diff --git a/dev/404.html b/dev/404.html new file mode 100644 index 00000000..8450157c --- /dev/null +++ b/dev/404.html @@ -0,0 +1,1191 @@ + + + +
+ + + + + + + + + + + + + + +This page contains the API field specification for Gateway API.
+Packages:
+ +Resource Types:
+Field | +Description | +||||
---|---|---|---|---|---|
+apiVersion +string |
+
+
+application-networking.k8s.aws/v1alpha1
+
+ |
+||||
+kind +string + |
+AccessLogPolicy |
+||||
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||
+spec + + +AccessLogPolicySpec + + + |
+
+ + +
|
+||||
+status + + +AccessLogPolicyStatus + + + |
+
+ Status defines the current state of AccessLogPolicy. + |
+
Field | +Description | +||||
---|---|---|---|---|---|
+apiVersion +string |
+
+
+application-networking.k8s.aws/v1alpha1
+
+ |
+||||
+kind +string + |
+IAMAuthPolicy |
+||||
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||
+spec + + +IAMAuthPolicySpec + + + |
+
+ + +
|
+||||
+status + + +IAMAuthPolicyStatus + + + |
+
+ Status defines the current state of IAMAuthPolicy. + |
+
ServiceExport declares that the Service with the same name and namespace +as this export should be consumable from other clusters.
+Field | +Description | +
---|---|
+apiVersion +string |
+
+
+application-networking.k8s.aws/v1alpha1
+
+ |
+
+kind +string + |
+ServiceExport |
+
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+(Optional)
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+status + + +ServiceExportStatus + + + |
+
+(Optional)
+ status describes the current state of an exported service. +Service configuration comes from the Service that had the same +name and namespace as this ServiceExport. +Populated by the multi-cluster service implementation’s controller. + |
+
ServiceImport describes a service imported from clusters in a ClusterSet.
+Field | +Description | +||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
+apiVersion +string |
+
+
+application-networking.k8s.aws/v1alpha1
+
+ |
+||||||||||
+kind +string + |
+ServiceImport |
+||||||||||
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+(Optional)
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||||||||
+spec + + +ServiceImportSpec + + + |
+
+(Optional)
+ spec defines the behavior of a ServiceImport. ++ +
|
+||||||||||
+status + + +ServiceImportStatus + + + |
+
+(Optional)
+ status contains information about the exported services that form +the multi-cluster service referenced by this ServiceImport. + |
+
Field | +Description | +||||||||
---|---|---|---|---|---|---|---|---|---|
+apiVersion +string |
+
+
+application-networking.k8s.aws/v1alpha1
+
+ |
+||||||||
+kind +string + |
+TargetGroupPolicy |
+||||||||
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||||||
+spec + + +TargetGroupPolicySpec + + + |
+
+ + +
|
+||||||||
+status + + +TargetGroupPolicyStatus + + + |
++ | +
Field | +Description | +||||||
---|---|---|---|---|---|---|---|
+apiVersion +string |
+
+
+application-networking.k8s.aws/v1alpha1
+
+ |
+||||||
+kind +string + |
+VpcAssociationPolicy |
+||||||
+metadata + + +Kubernetes meta/v1.ObjectMeta + + + |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+||||||
+spec + + +VpcAssociationPolicySpec + + + |
+
+ + +
|
+||||||
+status + + +VpcAssociationPolicyStatus + + + |
++ | +
+(Appears on:AccessLogPolicy) +
+AccessLogPolicySpec defines the desired state of AccessLogPolicy.
+Field | +Description | +
---|---|
+destinationArn + +string + + |
+
+ The Amazon Resource Name (ARN) of the destination that will store access logs. +Supported values are S3 Bucket, CloudWatch Log Group, and Firehose Delivery Stream ARNs. +Changes to this value results in replacement of the VPC Lattice Access Log Subscription. + |
+
+targetRef + + +sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + + + |
+
+ TargetRef points to the Kubernetes Gateway, HTTPRoute, or GRPCRoute resource that will have this policy attached. +This field is following the guidelines of Kubernetes Gateway API policy attachment. + |
+
+(Appears on:AccessLogPolicy) +
+AccessLogPolicyStatus defines the observed state of AccessLogPolicy.
+Field | +Description | +
---|---|
+conditions + + +[]Kubernetes meta/v1.Condition + + + |
+
+(Optional)
+ Conditions describe the current conditions of the AccessLogPolicy. +Implementations should prefer to express Policy conditions
+using the Known condition types are: +
|
+
+(Appears on:ServiceImportStatus) +
+ClusterStatus contains service configuration mapped to a specific source cluster
+Field | +Description | +
---|---|
+cluster + +string + + |
+
+ cluster is the name of the exporting cluster. Must be a valid RFC-1123 DNS +label. + |
+
+(Appears on:TargetGroupPolicySpec) +
+HealthCheckConfig defines health check configuration for given VPC Lattice target group. +For the detailed explanation and supported values, please refer to VPC Lattice documentationon health checks.
+Field | +Description | +
---|---|
+enabled + +bool + + |
+
+(Optional)
+ Indicates whether health checking is enabled. + |
+
+intervalSeconds + +int64 + + |
+
+(Optional)
+ The approximate amount of time, in seconds, between health checks of an individual target. + |
+
+timeoutSeconds + +int64 + + |
+
+(Optional)
+ The amount of time, in seconds, to wait before reporting a target as unhealthy. + |
+
+healthyThresholdCount + +int64 + + |
+
+(Optional)
+ The number of consecutive successful health checks required before considering an unhealthy target healthy. + |
+
+unhealthyThresholdCount + +int64 + + |
+
+(Optional)
+ The number of consecutive failed health checks required before considering a target unhealthy. + |
+
+statusMatch + +string + + |
+
+(Optional)
+ A regular expression to match HTTP status codes when checking for successful response from a target. + |
+
+path + +string + + |
+
+(Optional)
+ The destination for health checks on the targets. + |
+
+port + +int64 + + |
+
+ The port used when performing health checks on targets. If not specified, health check defaults to the +port that a target receives traffic on. + |
+
+protocol + + +HealthCheckProtocol + + + |
+
+(Optional)
+ The protocol used when performing health checks on targets. + |
+
+protocolVersion + + +HealthCheckProtocolVersion + + + |
+
+(Optional)
+ The protocol version used when performing health checks on targets. Defaults to HTTP/1. + |
+
string
alias)+(Appears on:HealthCheckConfig) +
+Value | +Description | +
---|---|
"HTTP" |
++ |
"HTTPS" |
++ |
string
alias)+(Appears on:HealthCheckConfig) +
+Value | +Description | +
---|---|
"HTTP1" |
++ |
"HTTP2" |
++ |
+(Appears on:IAMAuthPolicy) +
+IAMAuthPolicySpec defines the desired state of IAMAuthPolicy. +When the controller handles IAMAuthPolicy creation, if the targetRef k8s and VPC Lattice resource exists, the controller will change the auth_type of that VPC Lattice resource to AWS_IAM and attach this policy. +When the controller handles IAMAuthPolicy deletion, if the targetRef k8s and VPC Lattice resource exists, the controller will change the auth_type of that VPC Lattice resource to NONE and detach this policy.
+Field | +Description | +
---|---|
+policy + +string + + |
+
+ IAM auth policy content. It is a JSON string that uses the same syntax as AWS IAM policies. Please check the VPC Lattice documentation to get the common elements in an auth policy + |
+
+targetRef + + +sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + + + |
+
+ TargetRef points to the Kubernetes Gateway, HTTPRoute, or GRPCRoute resource that will have this policy attached. +This field is following the guidelines of Kubernetes Gateway API policy attachment. + |
+
+(Appears on:IAMAuthPolicy) +
+IAMAuthPolicyStatus defines the observed state of IAMAuthPolicy.
+Field | +Description | +
---|---|
+conditions + + +[]Kubernetes meta/v1.Condition + + + |
+
+(Optional)
+ Conditions describe the current conditions of the IAMAuthPolicy. +Implementations should prefer to express Policy conditions
+using the Known condition types are: +
|
+
string
alias)+(Appears on:VpcAssociationPolicySpec) +
++(Appears on:ServiceExportStatus) +
+ServiceExportCondition contains details for the current condition of this +service export.
+Once KEP-1623 is +implemented, this will be replaced by metav1.Condition.
+Field | +Description | +
---|---|
+type + + +ServiceExportConditionType + + + |
++ | +
+status + + +Kubernetes core/v1.ConditionStatus + + + |
+
+ Status is one of {“True”, “False”, “Unknown”} + |
+
+lastTransitionTime + + +Kubernetes meta/v1.Time + + + |
++(Optional) + | +
+reason + +string + + |
++(Optional) + | +
+message + +string + + |
++(Optional) + | +
string
alias)+(Appears on:ServiceExportCondition) +
+ServiceExportConditionType identifies a specific condition.
+Value | +Description | +
---|---|
"Conflict" |
+ServiceExportConflict means that there is a conflict between two +exports for the same Service. When “True”, the condition message +should contain enough information to diagnose the conflict: +field(s) under contention, which cluster won, and why. +Users should not expect detailed per-cluster information in the +conflict message. + |
+
"Valid" |
+ServiceExportValid means that the service referenced by this +service export has been recognized as valid by a controller. +This will be false if the service is found to be unexportable +(ExternalName, not found). + |
+
+(Appears on:ServiceExport) +
+ServiceExportStatus contains the current status of an export.
+Field | +Description | +
---|---|
+conditions + + +[]ServiceExportCondition + + + |
++(Optional) + | +
+(Appears on:ServiceImport) +
+ServiceImportSpec describes an imported service and the information necessary to consume it.
+Field | +Description | +
---|---|
+ports + + +[]ServicePort + + + |
++ | +
+ips + +[]string + + |
+
+(Optional)
+ ip will be used as the VIP for this service when type is ClusterSetIP. + |
+
+type + + +ServiceImportType + + + |
+
+ type defines the type of this service. +Must be ClusterSetIP or Headless. + |
+
+sessionAffinity + + +Kubernetes core/v1.ServiceAffinity + + + |
+
+(Optional)
+ Supports “ClientIP” and “None”. Used to maintain session affinity. +Enable client IP based session affinity. +Must be ClientIP or None. +Defaults to None. +Ignored when type is Headless +More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + |
+
+sessionAffinityConfig + + +Kubernetes core/v1.SessionAffinityConfig + + + |
+
+(Optional)
+ sessionAffinityConfig contains session affinity configuration. + |
+
+(Appears on:ServiceImport) +
+ServiceImportStatus describes derived state of an imported service.
+Field | +Description | +
---|---|
+clusters + + +[]ClusterStatus + + + |
+
+(Optional)
+ clusters is the list of exporting clusters from which this service +was derived. + |
+
string
alias)+(Appears on:ServiceImportSpec) +
+ServiceImportType designates the type of a ServiceImport
+Value | +Description | +
---|---|
"ClusterSetIP" |
+ClusterSetIP are only accessible via the ClusterSet IP. + |
+
"Headless" |
+Headless services allow backend pods to be addressed directly. + |
+
+(Appears on:ServiceImportSpec) +
+ServicePort represents the port on which the service is exposed
+Field | +Description | +
---|---|
+name + +string + + |
+
+(Optional)
+ The name of this port within the service. This must be a DNS_LABEL. +All ports within a ServiceSpec must have unique names. When considering +the endpoints for a Service, this must match the ‘name’ field in the +EndpointPort. +Optional if only one ServicePort is defined on this service. + |
+
+protocol + + +Kubernetes core/v1.Protocol + + + |
+
+(Optional)
+ The IP protocol for this port. Supports “TCP”, “UDP”, and “SCTP”. +Default is TCP. + |
+
+appProtocol + +string + + |
+
+(Optional)
+ The application protocol for this port. +This field follows standard Kubernetes label syntax. +Un-prefixed names are reserved for IANA standard service names (as per +RFC-6335 and http://www.iana.org/assignments/service-names). +Non-standard protocols should use prefixed names such as +mycompany.com/my-custom-protocol. +Field can be enabled with ServiceAppProtocol feature gate. + |
+
+port + +int32 + + |
+
+ The port that will be exposed by this service. + |
+
+(Appears on:TargetGroupPolicy) +
+TargetGroupPolicySpec defines the desired state of TargetGroupPolicy.
+Field | +Description | +
---|---|
+protocol + +string + + |
+
+(Optional)
+ The protocol to use for routing traffic to the targets. Supported values are HTTP (default) and HTTPS. +Changes to this value results in a replacement of VPC Lattice target group. + |
+
+protocolVersion + +string + + |
+
+(Optional)
+ The protocol version to use. Supported values are HTTP1 (default) and HTTP2. When a policy is behind GRPCRoute, +this field value will be ignored as GRPC is only supported through HTTP/2. +Changes to this value results in a replacement of VPC Lattice target group. + |
+
+targetRef + + +sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + + + |
+
+ TargetRef points to the kubernetes Service resource that will have this policy attached. +This field is following the guidelines of Kubernetes Gateway API policy attachment. + |
+
+healthCheck + + +HealthCheckConfig + + + |
+
+(Optional)
+ The health check configuration. +Changes to this value will update VPC Lattice resource in place. + |
+
+(Appears on:TargetGroupPolicy) +
+TargetGroupPolicyStatus defines the observed state of TargetGroupPolicy.
+Field | +Description | +
---|---|
+conditions + + +[]Kubernetes meta/v1.Condition + + + |
+
+(Optional)
+ Conditions describe the current conditions of the AccessLogPolicy. +Implementations should prefer to express Policy conditions
+using the Known condition types are: +
|
+
+(Appears on:VpcAssociationPolicy) +
+VpcAssociationPolicySpec defines the desired state of VpcAssociationPolicy.
+Field | +Description | +
---|---|
+securityGroupIds + + +[]SecurityGroupId + + + |
+
+(Optional)
+ SecurityGroupIds defines the security groups enforced on the VpcServiceNetworkAssociation. +Security groups does not take effect if AssociateWithVpc is set to false. +For more details, please check the VPC Lattice documentation https://docs.aws.amazon.com/vpc-lattice/latest/ug/security-groups.html + |
+
+associateWithVpc + +bool + + |
+
+(Optional)
+ AssociateWithVpc indicates whether the VpcServiceNetworkAssociation should be created for the current VPC of k8s cluster. +This value will be considered true by default. + |
+
+targetRef + + +sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + + + |
+
+ TargetRef points to the kubernetes Gateway resource that will have this policy attached. +This field is following the guidelines of Kubernetes Gateway API policy attachment. + |
+
+(Appears on:VpcAssociationPolicy) +
+VpcAssociationPolicyStatus defines the observed state of VpcAssociationPolicy.
+Field | +Description | +
---|---|
+conditions + + +[]Kubernetes meta/v1.Condition + + + |
+
+(Optional)
+ Conditions describe the current conditions of the VpcAssociationPolicy. +Implementations should prefer to express Policy conditions
+using the Known condition types are: +
|
+
+Generated with gen-crd-api-reference-docs
+on git commit 5de8f32
.
+
The AccessLogPolicy custom resource allows you to define access logging configurations on +Gateways, HTTPRoutes, and GRPCRoutes by specifying a destination for the access logs to be published to.
+This configuration results in access logs being published to the S3 Bucket, my-bucket
, when traffic
+is sent to any HTTPRoute or GRPCRoute that is a child of Gateway my-hotel
.
apiVersion: application-networking.k8s.aws/v1alpha1
+kind: AccessLogPolicy
+metadata:
+ name: my-access-log-policy
+spec:
+ destinationArn: "arn:aws:s3:::my-bucket"
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ name: my-hotel
+
This configuration results in access logs being published to the CloudWatch Log Group, myloggroup
, when traffic
+is sent to HTTPRoute inventory
.
apiVersion: application-networking.k8s.aws/v1alpha1
+kind: AccessLogPolicy
+metadata:
+ name: my-access-log-policy
+spec:
+ destinationArn: "arn:aws:logs:us-west-2:123456789012:log-group:myloggroup:*"
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: inventory
+
Per the VPC Lattice documentation, + IAM permissions are required to enable access logs:
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Sid": "ManageVPCLatticeAccessLogSetup",
+ "Action": [
+ "logs:CreateLogDelivery",
+ "logs:GetLogDelivery",
+ "logs:UpdateLogDelivery",
+ "logs:DeleteLogDelivery",
+ "logs:ListLogDeliveries",
+ "vpc-lattice:CreateAccessLogSubscription",
+ "vpc-lattice:GetAccessLogSubscription",
+ "vpc-lattice:UpdateAccessLogSubscription",
+ "vpc-lattice:DeleteAccessLogSubscription",
+ "vpc-lattice:ListAccessLogSubscriptions"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
+
AccessLogPolicies fit under the definition of Gateway API Policy Objects. +As a result, status conditions are applied on every modification of an AccessLogPolicy, and can be viewed by describing it.
+The spec of the AccessLogPolicy is valid and has been accepted for reconciliation by the controller.
+The target already has an AccessLogPolicy for the same destination type +(i.e. a target can have 1 AccessLogPolicy for an S3 Bucket, 1 for a CloudWatch Log Group, +and 1 for a Firehose Delivery Stream at a time).
+Any of the following:
+- The target's Group
is not gateway.networking.k8s.io
+- The target's Kind
is not Gateway
, HTTPRoute
, or GRPCRoute
+- The target's namespace does not match the AccessLogPolicy's namespace
The target does not exist.
+Upon successful creation or modification of an AccessLogPolicy, the controller may add or update an annotation in the
+AccessLogPolicy. The annotation applied by the controller has the key
+application-networking.k8s.aws/accessLogSubscription
, and its value is the corresponding VPC Lattice Access Log
+Subscription's ARN.
When an AccessLogPolicy's destinationArn
is changed such that the resource type changes (e.g. from S3 Bucket to CloudWatch Log Group),
+or the AccessLogPolicy's targetRef
is changed, the annotation's value will be updated because a new Access Log Subscription will be created to replace the previous one.
When creation of an AccessLogPolicy fails, no annotation is added to the AccessLogPolicy because no corresponding Access Log Subscription exists.
+When modification or deletion of an AccessLogPolicy fails, the previous value of the annotation is left unchanged because the +corresponding Access Log Subscription is also left unchanged.
+ + + + + + + + + + + + + +Gateway
allows you to configure network traffic through AWS Gateway API Controller.
+When a Gateway is defined with amazon-vpc-lattice
GatewayClass, the controller will watch for the gateway
+and the resources under them, creating required resources under Amazon VPC Lattice.
Internally, a Gateway points to a VPC Lattice service network.
+Service networks are identified by Gateway name (without namespace) - for example, a Gateway named my-gateway
+will point to a VPC Lattice service network my-gateway
. If multiple Gateways share the same name, all of them
+will point to the same service network.
VPC Lattice service networks must be managed separately, as it is a broader concept that can cover resources +outside the Kubernetes cluster. To create and manage a service network, you can either:
+DEFAULT_SERVICE_NETWORK
configuration option on the controller. This will make the controller
+ to create a service network with such name, and associate the cluster VPC to it for you. This is suitable
+ for simple use cases with single service network.Gateways with amazon-vpc-lattice
GatewayClass do not create a single entrypoint to bind Listeners and Routes
+under them. Instead, each Route will have its own domain name assigned. To see an example of how domain names
+are assigned, please refer to our Getting Started Guide.
amazon-vpc-lattice
Terminate
is supported for TLS mode. TLSRoute is currently not supported.certificateRefs
field by Secret
resource.
+ Instead, you can create an ACM certificate and put its ARN to the options
field.Here is a sample configuration that demonstrates how to set up a Gateway
:
apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+ name: my-hotel
+spec:
+ gatewayClassName: amazon-vpc-lattice
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ - name: https
+ protocol: HTTPS
+ port: 443
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - name: unused
+ options:
+ application-networking.k8s.aws/certificate-arn: <certificate-arn>
+
The created Gateway will point to a VPC Lattice service network named my-hotel
. Routes under this Gateway can have
+either http
or https
listener as a parent based on their desired protocol to use.
This Gateway
documentation provides a detailed introduction, feature set, and a basic example of how to configure
+and use the resource within AWS Gateway API Controller project. For in-depth details and specifications, you can refer to the
+official Gateway API documentation.
With integration of the Gateway API, AWS Gateway API Controller supports GRPCRoute
.
+This allows you to define and manage the routing of gRPC traffic within your Kubernetes cluster.
Features:
+GRPCRoute
allows for matching by:Limitations:
+GRPCRoute
sectionName must refer to an HTTPS listener in the parent Gateway
.GRPCRoute
does not support integration with ServiceExport
.application-networking.k8s.aws/lattice-assigned-domain-name
GRPCRoute
is programmed and ready.Here is a sample configuration that demonstrates how to set up a GRPCRoute
for a HelloWorld gRPC service:
apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: GRPCRoute
+metadata:
+ name: greeter-grpc-route
+spec:
+ parentRefs:
+ - name: my-hotel
+ sectionName: https
+ rules:
+ - matches:
+ - headers:
+ - name: testKey1
+ value: testValue1
+ backendRefs:
+ - name: greeter-grpc-server
+ kind: Service
+ port: 50051
+ weight: 10
+ - matches:
+ - method:
+ service: helloworld.Greeter
+ method: SayHello
+ backendRefs:
+ - name: greeter-grpc-server
+ kind: Service
+ port: 443
+
In this example:
+GRPCRoute
is named greeter-grpc-route
and is associated with a parent gateway named my-hotel
that has
+ a section named https
.greeter-grpc-server
on port 50051
.
+ The rule also specifies a header match condition, where traffic must have a header with the name testKey1
and
+ value testValue1
for the routing rule to apply.helloworld.Greeter
and method SayHello
, forwarding it to
+ the greeter-grpc-server
on port 443
.This GRPCRoute
documentation provides a detailed introduction, feature set, and a basic example of how to configure
+and use the resource within AWS Gateway API Controller project. For in-depth details and specifications, you can refer to the
+official Gateway API documentation.
With integration of the Gateway API, AWS Gateway API Controller supports HTTPRoute
.
+This allows you to define and manage the routing of HTTP and HTTPS traffic within your Kubernetes cluster.
Features:
+HTTPRoute
allows for matching by:Limitations:
+HTTPRoute
sectionName must refer to an HTTP or HTTPS listener in the parent Gateway
.application-networking.k8s.aws/lattice-assigned-domain-name
HTTPRoute
is programmed and ready.Here is a sample configuration that demonstrates how to set up an HTTPRoute
that forwards HTTP traffic to a
+Service and ServiceImport, using rules to determine which backendRef to route traffic to.
apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: inventory
+spec:
+ parentRefs:
+ - name: my-hotel
+ sectionName: http
+ rules:
+ - backendRefs:
+ - name: inventory-ver1
+ kind: Service
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /ver1
+ - backendRefs:
+ - name: inventory-ver2
+ kind: ServiceImport
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /ver2
+
In this example:
+HTTPRoute
is named inventory
and is associated with a parent gateway named my-hotel
that has
+ a section named http
.inventory-ver1
on port 80
.
+ The rule also specifies a path match condition, where traffic must have a path starting with /ver1
for the routing
+ rule to apply.inventory-ver2
on port 80
.
+ The rule also specifies a path match condition, where traffic must have a path starting with /ver2
for the routing
+ rule to apply.Here is a sample configuration that demonstrates how to set up a HTTPRoute
that forwards HTTP and HTTPS traffic to a
+Service and ServiceImport, using weighted rules to route more traffic to one backendRef than the other. Weighted rules
+simplify the process of creating blue/green deployments by shifting rule weight from one backendRef to another.
apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+ name: inventory
+spec:
+ parentRefs:
+ - name: my-hotel
+ sectionName: http
+ - name: my-hotel
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: inventory-ver1
+ kind: Service
+ port: 80
+ weight: 10
+ - name: inventory-ver2
+ kind: ServiceImport
+ port: 80
+ weight: 90
+
In this example:
+HTTPRoute
is named inventory
and is associated with a parent gateway named my-hotel
that has
+ two sections, named http
and https
.inventory-ver1
on port 80
.
+ The rule also specifies a weight of 10
.inventory-ver2
on port 80
.
+ The rule also specifies a weight of 90
.(rule weight / total weight) * 100%
. Thus, 10% of the traffic is
+ forwarded to inventory-ver1
at port 80
and 90% of the traffic is forwarded to inventory-ver2
at the default port.This HTTPRoute
documentation provides a detailed introduction, feature set, and a basic example of how to configure
+and use the resource within AWS Gateway API Controller project. For in-depth details and specifications, you can refer to the
+official Gateway API documentation.
VPC Lattice Auth Policies are IAM policy documents that are attached to VPC Lattice Service Networks or Services to control +authorization of principal's access the attached Service Network's Services, or the specific attached Service.
+IAMAuthPolicy implements Direct Policy Attachment of Gateway APIs GEP-713: Metaresources and Policy Attachment. +An IAMAuthPolicy can be attached to a Gateway, HTTPRoute, or GRPCRoute.
+Please visit the VPC Lattice Auth Policy documentation page +for more details about Auth Policies.
+Note: IAMAuthPolicy can only do authorization for traffic that travels through Gateways, HTTPRoutes, and GRPCRoutes. +The authorization will not take effect if the client directly sends traffic to the k8s service DNS.
+This article +is also a good reference on how to set up VPC Lattice Auth Policies in Kubernetes.
+This configuration attaches a policy to the Gateway, default/my-hotel
. The policy only allows traffic
+with the header, header1=value1
, through the Gateway. This means, for every child HTTPRoute and GRPCRoute of the
+Gateway, only traffic with the specified header will be authorized to access it.
apiVersion: application-networking.k8s.aws/v1alpha1
+kind: IAMAuthPolicy
+metadata:
+ name: test-iam-auth-policy
+spec:
+ targetRef:
+ group: "gateway.networking.k8s.io"
+ kind: Gateway
+ name: my-hotel
+ policy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": "*",
+ "Action": "vpc-lattice-svcs:Invoke",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "vpc-lattice-svcs:RequestHeader/header1": "value1"
+ }
+ }
+ }
+ ]
+ }
+
This configuration attaches a policy to the HTTPRoute, examplens/my-route
. The policy only allows
+traffic from the principal, 123456789012
, to the HTTPRoute. Note that the traffic from the specified principal must
+be SIGv4-signed to be authorized.
apiVersion: application-networking.k8s.aws/v1alpha1
+kind: IAMAuthPolicy
+metadata:
+ name: test-iam-auth-policy
+spec:
+ targetRef:
+ group: "gateway.networking.k8s.io"
+ kind: HTTPRoute
+ namespace: examplens
+ name: my-route
+ policy: |
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": "123456789012",
+ "Action": "vpc-lattice-svcs:Invoke",
+ "Resource": "*"
+ }
+ ]
+ }
+
In AWS Gateway API Controller, ServiceExport
enables a Service for multi-cluster traffic setup.
+Clusters can import the exported service with ServiceImport
resource.
Internally, creating a ServiceExport creates a standalone VPC Lattice target group. +Even without ServiceImports, creating ServiceExports can be useful in case you only need the target groups created; +for example, using target groups in the VPC Lattice setup outside Kubernetes.
+Note that ServiceExport is not the implementation of Kubernetes Multicluster Service APIs; +instead AWS Gateway API Controller uses its own version of the resource for the purpose of Gateway API integration.
+application-networking.k8s.aws/port
The following yaml will create a ServiceExport for a Service named service-1
:
+
ServiceImport
is a resource referring to a Service outside the cluster, paired with ServiceExport
+resource defined in the other clusters.
Just like Services, ServiceImports can be a backend reference of HTTPRoutes. Along with the cluster's own Services +(and ServiceImports from even more clusters), you can distribute the traffic across multiple VPCs and clusters.
+Note that ServiceImport is not the implementation of Kubernetes Multicluster Service APIs; +instead AWS Gateway API Controller uses its own version of the resource for the purpose of Gateway API integration.
+application-networking.k8s.aws/aws-eks-cluster-name
application-networking.k8s.aws/aws-vpc
The following yaml imports service-1
exported from the designated cluster.
+
apiVersion: application-networking.k8s.aws/v1alpha1
+kind: ServiceImport
+metadata:
+ name: service-1
+ annotations:
+ application-networking.k8s.aws/aws-eks-cluster-name: "service-1-owner-cluster"
+ application-networking.k8s.aws/aws-vpc: "service-1-owner-vpc-id"
+spec: {}
+
The following example HTTPRoute directs traffic to the above ServiceImport. +
+ + + + + + + + + + + + + +Kubernetes Services define a logical set of Pods and a policy by which to access them, often referred to as a
+microservice. The set of Pods targeted by a Service is determined by a selector
.
