HTTPRoute
HTTPRoute provides a way to route HTTP requests. This includes the capability to match requests by hostname, path, header, or query param. Filters can be used to modify requests, and requests should be routed to backend services.
HTTPRoute is a Kubernetes Gateway API project resource. Below, we describe its fields and annotations used by Gwin. For details, see the upstream documentation.
HTTPRoute resources must be attached to Gateway resources to function properly.
- Cheatsheet
- HTTPRouteMeta
- HTTPRouteSpec
Примечание
Specification provided below is not valid configuration.
It's just demonstration of all
HTTPRoute fields.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: example-route
namespace: example-ns
annotations: ... # see annotations example below
spec:
parentRefs: # attach to Gateway resources
- group: gateway.networking.k8s.io
kind: Gateway
namespace: gateway-ns
name: example-gateway
sectionName: http-listener # specific listener name, can be omitted
hostnames: # domains this route handles
- "*.example.com" # wildcard domain
- "api.example.com" # specific subdomain
rules:
- name: api-rule # rule identifier
matches: # conditions for this rule
- path:
type: PathPrefix # match path prefix
value: "/api"
method: GET # HTTP method
headers: # header matching
- name: "X-Version"
value: "v1"
filters: # modify requests before routing
- type: RequestHeaderModifier
requestHeaderModifier:
set: # replace header values
- name: "X-Custom-Header"
value: "custom-value"
add: # add new headers
- name: "X-Added-Header"
value: "added-value"
remove: # remove headers
- "X-Remove-Header"
- type: ResponseHeaderModifier # modify response headers
responseHeaderModifier: ... # same as RequestHeaderModifier
- type: RequestRedirect # redirect instead of routing
requestRedirect:
scheme: https # change protocol
hostname: secure.example.com # change host
path:
type: ReplaceFullPath # replace entire path
replaceFullPath: "/v2/api"
port: 443 # change port
statusCode: 301 # HTTP redirect code
backendRefs: # where to route requests
- group: "" # core Kubernetes API
kind: Service # Kubernetes service
name: api-service
namespace: api-ns
port: 8080
weight: 80 # 80% of traffic
- group: gwin.yandex.cloud # Gwin custom resources
kind: YCStorageBucket # Object Storage bucket
name: static-bucket
weight: 20 # 20% of traffic
timeouts: # request timeouts
backendRequest: "25s" # backend request timeout
|Field
|Description
|metadata
|HTTPRouteMeta
Name, namespace and annotations.
|spec
|HTTPRouteSpec
Resource specification.
HTTPRouteMeta
|Field
|Description
|name
|string
Name of the HTTPRoute.
|namespace
|string
Namespace of the HTTPRoute.
|annotations
|map[string]string
Annotations of the HTTPRoute.
Annotations cheatsheet
Примечание
You can also set policy parameters using RoutePolicy resource. The RoutePolicy resource parameters and HTTPRoute annotations are equivalent.
Specification provided below is not valid configuration.
It's just demonstration of all
HTTPRoute annotations.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
annotations:
# Backend group configuration
gwin.yandex.cloud/rules.backends.http.useHTTP2: "true" # enable HTTP/2 to backends
gwin.yandex.cloud/rules.backends.balancing.mode: "ROUND_ROBIN" # load balancing algorithm
gwin.yandex.cloud/rules.backends.balancing.localityAwareRouting: "80" # prefer same zone
gwin.yandex.cloud/rules.backends.balancing.strictLocality: "false" # allow cross-zone routing
gwin.yandex.cloud/rules.backends.balancing.panicThreshold: "50" # panic mode threshold
# Health checks
gwin.yandex.cloud/rules.backends.hc.timeout: "5s" # health check timeout
gwin.yandex.cloud/rules.backends.hc.interval: "10s" # check interval
gwin.yandex.cloud/rules.backends.hc.healthyThreshold: "2" # checks to mark healthy
gwin.yandex.cloud/rules.backends.hc.unhealthyThreshold: "3" # checks to mark unhealthy
gwin.yandex.cloud/rules.backends.hc.port: "8080" # health check port
gwin.yandex.cloud/rules.backends.hc.http.path: "/health" # HTTP health check path
