gateway.networking.k8s.io / v1alpha3 / BackendTLSPolicy

• string

  .apiVersion

  APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

• string

  .kind

  Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

• object

  .metadata

• object required

  .spec

  Spec defines the desired state of BackendTLSPolicy.

• object

  .spec .options

  Options are a list of key/value pairs to enable extended TLS configuration for each implementation. For example, configuring the minimum TLS version or supported cipher suites.

  A set of common keys MAY be defined by the API in the future. To avoid any ambiguity, implementation-specific definitions MUST use domain-prefixed names, such as example.com/my-custom-option. Un-prefixed names are reserved for key names defined by Gateway API.

  Support: Implementation-specific

• array required

  .spec .targetRefs

  TargetRefs identifies an API object to apply the policy to. Only Services have Extended support. Implementations MAY support additional objects, with Implementation Specific support. Note that this config applies to the entire referenced resource by default, but this default may change in the future to provide a more granular application of the policy.

  TargetRefs must be distinct. This means either that:

  • They select different targets. If this is the case, then targetRef entries are distinct. In terms of fields, this means that the multi-part key defined by group, kind, and name must be unique across all targetRef entries in the BackendTLSPolicy.
  • They select different sectionNames in the same target.

  Support: Extended for Kubernetes Service

  Support: Implementation-specific for any other resource

• string required

  .spec .targetRefs[] .group

  Group is the group of the target resource.

• string required

  .spec .targetRefs[] .kind

  Kind is kind of the target resource.

• string required

  .spec .targetRefs[] .name

  Name is the name of the target resource.

• string

  .spec .targetRefs[] .sectionName

  SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following:

  • Gateway: Listener name
  • HTTPRoute: HTTPRouteRule name
  • Service: Port name

  If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a ResolvedRefs or similar Condition in the Policy’s status.

• object required

  .spec .validation

  Validation contains backend TLS validation configuration.

• array

  .spec .validation .caCertificateRefs

  CACertificateRefs contains one or more references to Kubernetes objects that contain a PEM-encoded TLS CA certificate bundle, which is used to validate a TLS handshake between the Gateway and backend Pod.

  If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If CACertificateRefs is empty or unspecified, the configuration for WellKnownCACertificates MUST be honored instead if supported by the implementation.

  References to a resource in a different namespace are invalid for the moment, although we will revisit this in the future.

  A single CACertificateRef to a Kubernetes ConfigMap kind has “Core” support. Implementations MAY choose to support attaching multiple certificates to a backend, but this behavior is implementation-specific.

  Support: Core - An optional single reference to a Kubernetes ConfigMap, with the CA certificate in a key named ca.crt.

  Support: Implementation-specific (More than one reference, or other kinds of resources).

• string required

  .spec .validation .caCertificateRefs[] .group

  Group is the group of the referent. For example, “gateway.networking.k8s.io”. When unspecified or empty string, core API group is inferred.

• string required

  .spec .validation .caCertificateRefs[] .kind

  Kind is kind of the referent. For example “HTTPRoute” or “Service”.

• string required

  .spec .validation .caCertificateRefs[] .name

  Name is the name of the referent.

• string required

  .spec .validation .hostname

  Hostname is used for two purposes in the connection between Gateways and backends:

  1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066).
  2. Hostname MUST be used for authentication and MUST match the certificate served by the matching backend, unless SubjectAltNames is specified. authentication and MUST match the certificate served by the matching backend.

  Support: Core

• array

  .spec .validation .subjectAltNames

  SubjectAltNames contains one or more Subject Alternative Names. When specified the certificate served from the backend MUST have at least one Subject Alternate Name matching one of the specified SubjectAltNames.

  Support: Extended

• string

  .spec .validation .subjectAltNames[] .hostname

  Hostname contains Subject Alternative Name specified in DNS name format. Required when Type is set to Hostname, ignored otherwise.

  Support: Core

• string required

  .spec .validation .subjectAltNames[] .type

  Type determines the format of the Subject Alternative Name. Always required.

  Support: Core

• string

  .spec .validation .subjectAltNames[] .uri

  URI contains Subject Alternative Name specified in a full URI format. It MUST include both a scheme (e.g., “http” or “ftp”) and a scheme-specific-part. Common values include SPIFFE IDs like “spiffe://mycluster.example.com/ns/myns/sa/svc1sa”. Required when Type is set to URI, ignored otherwise.

  Support: Core

• string

  .spec .validation .wellKnownCACertificates

  WellKnownCACertificates specifies whether system CA certificates may be used in the TLS handshake between the gateway and backend pod.

  If WellKnownCACertificates is unspecified or empty (“”), then CACertificateRefs must be specified with at least one entry for a valid configuration. Only one of CACertificateRefs or WellKnownCACertificates may be specified, not both. If an implementation does not support the WellKnownCACertificates field or the value supplied is not supported, the Status Conditions on the Policy MUST be updated to include an Accepted: False Condition with Reason: Invalid.

  Support: Implementation-specific

• object

  .status

  Status defines the current state of BackendTLSPolicy.

• array required

  .status .ancestors

  Ancestors is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified.

  Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status.

  Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for.

  Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined.

  A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors.

  If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy.

• object required

  .status .ancestors[] .ancestorRef

  AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of.

• string

  .status .ancestors[] .ancestorRef .group

  Group is the group of the referent. When unspecified, “gateway.networking.k8s.io” is inferred. To set the core API group (such as for a “Service” kind referent), Group must be explicitly set to “” (empty string).

  Support: Core

• string

  .status .ancestors[] .ancestorRef .kind

  Kind is kind of the referent.

  There are two kinds of parent resources with “Core” support:

  • Gateway (Gateway conformance profile)
  • Service (Mesh conformance profile, ClusterIP Services only)

  Support for other resources is Implementation-Specific.

• string required

  .status .ancestors[] .ancestorRef .name

  Name is the name of the referent.

  Support: Core

• string

  .status .ancestors[] .ancestorRef .namespace

  Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route.

  Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference.

  ParentRefs from a Route to a Service in the same namespace are “producer” routes, which apply default routing rules to inbound connections from any namespace to the Service.

  ParentRefs from a Route to a Service in a different namespace are “consumer” routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route.

  Support: Core

• integer

  .status .ancestors[] .ancestorRef .port

  Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource.

  When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It’s not recommended to set Port unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values.

  When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values.

  Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted.

  For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway.

  Support: Extended

• string

  .status .ancestors[] .ancestorRef .sectionName

  SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following:

  • Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values.
  • Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values.

  Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted.

  When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway.

  Support: Core

• array

  .status .ancestors[] .conditions

  Conditions describes the status of the Policy with respect to the given Ancestor.

• string required

  .status .ancestors[] .conditions[] .lastTransitionTime

  lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

• string required

  .status .ancestors[] .conditions[] .message

  message is a human readable message indicating details about the transition. This may be an empty string.

• integer

  .status .ancestors[] .conditions[] .observedGeneration

  observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

• string required

  .status .ancestors[] .conditions[] .reason

  reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

• string required

  .status .ancestors[] .conditions[] .status

  status of the condition, one of True, False, Unknown.

• string required

  .status .ancestors[] .conditions[] .type

  type of condition in CamelCase or in foo.example.com/CamelCase.

• string required

  .status .ancestors[] .controllerName

  ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass.

  Example: “example.net/gateway-controller”.

  The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).

  Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary.