Address | string External IPv6 address for the load balancer. Example: 2001:db8::1 |
| subnets | []string Subnets of the zones where load balancer will be instantiated. Example: ["subnet-id-1", "subnet-id-2"] |
| securityGroups | []string Security groups of load balancer. Example: ["sg-id-1", "sg-id-2"] |
| logs | LogOptions Cloud logging settings of the application load balancer. |
| autoScale | AutoScalePolicy Scaling settings of the application load balancer. |
| zone | map[string]BalancerZone Zone-specific traffic control settings. |
| allowZonalShift | bool Specifies whether application load balancer is available to zonal shift. Example: true |
| listeners | GatewayListener Listener configuration settings. |
| rules | IngressRule Backend and route configuration |
| hosts | VirtualHost Virtual host configuration |
| redirect | map[string]RedirectAction Redirect actions that can be referenced by Ingress path backends. |
| directResponse | map[string]DirectResponseAction Direct response actions that return responses without forwarding to backends. |
IngressGroup
Ingress group configuration for grouping multiple ingresses.
Appears in: Ingress
| Field | Description |
|---|---|
| groupName | string Name of the ingress group to group multiple ingresses together. Example: my-ingress-group |
| externalIPv4Address | string External IPv4 address for the load balancer. Example: 5.4.3.2 |
| externalIPv6Address | string External IPv6 address for the load balancer. Example: 2001:db8::1 |
| subnets | []string Subnets of the zones where load balancer will be instantiated. Example: ["subnet-id-1", "subnet-id-2"] |
| securityGroups | []string Security groups of load balancer. Example: ["sg-id-1", "sg-id-2"] |
| logs | LogOptions Cloud logging settings of the application load balancer. |
| autoScale | AutoScalePolicy Scaling settings of the application load balancer. |
| zone | map[string]BalancerZone Zone-specific traffic control settings. |
| allowZonalShift | bool Specifies whether application load balancer is available to zonal shift. Example: true |
| listeners | GatewayListener Listener configuration settings. |
IngressBalancer
Load balancer configuration specific to ingress resources.
Appears in: IngressGroup
| Field | Description |
|---|---|
| externalIPv4Address | string External IPv4 address for the load balancer. Example: 5.4.3.2 |
| externalIPv6Address | string External IPv6 address for the load balancer. Example: 2001:db8::1 |
| subnets | []string Subnets of the zones where load balancer will be instantiated. Example: ["subnet-id-1", "subnet-id-2"] |
| securityGroups | []string Security groups of load balancer. Example: ["sg-id-1", "sg-id-2"] |
| logs | LogOptions Cloud logging settings of the application load balancer. |
| autoScale | AutoScalePolicy Scaling settings of the application load balancer. |
| zone | map[string]BalancerZone Zone-specific traffic control settings. |
| allowZonalShift | bool Specifies whether application load balancer is available to zonal shift. Example: true |
IngressRule
Ingress rule configuration that combines backend group and route settings.
Appears in: Ingress
| Field | Description |
|---|---|
| backends | Backend Backend configuration settings. |
| sessionAffinity | SessionAffinity Session affinity configuration for the backend group. |
| timeout | string Overall timeout for HTTP connection between load balancer and backend. Example: 60s |
| idleTimeout | string Idle timeout for HTTP connection. Example: 300s |
| http | RouteALBHTTP HTTP specific route options. |
| allowedMethods | []string Restricts which HTTP methods are allowed for this route. If not specified, all methods are allowed. Example: ["GET", "POST", "PUT"] |
| prefixRewrite | string Replaces URL paths in HTTP/gRPC requests. With pathType Exact, the entire path is replaced; with pathType Prefix, only the matching prefix is rewritten. Example: /new-prefix |
| modifyRequestHeaders | HeaderModifier Specifies how to modify HTTP request headers before forwarding to backends. |
| modifyResponseHeaders | HeaderModifier Specifies how to modify HTTP response headers before returning to clients. |
| securityProfileID | string Security profile ID for route-level protection. Example: security-profile-1 |
| rbac | RBAC RBAC access control configuration. |
VirtualHost
Virtual host configuration for rate limiting and access control.
Appears in: Ingress
| Field | Description |
|---|---|
| securityProfileID | string Security profile ID for host-level protection. Example: host-security-profile-1 |
| rbac | RBAC RBAC access control configuration. |
| rateLimit | RateLimit Rate limit configuration applied for a whole virtual host. |
RateLimit
Rate limit configuration applied to virtual hosts.
Appears in: VirtualHost
| Field | Description |
|---|---|
| allRequests | RateLimitLimit Rate limit configuration applied to all incoming requests. |
| requestsPerIP | RateLimitLimit Rate limit configuration applied separately for each set of requests grouped by client IP address. |
RateLimitLimit
Rate limit configuration with time-based limits.
Appears in: RateLimit
| Field | Description |
|---|---|
| perMinute | int Limit value specified with per minute time unit. Example: 6000 |
| perSecond | int Limit value specified with per second time unit. Example: 100 |
BackendGroup
Backend group configuration for load balancing and health checks.
Appears in: IngressRule
| Field | Description |
|---|---|
| backends | Backend Backend configuration settings. |
| sessionAffinity | SessionAffinity Session affinity configuration for the backend group. |
Backend
Backend configuration for protocol-specific settings, load balancing, health checks, and TLS.
Appears in: BackendGroup
| Field | Description |
|---|---|
| http | HTTPBackend HTTP specific backend settings. |
| grpc | GRPCBackend gRPC specific backend settings. |
| stream | StreamBackend TCP stream specific backend settings. |
| balancing | LoadBalancingConfig Load balancing configuration for the backend. |
| hc | HealthCheck Health check configuration. |
| tls | BackendTLS TLS settings for backend connections. |
HTTPBackend
HTTP specific backend settings.
Appears in: Backend
| Field | Description |
|---|---|
| useHTTP2 | bool Enables HTTP/2 usage in connections between load balancer nodes and backend targets. Default: false. Example: true |
GRPCBackend
gRPC specific backend settings.
Appears in: Backend
Reserved for future gRPC-specific settings.
StreamBackend
TCP stream specific backend settings.
Appears in: Backend
| Field | Description |
|---|---|
| enableProxy | bool If set, proxy protocol will be enabled for this backend. Example: true |
| keepConnectionsOnHostHealthFailure | bool If a backend host becomes unhealthy, keep connections to the failed host. Example: false |
LoadBalancingConfig
Load balancing configuration for backends.
Appears in: Backend
| Field | Description |
|---|---|
| panicThreshold | int Threshold for panic mode (percentage). If healthy backends drop below this threshold, traffic routes to all backends. Set to 0 to disable panic mode. Example: 50 |
| localityAwareRouting | int Percentage of traffic sent to backends in the same availability zone. Remaining traffic is divided equally between other zones. Example: 90 |
| strictLocality | bool Send traffic only to backends in the same availability zone. If true, localityAwareRouting is ignored. Example: false |
| mode | string Load balancing mode. Options: ROUND_ROBIN, LEAST_REQUEST, RANDOM, RING_HASH, MAGLEV_HASH. Example: ROUND_ROBIN |
HealthCheck
Health check configuration for monitoring backend health.
Appears in: Backend
| Field | Description |
|---|---|
| timeout | string Health check timeout - time allowed for the target to respond. Example: 5s |
| interval | string Base interval between consecutive health checks. Example: 10s |
| healthyThreshold | int Number of consecutive successful checks to mark target as healthy. Default: 0 (1 check required). Example: 2 |
| unhealthyThreshold | int Number of consecutive failed checks to mark target as unhealthy. Default: 0 (1 check required). Example: 3 |
| port | int Port used for health checks. If not specified, backend port is used. Example: 8080 |
| http | HealthcheckHTTP HTTP-specific health check settings. |
| grpc | HealthcheckGRPC gRPC-specific health check settings. |
| stream | HealthcheckStream TCP stream-specific health check settings. |
| transportSettings | HealthCheckTransportSettings Optional transport protocol for health checks. |
HealthcheckHTTP
HTTP-specific health check settings.
Appears in: HealthCheck
| Field | Description |
|---|---|
| host | string Value for the HTTP/1.1 Host header or HTTP/2 :authority pseudo-header. Example: health.example.com |
| path | string HTTP path used in requests to targets. Example: /health |
| useHTTP2 | bool Enables HTTP/2 usage in health checks. Default: false. Example: true |
| expectedStatuses | []int List of HTTP response statuses considered healthy. Default: [200]. Example: [200, 202, 204] |
HealthcheckGRPC
gRPC-specific health check settings.
Appears in: HealthCheck
| Field | Description |
|---|---|
| serviceName | string Name of the gRPC service to be checked. If not specified, overall health is checked. Example: health.v1.HealthService |
HealthcheckStream
TCP stream-specific health check settings.
Appears in: HealthCheck
| Field | Description |
|---|---|
| send | string Message sent to targets during TCP data transfer. If not specified, no data is sent. Example: PING |
| receive | string Data that must be contained in received messages for successful health check. If not specified, no messages are expected. Example: PONG |
HealthCheckTransportSettings
Transport protocol settings for health checks.
Appears in: HealthCheck
| Field | Description |
|---|---|
| plaintext | bool Use plaintext protocol for health checks. Set to true to force HTTP health checks even for HTTPS backends. Example: true |
| tls | BackendTLS TLS settings for health checks. Use when health checks require different TLS configuration than backend. |
BackendTLS
TLS settings for backend connections.
