GatewayPolicy
GatewayPolicy is a Gwin custom resource for configuring gateway-level policies in Yandex Application Load Balancer. It allows you to define load balancer settings, logging configuration, autoscaling, listener settings, and HTTP router options that apply to Gateway resources.
- Cheatsheet
- GatewayPolicySpec
- GatewayPolicyStatus
Cheatsheet
The specification below is not a valid configuration; it only demonstrates all GatewayPolicy fields.
```yaml
apiVersion: gwin.yandex.cloud/v1
kind: GatewayPolicy
metadata:
  name: example-gateway-policy
  namespace: example-ns
spec:
  # Target Gateway resources
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example-gateway
      namespace: gateway-ns
  # Or use label selector
  selector:
    matchLabels:
      app: my-gateway
    matchExpressions:
      - key: environment
        operator: In
        values: ["production", "staging"]
  # Gateway policy configuration
  policy:
    # Load balancer configuration
    subnets: ["subnet-id-1", "subnet-id-2"] # where to place balancer
    securityGroups: ["sg-id-1", "sg-id-2"] # network access control
    allowZonalShift: true # enable failover between zones
    # Cloud Logging
    logs:
      logGroupID: "log-group-id-1" # where to send logs
      disable: false # enable logging
      discardRule:
        rule1: # custom rule name
          httpCodes: [404, 500] # skip these status codes
          httpCodeIntervals: ["HTTP_4XX", "HTTP_5XX"] # skip error ranges
          grpcCodes: ["INTERNAL", "UNIMPLEMENTED"] # skip gRPC errors
          discardPercent: 10 # drop 10% of logs
    # Autoscaling
    autoScale:
      minZoneSize: 2 # min instances per zone
      maxSize: 10 # max total instances
    # Zone traffic control
    zone:
      ru-central1-a:
        receiveTraffic: false # disable this zone
      ru-central1-b:
        receiveTraffic: true # enable this zone
    # Listener configuration (applies to all listeners)
    listeners:
      http:
        protocolSettings:
          allowHTTP10: true # support old HTTP
          http2Options:
            maxConcurrentStreams: 100 # limit connections
      stream:
        idleTimeout: "300s" # close idle connections
      # HTTP router configuration
      securityProfileID: "security-profile-id" # WAF protection
      rbac:
        action: "ALLOW" # access control policy
        principals:
          admin: # principal group
            check-token: # principal name
              header:
                name: "X-Api-Token"
                exact: "admin123"
            check-ip:
              ip:
                remoteIp: "10.0.0.0/8"
    # Specific listener configuration
    listener:
      http-listener: # listener name
        http:
          protocolSettings:
            allowHTTP10: true # per-listener HTTP setting
      stream-listener:
        stream:
          idleTimeout: "300s" # per-listener timeout
status:
  conditions:
    - type: "Ready"
      status: "True"
      reason: "PolicyApplied"
  attachedGateways: 2
```

| Field | Type | Description |
|---|---|---|
| metadata | ObjectMeta | Standard Kubernetes metadata. |
| spec | GatewayPolicySpec | Gateway policy specification. |
| status | GatewayPolicyStatus | Gateway policy status. |
GatewayPolicySpec
GatewayPolicySpec defines the desired state of GatewayPolicy.
Appears in: GatewayPolicy

| Field | Type | Description |
|---|---|---|
| targetRefs | []LocalObjectReference | References to Gateway resources that this policy should apply to. |
| selector | LabelSelector | Label selector for Gateway resources that this policy should apply to. |
| policy | Gateway | Gateway policy configuration. |
LocalObjectReference
Reference to a Kubernetes resource in the same namespace.
Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| group | string | API group of the referenced resource. Example: `gateway.networking.k8s.io` |
| kind | string | Kind of the referenced resource. Example: `Gateway` |
| name | string | Name of the referenced resource. Example: `my-gateway` |
LabelSelector
Label-based selection criteria for resources.
Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| matchLabels | map[string]string | Simple label matching requirements. Example: `app: my-app` |
| matchExpressions | []LabelSelectorRequirement | Advanced label matching expressions. |
LabelSelectorRequirement
Advanced label matching expression with operator and values.
Appears in: LabelSelector

| Field | Type | Description |
|---|---|---|
| key | string | Label key to match. Example: `app` |
| operator | string | Matching operator. Example: `In`, `NotIn`, `Exists` |
| values | []string | Values to match against. Example: `["my-app"]` |
Gateway
Gateway policy configuration that applies to load balancer and listener settings.
Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| subnets | []string | Subnets of the zones where the load balancer will be instantiated. Example: `["subnet-id-1", "subnet-id-2"]` |
| securityGroups | []string | Security groups of the load balancer. Example: `["sg-id-1", "sg-id-2"]` |
| logs | LogOptions | Cloud Logging settings of the application load balancer. |
| autoScale | AutoScalePolicy | Autoscaling settings of the application load balancer. |
| zone | map[string]BalancerZone | Zone-specific traffic control settings. |
| allowZonalShift | bool | Specifies whether the application load balancer is available for zonal shift. Example: `true` |
| listener | map[string]GatewayListener | Specific listener configuration by listener name. |
| listeners | GatewayListener | Common listener configuration for all listeners. |
AutoScalePolicy
Scaling settings of the application load balancer. The scaling settings relate to a special internal instance group which facilitates the balancer's work. Instances in this group are called resource units.
Appears in: Balancer

| Field | Type | Description |
|---|---|---|
| minZoneSize | int | Lower limit for the number of resource units in each availability zone. The minimum value is 2. Example: `2` |
| maxSize | int | Upper limit for the total number of resource units across all availability zones. If the value is 0, there is no upper limit. Example: `10` |
BalancerZone
Zone-specific traffic control settings.
Appears in: Balancer

| Field | Type | Description |
|---|---|---|
| receiveTraffic | bool | Enables the load balancer node in the specified availability zone. Example: `true` |
LogOptions
Cloud logging settings of the application load balancer.
Appears in: Balancer

| Field | Type | Description |
|---|---|---|
| logGroupID | string | Cloud Logging log group ID to store access logs. If not set, logs are stored in the default log group of the folder where the load balancer is located. Example: `log-group-id-1` |
| disable | bool | Do not send logs to the Cloud Logging log group. Example: `false` |
| discardRule | map[string]LogDiscardRule | Log discard rules, where each key is a user-defined rule ID. |
LogDiscardRule
Log discard rule configuration.
Appears in: LogOptions

| Field | Type | Description |
|---|---|---|
| httpCodes | []int | HTTP codes that should be discarded. Example: `[404, 500]` |
| httpCodeIntervals | []string | Groups of HTTP codes, such as 4xx, that should be discarded. Example: `["HTTP_4XX", "HTTP_5XX"]` |
| grpcCodes | []string | gRPC codes that should be discarded. Example: `["INTERNAL", "UNIMPLEMENTED"]` |
| discardPercent | int | Percent of logs to be discarded: 0 keeps all, 100 discards all. Example: `10` |
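Discard rules reduce log volume, but every code they cover is also a detection blind spot (4xx entries are where scanning and failed authentication show up). The following Python is an added audit helper, not Gwin code, that reports what share of access log entries survives per status code for a `discardRule` map; it assumes `HTTP_NXX` names the whole N00..N99 block, that a rule's code selectors are OR-ed, that a rule with no selector applies to every entry, and that each matching rule discards its percent independently. `rule2` is constructed.

```python
# Constructed LogDiscardRule map in the shape of the `discardRule` field: the
# cheatsheet's rule1 plus a hypothetical rule2 that samples successful responses.
DISCARD_RULES = {
    "rule1": {"httpCodes": [404, 500], "httpCodeIntervals": ["HTTP_4XX", "HTTP_5XX"],
              "grpcCodes": ["INTERNAL", "UNIMPLEMENTED"], "discardPercent": 10},
    "rule2": {"httpCodeIntervals": ["HTTP_2XX"], "discardPercent": 50},
}


def interval_covers(interval, code):
    """Assumption: HTTP_NXX means every status code in the N00..N99 block."""
    hundreds = int(interval[len("HTTP_"):-len("XX")])
    return hundreds * 100 <= code < (hundreds + 1) * 100


def rule_selects(rule, http_code=None, grpc_code=None):
    """True when the rule targets this response. Assumption: the code selectors are
    OR-ed, and a rule with no selector at all applies to every access log entry."""
    selectors = [k for k in ("httpCodes", "httpCodeIntervals", "grpcCodes") if rule.get(k)]
    if not selectors:
        return True
    if http_code is not None:
        if http_code in rule.get("httpCodes", []):
            return True
        if any(interval_covers(i, http_code) for i in rule.get("httpCodeIntervals", [])):
            return True
    return grpc_code is not None and grpc_code in rule.get("grpcCodes", [])


def retained_share(rules, http_code=None, grpc_code=None):
    """Expected fraction of log lines kept, assuming each matching rule discards
    its discardPercent independently of the other rules."""
    share = 1.0
    for rule in rules.values():
        if rule_selects(rule, http_code, grpc_code):
            share *= 1 - rule.get("discardPercent", 0) / 100
    return share


def audit(rules, codes=(200, 302, 401, 403, 404, 429, 500)):
    """Map each status code an operator wants to stay visible to its retained share."""
    return {code: retained_share(rules, http_code=code) for code in codes}
```

With the cheatsheet rule every 4xx and 5xx entry is kept at only 90%, so alert thresholds built on counts of 401/403/404 must be scaled accordingly.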
GatewayListener
Gateway listener configuration that combines listener and HTTP router settings.
Appears in: Gateway

| Field | Type | Description |
|---|---|---|
| http | ListenerHTTP | HTTP-specific listener settings. |
| stream | ListenerStream | Stream-specific listener settings. |
| securityProfileID | string | Security profile ID that applies to all requests via the HTTP router. Example: `security-profile-id` |
| rbac | RBAC | RBAC access control configuration. |
Listener
Listener protocol-specific settings.
Appears in: GatewayListener

| Field | Type | Description |
|---|---|---|
| http | ListenerHTTP | HTTP-specific listener settings. |
| stream | ListenerStream | Stream-specific listener settings. |
ListenerHTTP
HTTP specific listener settings.
Appears in: Listener

| Field | Type | Description |
|---|---|---|
| protocolSettings | HTTPProtocolSettings | HTTP protocol configuration. |
HTTPProtocolSettings
HTTP protocol configuration settings.
Appears in: ListenerHTTP

| Field | Type | Description |
|---|---|---|
| allowHTTP10 | bool | Enables support for incoming HTTP/1.0 and HTTP/1.1 requests and disables it for HTTP/2 requests. Example: `true` |
| http2Options | HTTP2Options | HTTP/2 settings. If specified, incoming HTTP/2 requests are supported by the listener. |
HTTP2Options
HTTP/2 protocol options.
Appears in: HTTPProtocolSettings

| Field | Type | Description |
|---|---|---|
| maxConcurrentStreams | int | Maximum number of concurrent HTTP/2 streams in a connection. Example: `100` |
ListenerStream
Stream specific listener settings.
Appears in: Listener

| Field | Type | Description |
|---|---|---|
| idleTimeout | string | Duration during which no data is transmitted or received on either the upstream or downstream connection; once it elapses, the idle connection is closed. Example: `300s` |
RouteOptions
Route options for security and access control.
Appears in: GatewayListener

| Field | Type | Description |
|---|---|---|
| securityProfileID | string | Security profile that applies to all requests routed via this particular route. Example: `security-profile-id` |
| rbac | RBAC | RBAC access control configuration. |
RBAC
Role-Based Access Control configuration.
Appears in: RouteOptions

| Field | Type | Description |
|---|---|---|
| action | string | The action to take if a principal matches. Enum: `ALLOW`, `DENY`. Example: `ALLOW` |
| principals | map[string]map[string]Principal | Principal groups keyed by group name, each holding principals keyed by principal name. A match occurs when at least one principal group matches the request; within a group, every principal must match (AND conditions). |
Principal
Principal configuration for RBAC matching.
Appears in: RBAC

| Field | Type | Description |
|---|---|---|
| header | HeaderPrincipal | A header (or pseudo-header such as `:path` or `:method`) of the incoming HTTP request. |
| ip | IPPrincipal | A CIDR block or IP that describes the request remote/origin address. |
| any | bool | Match any request. Example: `true` |
HeaderPrincipal
Header-based principal matching.
Appears in: Principal

| Field | Type | Description |
|---|---|---|
| name | string | The name of the header to match. Example: `X-Api-Token` |
| regex | string | Regular expression match for the header value. Example: `^admin.*` |
| exact | string | Exact match for the header value. Example: `admin123` |
| prefix | string | Prefix match for the header value. Example: `Bearer` |
IPPrincipal
IP-based principal matching.
Appears in: Principal

| Field | Type | Description |
|---|---|---|
| remoteIp | string | CIDR block or IP address to match. Example: `10.0.0.0/8` |
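The OR-across-groups, AND-within-group semantics of `principals` are easy to get backwards when reviewing a policy. The Python below is an added reference evaluator, not part of Gwin, that applies an `rbac` block of exactly this shape (cheatsheet `admin` group plus a constructed `bearer` group) to a constructed request. Assumptions: header names compare case-insensitively, a `regex` must cover the whole header value, and an empty principal group matches nothing.

```python
import ipaddress
import re

# Constructed `rbac` block in the shape of the GatewayPolicy field. `principals` maps a
# group name to {principal name: Principal}; groups are OR-ed, principals in a group AND-ed.
RBAC = {
    "action": "ALLOW",
    "principals": {
        "admin": {  # token AND source network must both match
            "check-token": {"header": {"name": "X-Api-Token", "exact": "admin123"}},
            "check-ip": {"ip": {"remoteIp": "10.0.0.0/8"}},
        },
        "bearer": {  # hypothetical second group: any client presenting a bearer token
            "check-bearer": {"header": {"name": "Authorization", "prefix": "Bearer "}},
        },
    },
}

def header_matches(spec, headers):
    """HeaderPrincipal: exact, prefix or regex match; header names compared case-insensitively."""
    value = next((v for k, v in headers.items() if k.lower() == spec["name"].lower()), None)
    if value is None:
        return False
    if "exact" in spec:
        return value == spec["exact"]
    if "prefix" in spec:
        return value.startswith(spec["prefix"])
    if "regex" in spec:  # assumption: the regex has to cover the whole header value
        return re.fullmatch(spec["regex"], value) is not None
    return False

def principal_matches(principal, request):
    """Principal: `any`, `header` or `ip`. An unrecognised principal never matches (fails closed)."""
    if principal.get("any"):
        return True
    if "header" in principal:
        return header_matches(principal["header"], request["headers"])
    if "ip" in principal:
        net = ipaddress.ip_network(principal["ip"]["remoteIp"], strict=False)
        return ipaddress.ip_address(request["remote_ip"]) in net
    return False

def rbac_matches(rbac, request):
    """True when at least one group matches; a group matches only if all its principals do.
    Assumption: an empty group matches nothing rather than everything."""
    return any(
        bool(group) and all(principal_matches(p, request) for p in group.values())
        for group in rbac["principals"].values()
    )
```

A request carrying the right token from outside `10.0.0.0/8` does not match the `admin` group, which is the AND rule at work; the configured `action` applies only to requests for which `rbac_matches` is true.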
GatewayPolicyStatus
GatewayPolicyStatus defines the observed state of GatewayPolicy.
Appears in: GatewayPolicy

| Field | Type | Description |
|---|---|---|
| conditions | []Condition | Current state conditions of the gateway policy. |
| attachedGateways | int32 | Number of currently attached gateways. |