gwin.yandex.cloud/rules.backends.hc.http.useHTTP2: "false" # use HTTP/1.1 for checks
gwin.yandex.cloud/rules.backends.hc.http.host: "health.example.com" # Host header
gwin.yandex.cloud/rules.backends.hc.grpc.serviceName: "health.HealthService" # gRPC service
gwin.yandex.cloud/rules.backends.hc.stream.send: "PING" # TCP check data to send
gwin.yandex.cloud/rules.backends.hc.stream.receive: "PONG" # expected TCP response
# Health check transport settings
gwin.yandex.cloud/rules.backends.hc.transportSettings.plaintext: "true" # use plaintext for health checks
gwin.yandex.cloud/rules.backends.hc.transportSettings.tls.sni: "health.example.com" # SNI for health check TLS
gwin.yandex.cloud/rules.backends.hc.transportSettings.tls.trustedCA.id: "health-cert-123" # health check TLS cert ID
gwin.yandex.cloud/rules.backends.hc.transportSettings.tls.trustedCA.bytes: "-----BEGIN CERTIFICATE-----..." # health check TLS cert PEM
# Backend TLS configuration
gwin.yandex.cloud/rules.backends.tls.sni: "backend.example.com" # SNI for TLS
gwin.yandex.cloud/rules.backends.tls.trustedCA.id: "cert-123456" # cloud certificate ID
gwin.yandex.cloud/rules.backends.tls.trustedCA.bytes: "-----BEGIN CERTIFICATE-----..." # PEM certificate
# Stream backend configuration
gwin.yandex.cloud/rules.backends.stream.enableProxy: "true" # enable proxy protocol
gwin.yandex.cloud/rules.backends.stream.keepConnectionsOnHostHealthFailure: "false" # drop failed connections
# Session affinity
gwin.yandex.cloud/rules.sessionAffinity.header.name: "X-Session-ID" # header-based affinity
gwin.yandex.cloud/rules.sessionAffinity.cookie.name: "session" # cookie name
gwin.yandex.cloud/rules.sessionAffinity.cookie.ttl: "3600s" # cookie lifetime
gwin.yandex.cloud/rules.sessionAffinity.sourceIP: "true" # IP-based affinity
# Route timeouts
gwin.yandex.cloud/rules.timeout: "60s" # overall connection timeout
gwin.yandex.cloud/rules.idleTimeout: "300s" # idle connection timeout
# HTTP specific settings
gwin.yandex.cloud/rules.httpUpgradeTypes: "websocket" # supported upgrade protocols
# Security
gwin.yandex.cloud/rules.securityProfileID: "security-profile-1" # WAF profile for routes
gwin.yandex.cloud/hosts.securityProfileID: "host-security-profile-1" # WAF profile for hosts
# Rate limiting
gwin.yandex.cloud/hosts.rateLimit.allRequests.perSecond: "100" # global rate limit
gwin.yandex.cloud/hosts.rateLimit.allRequests.perMinute: "6000" # global rate limit
gwin.yandex.cloud/hosts.rateLimit.requestsPerIP.perSecond: "10" # per-IP rate limit
gwin.yandex.cloud/hosts.rateLimit.requestsPerIP.perMinute: "600" # per-IP rate limit
# RBAC configuration
gwin.yandex.cloud/rules.rbac.action: "ALLOW" # default RBAC action
gwin.yandex.cloud/rules.rbac.principals.admin.check-token.header.name: "X-Api-Token" # header to check
gwin.yandex.cloud/rules.rbac.principals.admin.check-token.header.exact: "admin123" # required value
gwin.yandex.cloud/rules.rbac.principals.admin.check-ip.ip.remoteIp: "10.0.0.0/8" # allowed IP range
gwin.yandex.cloud/rules.rbac.principals.admin.any.any: "true" # match any request
gwin.yandex.cloud/hosts.rbac.action: "DENY" # host-level RBAC action
# Rule-specific configuration (overrides global settings)
gwin.yandex.cloud/rule.api-rule.backends.balancing.mode: "LEAST_REQUEST" # per-rule balancing
gwin.yandex.cloud/rule.api-rule.timeout: "30s" # per-rule timeout
gwin.yandex.cloud/rule.api-rule.idleTimeout: "120s" # per-rule idle timeout
Annotations reference
Backend group configuration
|Annotation and description
|
gwin.yandex.cloud/rules.backends.http.useHTTP2
(boolean)
Use HTTP/2 for connections between load balancer and backends.
Example:
true
|
gwin.yandex.cloud/rules.backends.balancing.mode
(string)
Load balancing mode for backend group. Possible values:
RANDOM,
ROUND_ROBIN,
LEAST_REQUEST.
Example:
ROUND_ROBIN
|
gwin.yandex.cloud/rules.backends.balancing.localityAwareRouting
(number)
Percentage of traffic sent to backends in the same availability zone.
Example:
80
|
gwin.yandex.cloud/rules.backends.balancing.strictLocality
(boolean)
Route traffic only to backends in the same availability zone.