Appears in: Backend, HealthCheckTransportSettings
| Field | Description |
|---|---|
| sni | string Server Name Indication (SNI) string for TLS connections. Example: backend.example.com |
| trustedCA | BackendTLSTrustedCA Validation context for TLS connections. |
BackendTLSTrustedCA
Trusted CA configuration for TLS validation.
Appears in: BackendTLS
| Field | Description |
|---|---|
| id | string Cloud certificate ID. Example: fpq6gvvm6piu******** |
| bytes | string X.509 certificate contents in PEM format. Example: -----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE----- |
SessionAffinity
Session affinity configuration for routing requests from the same client to the same backend.
Appears in: BackendGroup
| Field | Description |
|---|---|
| connection | SessionAffinityConnection Connection-based session affinity (by client IP). |
| cookie | SessionAffinityCookie Cookie-based session affinity. |
| header | SessionAffinityHeader HTTP header-based session affinity. |
SessionAffinityConnection
Connection-based session affinity configuration.
Appears in: SessionAffinity
| Field | Description |
|---|---|
| sourceIP | bool Use client IP address for session affinity. Example: true |
SessionAffinityCookie
Cookie-based session affinity configuration.
Appears in: SessionAffinity
| Field | Description |
|---|---|
| name | string Name of the cookie used for session affinity. Example: session-cookie |
| ttl | string Maximum age of generated session cookies. Set to 0 for session cookies (deleted on client restart). If not set, balancer only uses incoming cookies. Example: 3600s |
SessionAffinityHeader
HTTP header-based session affinity configuration.
Appears in: SessionAffinity
| Field | Description |
|---|---|
| name | string Name of the HTTP header field used for session affinity. Example: X-Session-ID |
ALBRoute
Application Load Balancer route configuration.
Appears in: IngressRule
| Field | Description |
|---|---|
| timeout | string Overall timeout for HTTP connection between load balancer and backend. Default: 60s. Example: 60s |
| idleTimeout | string Idle timeout for HTTP connection. Example: 300s |
| http | RouteALBHTTP HTTP specific route options. |
| securityProfileID | string Security profile ID for route-level protection. Example: security-profile-1 |
| rbac | RBAC RBAC access control configuration. |
RouteALBHTTP
HTTP-specific route configuration.
Appears in: ALBRoute
| Field | Description |
|---|---|
| upgradeTypes | []string Supported values for HTTP Upgrade header. Example: ["websocket"] |
HeaderModifier
HeaderModifier defines various operations that can be performed on HTTP headers. Operations are applied in the following order: append, rename, replace, remove.
Appears in: IngressRule
| Field | Description |
|---|---|
| append | map[string]string Adds new headers. Key is the header name, value is the header value to append. |
| rename | map[string]string Changes the name of existing headers. Key is the original header name, value is the new header name. |
| replace | map[string]string Overwrites the value of existing headers or creates new ones. Key is the header name, value is the new header value. |
| remove | []string Specifies which headers should be removed. |
RedirectAction
RedirectAction defines an HTTP redirect response that sends clients to a different URL. This action terminates the request processing and returns a redirect response.
Appears in: Ingress
| Field | Description |
|---|---|
| replaceScheme | string Changes the URL scheme (http/https) in the redirect location. Example: https |
| replaceHost | string Changes the hostname in the redirect location. Example: secure.example.com |
| replacePort | int Changes the port number in the redirect location. Example: 443 |
| path | RedirectActionPath Specifies how to modify the path component of the redirect URL. |
| removeQuery | bool Determines whether to remove query parameters from the redirect URL. Example: true |
| responseCode | int HTTP status code for the redirect response. (e.g., 301, 302, 303, 307, 308) Example: 301 |
RedirectActionPath
RedirectActionPath defines how to modify the path component in redirect URLs. Only one of ReplacePrefix or ReplacePath should be specified.
Appears in: RedirectAction
| Field | Description |
|---|---|
| replacePrefix | string Replaces the matching path prefix with the specified value. Example: /new-prefix |
| replacePath | string Replaces the entire path with the specified value. Example: /new-path |
DirectResponseAction
DirectResponseAction defines a direct HTTP response that is returned to the client without forwarding the request to any backend service.
Appears in: Ingress
| Field | Description |
|---|---|
| responseCode | int HTTP status code to return. Example: 503 |
| responseBody | DirectResponseActionBody Response body content |
DirectResponseActionBody
DirectResponseActionBody defines the content of a direct response body.
Appears in: DirectResponseAction
| Field | Description |
|---|---|
| text | string Plain text content to include in the response body. Example: Service temporarily unavailable |
IngressPolicyStatus
IngressPolicyStatus defines the observed state of IngressPolicy.
Appears in: IngressPolicy
| Field | Description |
|---|---|
| conditions | []Condition Current state conditions of the ingress policy. |
| attachedIngresses | int32 Number of currently attached ingresses. |