ServicePolicy
ServicePolicy is a Gwin custom resource for configuring Service-specific policies. It allows you to configure how Kubernetes Services are used as ALB targets, controlling target selection, addressing, and zone matching.
ServicePolicy provides the same functionality as Service annotations but through spec fields instead of annotations, offering better validation and type safety.
Cheatsheet
NOTE: The specification below is not a valid configuration.
It only demonstrates all ServicePolicy fields.
```yaml
apiVersion: gwin.yandex.cloud/v1
kind: ServicePolicy
metadata:
  name: example-service-policy
  namespace: example-ns
spec:
  # Target selection - policy applies to services matching these criteria
  targetRefs:
    - group: ""
      kind: Service
      name: my-service # specific service by name
  selector:
    matchLabels:
      app: my-app # services with these labels
    matchExpressions:
      - key: environment
        operator: In
        values: ["production", "staging"]
  # Service target configuration
  policy:
    targets:
      type: Node # Node or Pod targets
      ipFamily: IPv4 # IP family for targets
      cidrs: ["10.0.0.0/8", "172.16.0.0/12"] # address filtering
      albZoneMatch: true # zone matching
      node:
        onlyWithPods: true # only nodes with pods
        addressType: InternalIP # address type
```
| Field | Description |
|---|---|
| metadata | `ServicePolicyMeta` Standard Kubernetes metadata. |
| spec | `ServicePolicySpec` ServicePolicy specification. |
| status | `ServicePolicyStatus` ServicePolicy status. |
ServicePolicySpec
Appears in: ServicePolicy
The policy is restricted to resources within the same namespace.
When determining which resources the policy applies to, the following rules are used:
- If both TargetRefs and Selector are specified, a resource must match both criteria to be affected by the policy.
- If neither TargetRefs nor Selector is specified, the policy applies to all resources within the same namespace.
| Field | Description |
|---|---|
| targetRefs | `[]LocalObjectReference` References to Service resources that this policy should apply to. |
| selector | `LabelSelector` Label selector for Service resources that this policy should apply to. |
| policy | `Service` Service-specific configuration. |
LocalObjectReference
Reference to a local Kubernetes object.
Appears in: ServicePolicySpec
| Field | Description |
|---|---|
| group | `string` API group of the target resource. Example: `""` |
| kind | `string` Kind of the target resource. Example: `Service` |
| name | `string` Name of the target resource. Example: `my-service` |
LabelSelector
Label selector for selecting resources by labels.
Appears in: ServicePolicySpec
| Field | Description |
|---|---|
| matchLabels | `map[string]string` Map of key-value pairs for exact label matching. Example: `app: my-service` |
| matchExpressions | `[]LabelSelectorRequirement` List of label selector requirements. |
LabelSelectorRequirement
Label selector requirement for advanced label matching.
Appears in: LabelSelector
| Field | Description |
|---|---|
| key | `string` Label key that the selector applies to. Example: `environment` |
| operator | `string` Operator for the requirement. Options: `In`, `NotIn`, `Exists`, `DoesNotExist`. Example: `In` |
| values | `[]string` Array of string values for `In` and `NotIn` operators. Example: `["production", "staging"]` |
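The scope rules under ServicePolicySpec and the selector operators listed above can be checked offline before a policy is applied, which is most useful for spotting a policy with neither `targetRefs` nor `selector` that silently covers every Service in its namespace. The following is an added example, not Gwin code: the function names and the sample inventory are constructed, `NotIn` is assumed to follow standard Kubernetes semantics (a missing key matches), a Service is assumed to satisfy `targetRefs` when any one reference names it, and an unset criterion is assumed to impose no restriction.

```python
# Added example: models the documented ServicePolicySpec scope rules.
# Assumptions: any single targetRef naming the Service is enough; an unset
# criterion does not restrict; NotIn matches when the label key is absent.

def requirement_matches(labels, req):
    """Evaluate one LabelSelectorRequirement against a Service's labels."""
    key, op, values = req["key"], req["operator"], req.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")

def selector_matches(labels, selector):
    """matchLabels and matchExpressions must all hold."""
    exact = all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())
    exprs = all(requirement_matches(labels, r) for r in selector.get("matchExpressions", []))
    return exact and exprs

def ref_matches(svc, refs):
    """True when a LocalObjectReference names this core-group Service."""
    return any(r.get("group", "") == "" and r.get("kind") == "Service"
               and r.get("name") == svc["name"] for r in refs)

def affected_services(policy, services):
    """Names of Services the policy applies to (same namespace only)."""
    spec = policy.get("spec") or {}
    refs, selector = spec.get("targetRefs"), spec.get("selector")
    ns = policy["metadata"]["namespace"]
    return [s["name"] for s in services
            if s["namespace"] == ns
            and (not refs or ref_matches(s, refs))
            and (not selector or selector_matches(s.get("labels", {}), selector))]

# Constructed sample inventory.
SERVICES = [
    {"name": "my-service", "namespace": "example-ns", "labels": {"app": "my-app", "environment": "production"}},
    {"name": "my-service", "namespace": "other-ns", "labels": {"app": "my-app", "environment": "production"}},
    {"name": "batch", "namespace": "example-ns", "labels": {"app": "my-app", "environment": "dev"}},
    {"name": "admin", "namespace": "example-ns", "labels": {}},
]
```

Running `affected_services` with a policy whose `spec` is empty returns all three Services in `example-ns`, including the unlabelled `admin` Service.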
Service
Service policy configuration that applies to Service targets.
Appears in: ServicePolicySpec
| Field | Description |
|---|---|
| targets | `ServiceTargets` Configures how ALB should select and address Service endpoints. |
ServiceTargets
Appears in: Service
ServiceTargets defines how ALB targets are selected and addressed for a Service. It controls whether to use Node or Pod endpoints, network restrictions, and zone matching.
| Field | Description |
|---|---|
| type | `string` Specifies whether to use Node or Pod endpoints as ALB targets. `Node` uses cluster nodes as targets (default); `Pod` uses individual pods as targets. Example: `Node` |
| ipFamily | `string` Specifies which IP family to use for target addresses. Currently only `IPv4` is supported. Example: `IPv4` |
| cidrs | `[]string` Helps select appropriate target addresses when targets have multiple IP addresses. Only addresses within these CIDR blocks will be used for ALB targets. Example: `["10.0.0.0/8", "172.16.0.0/12"]` |
| albZoneMatch | `boolean` Controls whether to verify that targets are located in the same zones as the ALB. When `true` (default), only targets in ALB zones are included. Example: `true` |
| node | `ServiceTargetsNode` Additional configuration when type is `Node`. This field is ignored when type is `Pod`. |
ServiceTargetsNode
Appears in: ServiceTargets
ServiceTargetsNode contains configuration specific to Node-type targets. This configuration is only used when ServiceTargets.Type is "Node".
| Field | Description |
|---|---|
| onlyWithPods | `boolean` Controls whether to include only nodes that have pods for this service. When `true` (default), only nodes running pods that match the service selector are used as targets. Example: `true` |
| addressType | `string` Specifies which node address type to use for ALB targets. `InternalIP` uses the node's internal IP address (default); `ExternalIP` uses the node's external IP address. Example: `InternalIP` |
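To review what a given `targets` block would register with the ALB, the documented filters for `Node` targets (`albZoneMatch`, `onlyWithPods`, `addressType`, `cidrs`, IPv4 only) can be applied to a node inventory. This is an added example, not Gwin code: the node records, zone names and function name are constructed, an empty `cidrs` list is assumed to mean no CIDR filtering, and `Pod` targets are not modelled.

```python
import ipaddress

# Added example: models the documented ServiceTargets / ServiceTargetsNode
# fields for type Node. Defaults are the ones stated in the field tables.
DEFAULTS = {"albZoneMatch": True, "onlyWithPods": True, "addressType": "InternalIP"}

def node_targets(targets, nodes, alb_zones):
    """Return (node name, address) pairs eligible as ALB targets."""
    node_cfg = targets.get("node", {})
    zone_match = targets.get("albZoneMatch", DEFAULTS["albZoneMatch"])
    only_with_pods = node_cfg.get("onlyWithPods", DEFAULTS["onlyWithPods"])
    addr_type = node_cfg.get("addressType", DEFAULTS["addressType"])
    # Assumption: an empty or missing cidrs list applies no CIDR filter.
    nets = [ipaddress.ip_network(c) for c in targets.get("cidrs", [])]
    result = []
    for node in nodes:
        if zone_match and node["zone"] not in alb_zones:
            continue  # node is outside the ALB's zones
        if only_with_pods and not node["has_service_pods"]:
            continue  # node runs no pods for this Service
        for addr in node["addresses"]:
            if addr["type"] != addr_type:
                continue
            ip = ipaddress.ip_address(addr["address"])
            if ip.version != 4:  # only IPv4 is supported per the page
                continue
            if nets and not any(ip in n for n in nets):
                continue  # address is outside every allowed CIDR block
            result.append((node["name"], addr["address"]))
    return result

# Constructed node inventory; 203.0.113.10 is a documentation address.
NODES = [
    {"name": "node-a", "zone": "zone-a", "has_service_pods": True, "addresses": [
        {"type": "InternalIP", "address": "10.1.0.5"},
        {"type": "InternalIP", "address": "192.168.5.5"},
        {"type": "ExternalIP", "address": "203.0.113.10"}]},
    {"name": "node-b", "zone": "zone-b", "has_service_pods": True, "addresses": [
        {"type": "InternalIP", "address": "10.2.0.7"}]},
    {"name": "node-c", "zone": "zone-a", "has_service_pods": False, "addresses": [
        {"type": "InternalIP", "address": "10.1.0.9"}]},
]
```

With the cheatsheet's `cidrs`, switching `addressType` to `ExternalIP` yields no targets at all, because the external address falls outside both CIDR blocks.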
ServicePolicyStatus
Appears in: ServicePolicy
| Field | Description |
|---|---|
| conditions | `[]Condition` List of conditions representing the current state of the ServicePolicy. |
| attachedServices | `int32` Number of currently attached services. |