Extension APIs
Packages
gateway.envoyproxy.io/v1alpha1
Package v1alpha1 contains API schema definitions for the gateway.envoyproxy.io API group.
Resource Types
AuthenticationFilter
Field | Description |
---|---|
apiVersion string | gateway.envoyproxy.io/v1alpha1 |
kind string | AuthenticationFilter |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec AuthenticationFilterSpec | Spec defines the desired state of the AuthenticationFilter type. |
AuthenticationFilterSpec
AuthenticationFilterSpec defines the desired state of the AuthenticationFilter type.
Appears in:
Field | Description |
---|---|
type AuthenticationFilterType | Type defines the type of authentication provider to use. Supported provider types are “JWT”. |
jwtProviders JwtAuthenticationFilterProvider array | JWT defines the JSON Web Token (JWT) authentication provider type. When multiple jwtProviders are specified, the JWT is considered valid if any of the providers successfully validate the JWT. For additional details, see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |
AuthenticationFilterType
Underlying type: string
AuthenticationFilterType is a type of authentication provider.
Appears in:
ClaimToHeader
ClaimToHeader defines a configuration to convert JWT claims into HTTP headers
Appears in:
Field | Description |
---|---|
header string | Header defines the name of the HTTP request header that the JWT Claim will be saved into. |
claim string | Claim is the JWT Claim that should be saved into the header. It can be a top-level claim (e.g. “sub”) or a nested claim (e.g. “claim.nested.key”). A nested claim name must use a dot “.” to separate the JSON name path. |
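
The dotted-path and claim-type rules described for ClaimToHeader, sketched as an added example that is not Envoy Gateway's own code. The function names and the sample payload are assumptions made for illustration, and the payload is taken to be already verified and decoded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// decodePayload parses an already verified, base64url-decoded JWT payload.
func decodePayload(raw string) (map[string]any, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.UseNumber() // keep int and double claims exactly as written
	var p map[string]any
	err := dec.Decode(&p)
	return p, err
}

// claimToHeaderValue resolves a dotted claim path; only string, number and bool claims pass.
func claimToHeaderValue(payload map[string]any, claim string) (string, error) {
	var cur any = payload
	for _, key := range strings.Split(claim, ".") {
		obj, ok := cur.(map[string]any)
		if !ok {
			return "", fmt.Errorf("claim %q: %q is not inside a JSON object", claim, key)
		}
		if cur, ok = obj[key]; !ok {
			return "", fmt.Errorf("claim %q: name %q not found", claim, key)
		}
	}
	switch v := cur.(type) {
	case string:
		return v, nil
	case bool, json.Number:
		return fmt.Sprint(v), nil
	default: // arrays, objects and null are not supported
		return "", fmt.Errorf("claim %q: unsupported type %T", claim, cur)
	}
}

// samplePayload is a constructed JWT payload for this example.
const samplePayload = `{"sub":"user-1","admin":true,"claim":{"nested":{"key":"team-a"}},"n":1.5,"groups":["a"]}`

func main() {
	p, _ := decodePayload(samplePayload)
	for _, c := range []string{"sub", "claim.nested.key", "admin", "n", "groups"} {
		v, err := claimToHeaderValue(p, c)
		fmt.Printf("%-17s value=%q err=%v\n", c, v, err)
	}
}
```
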
EnvoyJSONPatchConfig
EnvoyJSONPatchConfig defines the configuration for patching an Envoy xDS resource using JSONPatch semantics.
Appears in:
Field | Description |
---|---|
type EnvoyResourceType | Type is the type URL of the Envoy xDS Resource |
name string | Name is the name of the resource |
operation JSONPatchOperation | Patch defines the JSON Patch Operation |
EnvoyPatchPolicy
EnvoyPatchPolicy allows the user to modify the Envoy xDS resources generated by Envoy Gateway using this patch API.
Appears in:
Field | Description |
---|---|
apiVersion string | gateway.envoyproxy.io/v1alpha1 |
kind string | EnvoyPatchPolicy |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec EnvoyPatchPolicySpec | Spec defines the desired state of EnvoyPatchPolicy. |
EnvoyPatchPolicyList
EnvoyPatchPolicyList contains a list of EnvoyPatchPolicy resources.
Field | Description |
---|---|
apiVersion string | gateway.envoyproxy.io/v1alpha1 |
kind string | EnvoyPatchPolicyList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items EnvoyPatchPolicy array |
EnvoyPatchPolicySpec
EnvoyPatchPolicySpec defines the desired state of EnvoyPatchPolicy.
Appears in:
Field | Description |
---|---|
type EnvoyPatchType | Type decides the type of patch. Valid EnvoyPatchType values are “JSONPatch”. |
jsonPatches EnvoyJSONPatchConfig array | JSONPatch defines the JSONPatch configuration. |
targetRef PolicyTargetReference | TargetRef is the name of the Gateway API resource this policy is being attached to. Currently only attaching to Gateway is supported. This Policy and the TargetRef MUST be in the same namespace for this Policy to have effect and be applied to the Gateway TargetRef. |
priority integer | Priority of the EnvoyPatchPolicy. If multiple EnvoyPatchPolicies are applied to the same TargetRef, they will be applied in the ascending order of the priority i.e. int32.min has the highest priority and int32.max has the lowest priority. Defaults to 0. |
EnvoyPatchType
Underlying type: string
EnvoyPatchType specifies the types of Envoy patching mechanisms.
Appears in:
EnvoyResourceType
Underlying type: string
EnvoyResourceType specifies the type URL of the Envoy resource.
Appears in:
GlobalRateLimit
GlobalRateLimit defines global rate limit configuration.
Appears in:
Field | Description |
---|---|
rules RateLimitRule array | Rules are a list of RateLimit selectors and limits. Each rule and its associated limit are applied in a mutually exclusive way, i.e. if multiple rules get selected, each of their associated limits gets applied, so a single traffic request might increase the rate limit counters for multiple rules if selected. |
HeaderMatch
HeaderMatch defines the match attributes within the HTTP Headers of the request.
Appears in:
Field | Description |
---|---|
type HeaderMatchType | Type specifies how to match against the value of the header. |
name string | Name of the HTTP header. |
value string | Value within the HTTP header. Due to the case-insensitivity of header names, “foo” and “Foo” are considered equivalent. Do not set this field when Type=“Distinct”, implying matching on any/all unique values within the header. |
HeaderMatchType
Underlying type: string
HeaderMatchType specifies the semantics of how HTTP header values should be compared. Valid HeaderMatchType values are “Exact”, “RegularExpression”, and “Distinct”.
Appears in:
JSONPatchOperation
JSONPatchOperation defines the JSON Patch Operation as defined in https://datatracker.ietf.org/doc/html/rfc6902
Appears in:
Field | Description |
---|---|
op JSONPatchOperationType | Op is the type of operation to perform |
path string | Path is the location of the target document/field where the operation will be performed. Refer to https://datatracker.ietf.org/doc/html/rfc6901 for more details. |
value JSON | Value is the new value of the path location. |
JSONPatchOperationType
Underlying type: string
JSONPatchOperationType specifies the JSON Patch operations that can be performed.
Appears in:
JwtAuthenticationFilterProvider
JwtAuthenticationFilterProvider defines the JSON Web Token (JWT) authentication provider type and how JWTs should be verified.
Appears in:
Field | Description |
---|---|
name string | Name defines a unique name for the JWT provider. A name can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels. |
issuer string | Issuer is the principal that issued the JWT and takes the form of a URL or email address. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.1 for URL format and https://rfc-editor.org/rfc/rfc5322.html for email format. If not provided, the JWT issuer is not checked. |
audiences string array | Audiences is a list of JWT audiences allowed access. For additional details, see https://tools.ietf.org/html/rfc7519#section-4.1.3. If not provided, JWT audiences are not checked. |
remoteJWKS RemoteJWKS | RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint. |
claimToHeaders ClaimToHeader array | ClaimToHeaders is a list of JWT claims that must be extracted into HTTP request headers. For example, following config: The claim must be of type string, int, double, or bool. Array type claims are not supported. |
RateLimitFilter
RateLimitFilter allows the user to limit the number of incoming requests to a predefined value based on attributes within the traffic flow.
Field | Description |
---|---|
apiVersion string | gateway.envoyproxy.io/v1alpha1 |
kind string | RateLimitFilter |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec RateLimitFilterSpec | Spec defines the desired state of RateLimitFilter. |
RateLimitFilterSpec
RateLimitFilterSpec defines the desired state of RateLimitFilter.
Appears in:
Field | Description |
---|---|
type RateLimitType | Type decides the scope for the RateLimits. Valid RateLimitType values are “Global”. |
global GlobalRateLimit | Global defines global rate limit configuration. |
RateLimitRule
RateLimitRule defines the semantics for matching attributes from the incoming requests, and setting limits for them.
Appears in:
Field | Description |
---|---|
clientSelectors RateLimitSelectCondition array | ClientSelectors holds the list of select conditions to select specific clients using attributes from the traffic flow. All individual select conditions must hold True for this rule and its limit to be applied. If this field is empty, it is equivalent to True, and the limit is applied. |
limit RateLimitValue | Limit holds the rate limit values. This limit is applied for traffic flows when the selectors compute to True, causing the request to be counted towards the limit. The limit is enforced and the request is ratelimited, i.e. a response with 429 HTTP status code is sent back to the client when the selected requests have reached the limit. |
RateLimitSelectCondition
RateLimitSelectCondition specifies the attributes within the traffic flow that can be used to select a subset of clients to be ratelimited. All the individual conditions must hold True for the overall condition to hold True.
Appears in:
Field | Description |
---|---|
headers HeaderMatch array | Headers is a list of request headers to match. Multiple header values are ANDed together, meaning, a request MUST match all the specified headers. |
sourceIP string | Deprecated: Use SourceCIDR instead. |
sourceCIDR SourceMatch | SourceCIDR is the client IP Address range to match on. |
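
The selection semantics described for GlobalRateLimit, RateLimitRule and RateLimitSelectCondition, modelled as an added example that is not Envoy Gateway's own code. The type names, the `Name` label on each rule and the sample rules are assumptions; "Distinct" is modelled as header presence, "RegularExpression" is not modelled, and the request's header names are assumed to be lower-case.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Types mirror the documented fields; rule.Name is a hypothetical label for output.
type headerMatch struct{ Type, Name, Value string }
type condition struct{ Headers []headerMatch; SourceCIDR string }
type rule struct{ Name string; ClientSelectors []condition }

// holds reports whether every header match and the CIDR of one condition are true.
func (c condition) holds(hdr map[string]string, src netip.Addr) bool {
	for _, m := range c.Headers {
		v, present := hdr[strings.ToLower(m.Name)] // header names are case-insensitive
		if !present || (m.Type != "Distinct" && v != m.Value) {
			return false // "Distinct" only needs the header to be present
		}
	}
	p, err := netip.ParsePrefix(c.SourceCIDR) // empty SourceCIDR means no restriction
	return c.SourceCIDR == "" || (err == nil && p.Contains(src))
}

// selected returns every rule whose counter a single request increments.
func selected(rules []rule, hdr map[string]string, srcIP string) []string {
	src, out := netip.MustParseAddr(srcIP), []string{}
	for _, r := range rules {
		ok := true // an empty clientSelectors list is equivalent to True
		for _, c := range r.ClientSelectors {
			ok = ok && c.holds(hdr, src)
		}
		if ok {
			out = append(out, r.Name)
		}
	}
	return out
}

var sampleRules = []rule{ // constructed for this example
	{"per-user", []condition{{Headers: []headerMatch{{"Distinct", "X-User-Id", ""}}}}},
	{"internal", []condition{{SourceCIDR: "192.168.0.0/24"}}},
	{"catch-all", nil},
}

func main() {
	fmt.Println(selected(sampleRules, map[string]string{"x-user-id": "alice"}, "203.0.113.7"))
}
```

A request that satisfies several rules is counted against each of them, so the tightest matching limit is the one that produces the 429 first.
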
RateLimitType
Underlying type: string
RateLimitType specifies the types of RateLimiting.
Appears in:
RateLimitUnit
Underlying type: string
RateLimitUnit specifies the intervals for setting rate limits. Valid RateLimitUnit values are “Second”, “Minute”, “Hour”, and “Day”.
Appears in:
RateLimitValue
RateLimitValue defines the limits for rate limiting.
Appears in:
Field | Description |
---|---|
requests integer | |
unit RateLimitUnit |
RemoteJWKS
RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
Appears in:
Field | Description |
---|---|
uri string | URI is the HTTPS URI to fetch the JWKS. Envoy’s system trust bundle is used to validate the server certificate. |
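
A pre-deployment check for the JWT provider fields documented above (issuer, audiences, remoteJWKS.uri), written as an added example that is not part of Envoy Gateway. It takes the AuthenticationFilterSpec in JSON form; the function name and the sample spec are assumptions. Because a JWT is considered valid if any provider validates it, a finding on one provider applies to the whole filter.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// jwtProvider mirrors the JwtAuthenticationFilterProvider fields documented above.
type jwtProvider struct {
	Name       string   `json:"name"`
	Issuer     string   `json:"issuer"`
	Audiences  []string `json:"audiences"`
	RemoteJWKS struct {
		URI string `json:"uri"`
	} `json:"remoteJWKS"`
}

// lintSpec reports each provider setting that leaves a documented JWT check off.
func lintSpec(specJSON string) ([]string, error) {
	var spec struct {
		JwtProviders []jwtProvider `json:"jwtProviders"`
	}
	if err := json.Unmarshal([]byte(specJSON), &spec); err != nil {
		return nil, err
	}
	var out []string
	for _, p := range spec.JwtProviders {
		if p.Issuer == "" {
			out = append(out, p.Name+": issuer not set, JWT issuer is not checked")
		}
		if len(p.Audiences) == 0 {
			out = append(out, p.Name+": audiences not set, JWT audiences are not checked")
		}
		if u, err := url.Parse(p.RemoteJWKS.URI); err != nil || u.Scheme != "https" || u.Host == "" {
			out = append(out, p.Name+": remoteJWKS.uri is not an HTTPS URI")
		}
	}
	return out, nil
}

// sampleSpec is a constructed AuthenticationFilterSpec in JSON form.
const sampleSpec = `{"type":"JWT","jwtProviders":[
 {"name":"strict","issuer":"https://idp.example.com","audiences":["api"],"remoteJWKS":{"uri":"https://idp.example.com/jwks.json"}},
 {"name":"legacy","remoteJWKS":{"uri":"http://idp.example.com/jwks.json"}}]}`

func main() {
	fmt.Println(lintSpec(sampleSpec))
}
```
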
SourceMatch
Appears in:
Field | Description |
---|---|
type SourceMatchType | |
value string | Value is the IP CIDR that represents the range of source IP addresses of the client. These could also be the intermediate addresses through which the request has flowed and which are part of the X-Forwarded-For header. For example, 192.168.0.1/32, 192.168.0.0/24, 001:db8::/64. |
SourceMatchType
Underlying type: string
Appears in: