Gateway resource fields

The `Gateway` resource defines the rules for receiving incoming traffic and selecting routes (`HTTPRoute` resources) for that traffic. The Application Load Balancer Gateway API uses these rules to create a load balancer with the required listeners and HTTP routers.

`Gateway` is designed for cluster operators. Application developers should use `HTTPRoute`.

`Gateway` is a Kubernetes resource specified by the Kubernetes Gateway API project.
Gateway

```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: <string>
  namespace: <string>
  annotations:
    gateway.alb.yc.io/security-groups: <string>
spec: <GatewaySpec>
```
Where:
- `apiVersion`: `gateway.networking.k8s.io/v1alpha2`
- `kind`: `Gateway`
- `metadata` (`ObjectMeta`, required): Resource metadata.
  - `name` (`string`, required): Resource name. For more information about the format, see the Kubernetes documentation. It does not match the load balancer name in Application Load Balancer.
  - `namespace` (`string`): Namespace the resource belongs to. The default value is `default`.
  - `annotations` (`map[string]string`, required): Resource annotations.
    - `gateway.alb.yc.io/security-groups` (`string`, required): List of Virtual Private Cloud security groups for the load balancer. Group IDs are provided as a comma-separated list, e.g.:
      `gateway.alb.yc.io/security-groups: b0c2kotoidcoh6haf8cu,e2lnhhdj9a0aqmr78d36,e9bud5itjnl8mkjj7td1`
      For the load balancer and the Gateway API to work properly, the security groups must be configured as specified in Configuring security groups for Application Load Balancer tools for Managed Service for Kubernetes.
- `spec` (`GatewaySpec`, required): Resource specification. For more information, see below.
GatewaySpec

```yaml
gatewayClassName: yc-df-class
listeners:
  - name: <string>
    hostname: <string>
    port: <int32>
    protocol: <string>
    tls:
      mode: <string>
      certificateRefs:
        - group: <string>
          kind: <string>
          name: <string>
          namespace: <string>
        - ...
    allowedRoutes:
      namespaces:
        from: <string>
        selector:
          matchExpressions:
            - key: <string>
              operator: <string>
              values:
                - <string>
                - ...
            - ...
          matchLabels:
            <string>: <string>
            ...
  - ...
addresses:
  - type: IPAddress
    value: <string>
  - ...
```
Where:
- `gatewayClassName`: `yc-df-class`
- `listeners` (`[]Listener`): Load balancer listeners.
  - `name` (`string`): Internal name of the listener. It is only used by Kubernetes and does not match the listener name in Application Load Balancer.
    The name must be in domain format, i.e., match the following regular expression:
    `[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*`
    For instance, names such as `example`, `example.com`, or `foo.example.com` are valid, while `example.com/bar` and `-example.` are not. The name may be up to 63 characters long.
  - `hostname` (`string`): Domain name the listener is enabled for.
    To refer to every possible subdomain at any level, replace the first-level domain name (the leftmost label) with an asterisk (`*`). In this case, the value must be wrapped in quotes. For instance, the `"*.example.com"` value matches `foo.example.com`, `foo-bar.example.com`, `foo.bar.example.com`, `foo.bar.baz.example.com`, etc., but does not match `example.com`. You cannot replace only a part of the first-level domain name with an asterisk, as in `*foo.example.com`.
    The listener is only linked to the routes (`HTTPRoute` resources) whose domain names (the `spec.hostnames` field) overlap with the domain name specified in this field.
  - `port` (`int32`): Port on which the listener accepts incoming traffic.
  - `protocol` (`string`): Protocol the listener uses for incoming traffic: `HTTP` or `HTTPS`.
  - `tls` (`GatewayTlsConfig`): Configuration the listener uses for incoming HTTPS traffic.
    - `mode` (`string`): Mode for terminating TLS connections. The only supported (and default) value is `Terminate`: connections are terminated using the certificates from the `certificateRefs` field, and the decrypted traffic is routed to the backends. `Passthrough` mode (no connection termination) is not supported.
    - `certificateRefs` (`[]SecretObjectReference`): List of Kubernetes resources that store TLS certificates. Only used if the `protocol` field value is `HTTPS`; the list must then contain at least one certificate. The load balancer uses only the first certificate in the list and ignores the others.
      You can add a certificate to the cluster as a secret (`Secret` resource) using the Managed Service for Kubernetes management console or kubectl:
      ```bash
      kubectl create secret tls <secret_name> \
        -n <namespace_name> \
        --cert <path_to_certificate_file> \
        --key <path_to_file_with_certificate_private_key>
      ```
      - `group` (`string`): Name of the Kubernetes API group the resource with the certificate belongs to, such as `networking.k8s.io`. The default value is an empty string, which denotes the root (core) API group.
      - `kind` (`string`): Type of the Kubernetes resource that stores the certificate. The default value is `Secret`.
      - `name` (`string`): Name of the Kubernetes resource that stores the certificate.
      - `namespace` (`string`): Namespace the resource with the certificate belongs to.
  - `allowedRoutes` (`AllowedRoutes`): Rules for selecting routes (`HTTPRoute` resources) for the listener. These routes are used to create the HTTP routers and backend groups linked to the listener. For an `HTTPRoute` to be selected, its specification (the `spec.parentRefs` field) must refer to the `Gateway` resource.
    - `namespaces` (`RouteNamespaces`): Rule for selecting the namespaces that the `HTTPRoute` resources linked to the listener belong to.
      - `from` (`string`): Rule type:
        - `All`: Resources from all namespaces are selected.
        - `Same`: Resources are selected only from the same namespace as the `Gateway` resource (the `metadata.namespace` field).
        - `Selector`: Resources are selected from namespaces that meet the requirements in the `selector` field.
      - `selector` (`LabelSelector`): A selector is a set of namespace requirements. Only namespaces that meet all the requirements from the `matchExpressions` and `matchLabels` fields are selected. For more information, see the Kubernetes API reference. If the `from` field value is anything other than `Selector`, the `selector` field is ignored.
- `addresses` (`[]GatewayAddress`): Load balancer public IP settings. If omitted, the load balancer is automatically assigned one public IP address.
  - `type`: `IPAddress`
  - `value` (`string`): Yandex Virtual Private Cloud public IP address assigned to the load balancer. Before specifying an IP address in this field, make sure to reserve it by following this guide.
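The listener-name, hostname, TLS and route-selection rules described above, as an added example that is not part of the original reference: a small Python lint that checks a `Gateway` manifest (loaded as a dict, e.g. with `yaml.safe_load`) against those rules before it is applied. The embedded manifest, security-group IDs and secret name are constructed placeholders, not real resources.

```python
import re

# Listener names must be domain-format labels (rule quoted in the reference above).
LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?"
LISTENER_NAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")
# A hostname wildcard may only replace the whole leading label ("*.example.com").
HOSTNAME_RE = re.compile(rf"^(\*\.)?{LABEL}(\.{LABEL})*$")

def lint_gateway(gw: dict) -> list:
    """Return a list of findings for a Gateway manifest; an empty list means it passes."""
    findings = []
    sgs = gw.get("metadata", {}).get("annotations", {}).get("gateway.alb.yc.io/security-groups", "")
    if not sgs or any(not g.strip() for g in sgs.split(",")):
        findings.append("gateway.alb.yc.io/security-groups must be a non-empty comma-separated list")
    spec = gw.get("spec", {})
    if spec.get("gatewayClassName") != "yc-df-class":
        findings.append("spec.gatewayClassName must be yc-df-class")
    for i, lst in enumerate(spec.get("listeners", [])):
        where = f"spec.listeners[{i}]"
        name = lst.get("name", "")
        if len(name) > 63 or not LISTENER_NAME_RE.match(name):
            findings.append(f"{where}.name {name!r} is not a valid domain-format name (max 63 chars)")
        host = lst.get("hostname")
        if host is not None and not HOSTNAME_RE.match(host):
            findings.append(f"{where}.hostname {host!r}: '*' may only replace the whole leading label")
        proto = lst.get("protocol")
        if proto not in ("HTTP", "HTTPS"):
            findings.append(f"{where}.protocol must be HTTP or HTTPS")
        tls = lst.get("tls") or {}
        if proto == "HTTPS":
            if not tls.get("certificateRefs"):
                findings.append(f"{where}.tls.certificateRefs must hold at least one entry for HTTPS")
            if tls.get("mode", "Terminate") != "Terminate":
                findings.append(f"{where}.tls.mode: only Terminate is supported (no Passthrough)")
        ns = (lst.get("allowedRoutes") or {}).get("namespaces") or {}
        if ns.get("from") == "Selector" and not ns.get("selector"):
            findings.append(f"{where}.allowedRoutes.namespaces.from=Selector needs a selector")
    return findings

# Constructed sample manifest: placeholder names and IDs, not real resources.
GOOD_GATEWAY = {
    "apiVersion": "gateway.networking.k8s.io/v1alpha2", "kind": "Gateway",
    "metadata": {"name": "demo-gateway", "namespace": "default", "annotations": {
        "gateway.alb.yc.io/security-groups": "sg-placeholder-1,sg-placeholder-2"}},
    "spec": {"gatewayClassName": "yc-df-class", "listeners": [{
        "name": "https.example.com", "hostname": "*.example.com", "port": 443, "protocol": "HTTPS",
        "tls": {"mode": "Terminate", "certificateRefs": [{"kind": "Secret", "name": "example-tls"}]},
        "allowedRoutes": {"namespaces": {"from": "Selector",
                                         "selector": {"matchLabels": {"team": "web"}}}}}]}}
```

Running `lint_gateway(GOOD_GATEWAY)` returns an empty list; a manifest with an HTTPS listener but no `certificateRefs`, or `from: Selector` without a `selector`, is reported before `kubectl apply` ever sees it.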