Example:
false
|
gwin.yandex.cloud/rules.backends.balancing.panicThreshold
(number)
Panic mode threshold percentage for load balancing.
Example:
50
Health check configuration
Common health check settings
|Annotation and description
|
gwin.yandex.cloud/rules.backends.hc.timeout
(duration)
Health check timeout.
Example:
5s
|
gwin.yandex.cloud/rules.backends.hc.interval
(duration)
Interval between health checks.
Example:
10s
|
gwin.yandex.cloud/rules.backends.hc.healthyThreshold
(number)
Number of successful checks to mark backend as healthy.
Example:
2
|
gwin.yandex.cloud/rules.backends.hc.unhealthyThreshold
(number)
Number of failed checks to mark backend as unhealthy.
Example:
3
|
gwin.yandex.cloud/rules.backends.hc.port
(number)
Port for health checks.
Example:
8080
HTTP health checks
|Annotation and description
|
gwin.yandex.cloud/rules.backends.hc.http.path
(string)
HTTP path for health checks.
Example:
/health
|
gwin.yandex.cloud/rules.backends.hc.http.useHTTP2
(boolean)
Use HTTP/2 for health checks.
Example:
false
|
gwin.yandex.cloud/rules.backends.hc.http.host
(string)
Host header for HTTP health checks.
Example:
health.example.com
gRPC health checks
|Annotation and description
|
gwin.yandex.cloud/rules.backends.hc.grpc.serviceName
(string)
gRPC service name for health checks.
Example:
health.HealthService
Stream health checks
|Annotation and description
|
gwin.yandex.cloud/rules.backends.hc.stream.send
(string)
Data to send for TCP health checks.
Example:
PING
|
gwin.yandex.cloud/rules.backends.hc.stream.receive
(string)
Expected response for TCP health checks.
Example:
PONG
Health check transport settings
|Annotation and description
|
gwin.yandex.cloud/rules.backends.hc.transportSettings.plaintext
(boolean)
Use plaintext protocol for health checks. Set to
true to force HTTP health checks even for HTTPS backends.
Example:
true
|
gwin.yandex.cloud/rules.backends.hc.transportSettings.tls.sni
(string)
Server Name Indication (SNI) for health check TLS connections.
Example:
health.example.com
|
gwin.yandex.cloud/rules.backends.hc.transportSettings.tls.trustedCA.id
(string)
Cloud certificate ID for health check TLS validation.
Example:
health-cert-123
|
gwin.yandex.cloud/rules.backends.hc.transportSettings.tls.trustedCA.bytes
(string)
X.509 certificate contents in PEM format for health check TLS validation.
Example:
-----BEGIN CERTIFICATE-----...
Backend TLS configuration
|Annotation and description
|
gwin.yandex.cloud/rules.backends.tls.sni
(string)
Server Name Indication (SNI) for TLS connections to backends.
Example:
backend.example.com
|
gwin.yandex.cloud/rules.backends.tls.trustedCA.id
(string)
Cloud certificate ID for backend TLS validation.
Example:
cert-123456
|
gwin.yandex.cloud/rules.backends.tls.trustedCA.bytes
(string)
X.509 certificate contents in PEM format for backend TLS validation.
Example:
-----BEGIN CERTIFICATE-----...
Stream backend configuration
|Annotation and description
|
gwin.yandex.cloud/rules.backends.stream.enableProxy
(boolean)
Enable proxy protocol for stream backends.
Example:
true
|
gwin.yandex.cloud/rules.backends.stream.keepConnectionsOnHostHealthFailure
(boolean)
Keep connections when backend host becomes unhealthy.
Example:
false
Session affinity
|Annotation and description
|
gwin.yandex.cloud/rules.sessionAffinity.header.name
(string)
HTTP header name for session affinity.
Example:
X-Session-ID
|
gwin.yandex.cloud/rules.sessionAffinity.cookie.name
(string)
Cookie name for session affinity.
Example:
session
|
gwin.yandex.cloud/rules.sessionAffinity.cookie.ttl
(duration)
Cookie TTL for session affinity.
Example:
3600s
|
gwin.yandex.cloud/rules.sessionAffinity.sourceIP
(boolean)
Use source IP for session affinity.
Example:
true
Route configuration
|Annotation and description
|
gwin.yandex.cloud/rules.timeout
(duration)
Overall timeout for HTTP connection between load balancer and backend. The maximum time the connection is kept alive, regardless of data transfer. Default: 60s. On timeout, returns UNAVAILABLE status. NOTE: In HTTPRoute you can use rules[].timeouts.backendRequest field instead, it overrides annotation value.
Example:
60s
|
gwin.yandex.cloud/rules.idleTimeout
(duration)
Idle timeout for HTTP connection.
Example:
300s
|
gwin.yandex.cloud/rules.httpUpgradeTypes
(comma separated strings)
Supported HTTP Upgrade header values.
Example:
websocket
Security configuration
|Annotation and description
|
gwin.yandex.cloud/rules.securityProfileID
(string)
Security profile ID for route-level protection.
Example:
security-profile-1
|
gwin.yandex.cloud/hosts.securityProfileID
(string)
Security profile ID for host-level protection.
Example:
host-security-profile-1
Rate limiting
|Annotation and description
|
gwin.yandex.cloud/hosts.rateLimit.allRequests.perSecond
(number)
Rate limit for all requests per second.
Example:
100
|
gwin.yandex.cloud/hosts.rateLimit.allRequests.perMinute
(number)
Rate limit for all requests per minute.
Example:
6000
|
gwin.yandex.cloud/hosts.rateLimit.requestsPerIP.perSecond
(number)
Rate limit per IP address per second.
Example:
10
|
gwin.yandex.cloud/hosts.rateLimit.requestsPerIP.perMinute
(number)
Rate limit per IP address per minute.
Example:
600
RBAC configuration
RBAC allows controlling access to routes or hosts based on request attributes.
Annotations follow the pattern:
gwin.yandex.cloud/{resource}.rbac.principals.{principal-group}.{principal}.{rule-type}
Where:
{resource}— resource type (
rules,
hosts);
{principal-group}— logical group of checks (e.g.
admin);
{principal}— specific principal identifier (e.g.
check-token);
{rule-type}— matching rule type (
header,
ip, etc.).
Combination Rules
- All checks within the same principal group are combined with AND logic.
- Different principal groups are combined with OR logic.
|Annotation and description
|
gwin.yandex.cloud/rules.rbac.action
(string)
Action when principals match (ALLOW/DENY) for route access control.
Example:
ALLOW
|
gwin.yandex.cloud/rules.rbac.principals.{group}.{principal}.header.name
(string)
Header name to match for route RBAC.
Example:
X-Api-Token
|
gwin.yandex.cloud/rules.rbac.principals.{group}.{principal}.header.exact
(string)
Exact header value match for route RBAC.
Example:
admin123
|
gwin.yandex.cloud/rules.rbac.principals.{group}.{principal}.header.regex
(string)
Regex pattern for header value match for route RBAC.
Example:
^admin.*
|
gwin.yandex.cloud/rules.rbac.principals.{group}.{principal}.header.prefix
(string)
Header value prefix match for route RBAC.
Example:
Bearer
|
gwin.yandex.cloud/rules.rbac.principals.{group}.{principal}.ip.remoteIp
(string)
IP address or CIDR block for route RBAC.
Example:
10.0.0.0/8
|
gwin.yandex.cloud/rules.rbac.principals.{group}.{principal}.any
(boolean)
Match any request for route RBAC.
Example:
true
|
gwin.yandex.cloud/hosts.rbac.action
(string)
Action when principals match (ALLOW/DENY) for host access control.
Example:
DENY
Rule-specific configuration
Примечание
Any
rules option can be applied to a specific rule by prefixing with
rule.{rule-name}.
For example:
gwin.yandex.cloud/rule.api-rule.backends.balancing.mode: "LEAST_REQUEST".
|Annotation and description
|
gwin.yandex.cloud/rule.{rule-name}.backends.balancing.mode
(string)
Load balancing mode for specific rule.
Example:
LEAST_REQUEST
|
gwin.yandex.cloud/rule.{rule-name}.timeout
(duration)
Timeout for specific rule.
Example:
30s
|
gwin.yandex.cloud/rule.{rule-name}.idleTimeout
(duration)
Idle timeout for specific rule.
Example:
120s
HTTPRouteSpec
HTTPRoute specification defines the desired state of HTTPRoute.
Appears in: HTTPRoute
|Field
|Description
|parentRefs
|[]ParentReference
References to Gateway resources that this HTTPRoute should attach to.
|hostnames
|[]string
Hostnames that should match against the HTTP Host header.
|rules
|[]HTTPRouteRule
Rules for routing HTTP requests.
ParentReference
Reference to a Gateway resource that this route should attach to.
Appears in: HTTPRouteSpec
|Field
|Description
|group
|string
API group of the parent resource.
Example:
gateway.networking.k8s.io
|kind
|string
Kind of the parent resource.
Example:
Gateway
|namespace
|string
Namespace of the parent resource.
Example:
gateway-ns
|name
|string
Name of the parent resource.
Example:
example-gateway
|sectionName
|string
Name of the specific listener to attach to.
Example:
http-listener
|port
|int32
Port number of the listener to attach to.
Example:
80
HTTPRouteRule
HTTPRouteRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to an API object (backendRefs).
Appears in: HTTPRouteSpec
|Field
|Description
|name
|string
Name of the route rule. Must be unique within a Route if set.
Example:
api-rule
|matches
|[]HTTPRouteMatch
Conditions required for a request to match this rule.
|filters
|[]HTTPRouteFilter
Filters to modify requests before forwarding to backends.
|backendRefs
|[]HTTPBackendRef
Backend services to route requests to.
|timeouts
|HTTPRouteTimeouts
Timeout configuration for this rule.
HTTPRouteMatch
HTTPRouteMatch defines the predicate used to match requests to a given action. Multiple match types are ANDed together.
Appears in: HTTPRouteRule
|Field
|Description
|path
|HTTPPathMatch
HTTP request path matcher.
|headers
|[]HTTPHeaderMatch
HTTP request header matchers.
|queryParams
|[]HTTPQueryParamMatch
HTTP query parameter matchers.
|method
|string
HTTP method to match.
Example:
GET,
POST,
PUT.
HTTPPathMatch
HTTPPathMatch describes how to select a HTTP route by matching the HTTP request path.
Appears in: HTTPRouteMatch
|Field
|Description
|type
|string
Path match type.
Exact for exact path match,
PathPrefix for path prefix match.
Example:
Exact,
PathPrefix.
|value
|string
Path value to match against.
Example:
/api/v1,
/.
HTTPRouteFilter
HTTPRouteFilter defines processing steps that must be completed during the request or response lifecycle.
Appears in: HTTPRouteRule, HTTPBackendRef
|Field
|Description
|type
|string
Filter type. Supported:
RequestHeaderModifier,
ResponseHeaderModifier,
RequestRedirect,
URLRewrite
Example:
RequestHeaderModifier
|requestHeaderModifier
|HTTPHeaderFilter
Request header modification configuration.
|responseHeaderModifier
|HTTPHeaderFilter
Response header modification configuration.
|requestRedirect
|HTTPRequestRedirectFilter
Request redirect configuration.
|urlRewrite
|HTTPURLRewriteFilter
URL rewrite configuration.
HTTPHeaderFilter
HTTPHeaderFilter defines configuration for header modification filters (both RequestHeaderModifier and ResponseHeaderModifier).
Appears in: HTTPRouteFilter
|Field
|Description
|set
|[]HTTPHeader
Headers to set, replacing any existing values.
|add
|[]HTTPHeader
Headers to add to the request/response.
|remove
|[]string
Header names to remove from the request/response.
HTTPRequestRedirectFilter
HTTPRequestRedirectFilter defines configuration for the RequestRedirect filter.
Appears in: HTTPRouteFilter
|Field
|Description
|scheme
|string
Scheme to redirect to.
Example:
https
|hostname
|string
Hostname to redirect to.
Example:
secure.example.com
|path
|HTTPPathModifier
Path modification for redirect.
|port
|int32
Port to redirect to.
Example:
443
|statusCode
|int
HTTP status code for redirect.
Example:
301,
302.
HTTPPathModifier
HTTPPathModifier defines configuration for path modification in redirects.
Appears in: HTTPRequestRedirectFilter
|Field
|Description
|type
|string
Path modification type.
ReplaceFullPath or
ReplacePrefixMatch.
Example:
ReplaceFullPath
|replaceFullPath
|string
Complete path replacement.
Example:
/v2/api
|replacePrefixMatch
|string
Path prefix replacement.
Example:
/api/v2
HTTPBackendRef
HTTPBackendRef defines how an HTTPRoute forwards an HTTP request.
Service or
YCStorageBucket can be used as a backend.
Appears in: HTTPRouteRule
|Field
|Description
|group
|string
API group of the backend resource.
Example:
"",
gwin.yandex.cloud.
|kind
|string
Kind of the backend resource.
Example:
Service,
YCStorageBucket.
|name
|string
Name of the backend resource.
Example:
api-service
|namespace
|string
Namespace of the backend resource.
Example:
api-ns
|port
|int32
Port of the backend service (for
Service kind only).
Example:
8080
|weight
|int32
Weight for traffic distribution between backends.
Example:
80
HTTPRouteTimeouts
HTTPRouteTimeouts defines timeouts that can be configured for an HTTPRoute.
Appears in: HTTPRouteRule
|Field
|Description
|backendRequest
|string
Maximum duration for a request from balancer to a backend.
Example:
25s