# GatewayPolicy

GatewayPolicy is a Gwin custom resource for configuring gateway-level policies in Yandex Application Load Balancer. It allows you to define load balancer settings, logging configuration, autoscaling, listener settings, and HTTP router options that apply to Gateway resources.

## Cheatsheet
Note: the specification below is not a valid configuration. It is only a demonstration of all GatewayPolicy fields.
```yaml
apiVersion: gwin.yandex.cloud/v1
kind: GatewayPolicy
metadata:
  name: example-gateway-policy
  namespace: example-ns
spec:
  # Target Gateway resources
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example-gateway
  # Or use label selector
  selector:
    matchLabels:
      app: my-gateway
    matchExpressions:
      - key: environment
        operator: In
        values: ["production", "staging"]
  # Gateway policy configuration
  policy:
    # Load balancer configuration
    subnets: ["subnet-id-1", "subnet-id-2"]  # where to place balancer
    securityGroups: ["sg-id-1", "sg-id-2"]   # network access control
    allowZonalShift: true                     # enable failover between zones
    # Cloud Logging
    logs:
      logGroupID: "log-group-id-1"  # where to send logs
      disable: false                # enable logging
      discardRule:
        rule1:  # custom rule name
          httpCodes: [404, 500]                        # skip these status codes
          httpCodeIntervals: ["HTTP_4XX", "HTTP_5XX"]  # skip error ranges
          grpcCodes: ["INTERNAL", "UNIMPLEMENTED"]     # skip gRPC errors
          discardPercent: 10                           # drop 10% of logs
    # Autoscaling
    autoScale:
      minZoneSize: 2  # min instances per zone
      maxSize: 10     # max total instances
    # Zone traffic control
    zone:
      ru-central1-a:
        receiveTraffic: false  # disable this zone
      ru-central1-b:
        receiveTraffic: true   # enable this zone
    # Listener configuration (applies to all listeners)
    listeners:
      http:
        protocolSettings:
          allowHTTP10: true  # support old HTTP
          http2Options:
            maxConcurrentStreams: 100  # limit connections
      stream:
        idleTimeout: "300s"  # close idle connections
      # HTTP router configuration
      rbac:
        action: "ALLOW"  # access control policy
        principals:
          admin:  # principal group
            check-token:  # principal name
              header:
                name: "X-Api-Token"
                exact: "admin123"
            check-ip:
              ip:
                remoteIp: "10.0.0.0/8"
    # Specific listener configuration
    listener:
      http-listener:  # listener name
        http:
          protocolSettings:
            allowHTTP10: true  # per-listener HTTP setting
      stream-listener:
        stream:
          idleTimeout: "300s"  # per-listener timeout
status:
  conditions:
    - type: "Ready"
      status: "True"
      reason: "PolicyApplied"
  attachedGateways: 2
```
| Field | Type | Description |
|---|---|---|
| metadata | ObjectMeta | Standard Kubernetes metadata. |
| spec | GatewayPolicySpec | Gateway policy specification. |
| status | GatewayPolicyStatus | Gateway policy status. |

## GatewayPolicySpec

GatewayPolicySpec defines the desired state of GatewayPolicy.

Appears in: GatewayPolicy

| Field | Type | Description |
|---|---|---|
| targetRefs | []LocalObjectReference | References to the Gateway resources this policy applies to. |
| selector | LabelSelector | Label selector for the Gateway resources this policy applies to. |
| policy | Gateway | Gateway policy configuration. |

## LocalObjectReference

Reference to a Kubernetes resource in the same namespace.

Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| group | string | API group of the referenced resource. Example: `gateway.networking.k8s.io` |
| kind | string | Kind of the referenced resource. Example: `Gateway` |
| name | string | Name of the referenced resource. Example: `my-gateway` |

## LabelSelector

Label-based selection criteria for resources.

Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| matchLabels | map[string]string | Simple label matching requirements. Example: `app: my-app` |
| matchExpressions | []LabelSelectorRequirement | Advanced label matching expressions. |

## LabelSelectorRequirement

Advanced label matching expression with an operator and values.

Appears in: LabelSelector

| Field | Type | Description |
|---|---|---|
| key | string | Label key to match. Example: `app` |
| operator | string | Matching operator. Example: `In`, `NotIn`, `Exists` |
| values | []string | Values to match against. Example: `["my-app"]` |

## Gateway

Gateway policy configuration that applies to load balancer and listener settings.

Appears in: GatewayPolicySpec

| Field | Type | Description |
|---|---|---|
| subnets | []string | Subnets of the zones where the load balancer will be instantiated. Example: `["subnet-id-1", "subnet-id-2"]` |
| securityGroups | []string | Security groups of the load balancer. Example: `["sg-id-1", "sg-id-2"]` |
| logs | LogOptions | Cloud Logging settings of the application load balancer. |
| autoScale | AutoScalePolicy | Autoscaling settings of the application load balancer. |
| zone | map[string]BalancerZone | Zone-specific traffic control settings. |
| allowZonalShift | bool | Specifies whether the application load balancer is available for zonal shift. Example: `true` |
| listener | map[string]GatewayListener | Listener-specific configuration, keyed by listener name. |
| listeners | GatewayListener | Common listener configuration for all listeners. |

## AutoScalePolicy

Scaling settings of the application load balancer. The scaling settings relate to a special internal instance group which facilitates the balancer's work. Instances in this group are called resource units.

Appears in: Balancer

| Field | Type | Description |
|---|---|---|
| minZoneSize | int | Lower limit for the number of resource units in each availability zone. The minimum value is 2. Example: `2` |
| maxSize | int | Upper limit for the total number of resource units across all availability zones. If the value is 0, there is no upper limit. Example: `10` |

## BalancerZone

Zone-specific traffic control settings.

Appears in: Balancer

| Field | Type | Description |
|---|---|---|
| receiveTraffic | bool | Enables the load balancer node in the specified availability zone. Example: `true` |

## LogOptions

Cloud Logging settings of the application load balancer.

Appears in: Balancer

| Field | Type | Description |
|---|---|---|
| logGroupID | string | Cloud Logging log group ID to store access logs. If not set, logs are stored in the default log group of the folder where the load balancer is located. Example: `log-group-id-1` |
| disable | bool | Do not send logs to the Cloud Logging log group. Example: `false` |
| discardRule | map[string]LogDiscardRule | Log discard rules, where each key is a user-defined rule ID. |

## LogDiscardRule

Log discard rule configuration.

Appears in: LogOptions

| Field | Type | Description |
|---|---|---|
| httpCodes | []int | HTTP codes that should be discarded. Example: `[404, 500]` |
| httpCodeIntervals | []string | Groups of HTTP codes, such as 4xx, that should be discarded. Example: `["HTTP_4XX", "HTTP_5XX"]` |
| grpcCodes | []string | gRPC codes that should be discarded. Example: `["INTERNAL", "UNIMPLEMENTED"]` |
| discardPercent | int | Percent of matching logs to discard: 0 keeps all, 100 discards all. Example: `10` |

## GatewayListener

Gateway listener configuration that combines listener and HTTP router settings.

Appears in: Gateway

| Field | Type | Description |
|---|---|---|
| http | ListenerHTTP | HTTP-specific listener settings. |
| stream | ListenerStream | Stream-specific listener settings. |
| rbac | RBAC | RBAC access control configuration. |

## Listener

Listener protocol-specific settings.

Appears in: GatewayListener

| Field | Type | Description |
|---|---|---|
| http | ListenerHTTP | HTTP-specific listener settings. |
| stream | ListenerStream | Stream-specific listener settings. |

## ListenerHTTP

HTTP-specific listener settings.

Appears in: Listener

| Field | Type | Description |
|---|---|---|
| protocolSettings | HTTPProtocolSettings | HTTP protocol configuration. |

## HTTPProtocolSettings

HTTP protocol configuration settings.

Appears in: ListenerHTTP

| Field | Type | Description |
|---|---|---|
| allowHTTP10 | bool | Enables support for incoming HTTP/1.0 and HTTP/1.1 requests and disables it for HTTP/2 requests. Example: `true` |
| http2Options | HTTP2Options | HTTP/2 settings. If specified, incoming HTTP/2 requests are supported by the listener. |

## HTTP2Options

HTTP/2 protocol options.

Appears in: HTTPProtocolSettings

| Field | Type | Description |
|---|---|---|
| maxConcurrentStreams | int | Maximum number of concurrent HTTP/2 streams in a connection. Example: `100` |

## ListenerStream

Stream-specific listener settings.

Appears in: Listener

| Field | Type | Description |
|---|---|---|
| idleTimeout | string | The idle timeout is the duration during which no data is transmitted or received on either the upstream or the downstream connection. Example: `300s` |

## RouteOptions

Route options for security and access control.

Appears in: GatewayListener

| Field | Type | Description |
|---|---|---|
| rbac | RBAC | RBAC access control configuration. |

## RBAC

Role-Based Access Control configuration.

Appears in: RouteOptions

| Field | Type | Description |
|---|---|---|
| action | string | The action to take if a principal matches. Enum: `ALLOW`, `DENY`. Example: `ALLOW` |
| principals | map[string]map[string]Principal | Principal groups keyed by group name, each containing principals keyed by principal name. A match occurs when at least one principal group matches the request; within a group, all principals must match (AND conditions). |

## Principal

Principal configuration for RBAC matching.

Appears in: RBAC

| Field | Type | Description |
|---|---|---|
| header | HeaderPrincipal | A header (or pseudo-header such as `:path` or `:method`) of the incoming HTTP request. |
| ip | IPPrincipal | A CIDR block or IP address that describes the request's remote (origin) address. |
| any | bool | Match any request. Example: `true` |

## HeaderPrincipal

Header-based principal matching.

Appears in: Principal

| Field | Type | Description |
|---|---|---|
| name | string | The name of the header to match. Example: `X-Api-Token` |
| regex | string | Regular expression match for the header value. Example: `^admin.*` |
| exact | string | Exact match for the header value. Example: `admin123` |
| prefix | string | Prefix match for the header value. Example: `Bearer` |

## IPPrincipal

IP-based principal matching.

Appears in: Principal

| Field | Type | Description |
|---|---|---|
| remoteIp | string | CIDR block or IP address to match. Example: `10.0.0.0/8` |
## GatewayPolicyStatus

GatewayPolicyStatus defines the observed state of GatewayPolicy.

Appears in: GatewayPolicy

| Field | Type | Description |
|---|---|---|
| conditions | []Condition | Current state conditions of the gateway policy. |
| attachedGateways | int32 | Number of currently attached gateways. |