Features:
+Limitations:
+selector
and type
fields cannot be updated.ExternalName
type is not supported by this controller.Here's a basic example of a Service that routes traffic to Pods with the label app=MyApp
:
apiVersion: v1
+kind: Service
+metadata:
+ name: my-service
+spec:
+ selector:
+ app: MyApp
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8080
+
In this example:
+my-service
.app=MyApp
.This Service
documentation provides an overview of its key features, limitations, and basic examples of configuration
+within Kubernetes. For detailed specifications and advanced configurations, refer to the official
+Kubernetes Service documentation.
By default, AWS Gateway API Controller assumes plaintext HTTP/1 traffic for backend Kubernetes resources. +TargetGroupPolicy is a CRD that can be attached to Service or ServiceExport, which allows the users to define protocol, protocol version and +health check configurations of those backend resources.
+When attaching a policy to a resource, the following restrictions apply:
+Service
that being backendRef
of HTTPRoute
, GRPCRoute
and TLSRoute
.ServiceExport
.The policy will not take effect if: +- The resource does not exist +- The resource is not referenced by any route +- The resource is referenced by a route of unsupported type +- The ProtocolVersion is non-empty if the TargetGroupPolicy protocol is TCP
+Please check the TargetGroupPolicy API Reference for more details. TargetGroupPolicy API Reference
+These restrictions are not forced; for example, users may create a policy that targets a service that is not created yet. +However, the policy will not take effect unless the target is valid.
+This will enable HTTPS traffic between the gateway and Kubernetes service, with customized health check configuration.
+apiVersion: application-networking.k8s.aws/v1alpha1
+kind: TargetGroupPolicy
+metadata:
+ name: test-policy
+spec:
+ targetRef:
+ group: ""
+ kind: Service
+ name: my-parking-service
+ protocol: HTTPS
+ protocolVersion: HTTP1
+ healthCheck:
+ enabled: true
+ intervalSeconds: 5
+ timeoutSeconds: 1
+ healthyThresholdCount: 3
+ unhealthyThresholdCount: 2
+ path: "/healthcheck"
+ port: 80
+ protocol: HTTP
+ protocolVersion: HTTP1
+ statusMatch: "200"
+
With integration of the Gateway API, AWS Gateway API Controller supports TLSRoute
.
+This allows you to define and manage end-to-end TLS encrypted traffic routing to your Kubernetes clusters.
TLSRoute
sectionName must refer to a TLS
protocol listener with mode: Passthrough
in the parentRefs Gateway
.TLSRoute
only supports to have one rule.TLSRoute
does not support any rule matching condition.hostnames
field with exactly one host name is required.Here is a sample configuration that demonstrates how to set up a TLSRoute
resource to route end-to-end TLS encrypted traffic to a nginx service:
apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+ name: nginx-tls-route
+spec:
+ hostnames:
+ - nginx-test.my-test.com
+ parentRefs:
+ - name: my-hotel-tls-passthrough
+ sectionName: tls
+ rules:
+ - backendRefs:
+ - name: nginx-tls
+ kind: Service
+ port: 443
+
In this example:
+TLSRoute
is named nginx-tls-route
and is associated with a parent gateway named my-hotel-tls-passthrough
that has
+ a listener section named tls
:
+TLSRoute
is configured to route traffic to a k8s service named nginx-tls
on port 443.hostnames
field is set to nginx-test.my-test.com
. The customer must use this hostname to send traffic to the nginx service.For the detailed tls passthrough traffic connectivity setup, please refer the user guide here.
+For the detailed Gateway API TLSRoute
resource specifications, you can refer to the
+Kubernetes official documentation.
For the VPC Lattice tls passthrough Listener configuration details, you can refer to the VPC Lattice documentation.
+ + + + + + + + + + + + + +VpcAssociationPolicy is a Custom Resource Definition (CRD) that can be attached to a Gateway to define the configuration +of the ServiceNetworkVpcAssociation between the Gateway's associated VPC Lattice Service Network and the cluster VPC.
+Source | +Protocol | +Port Range | +Comment | +
---|---|---|---|
Kubernetes cluster VPC CIDR or security group reference | +Protocols defined in the gateway's listener section | +Ports defined in the gateway's listener section | +Allow inbound traffic from current cluster vpc to gateway | +
When attaching a VpcAssociationPolicy to a resource, the following restrictions apply:
+The security group will not take effect if:
+targetRef
gateway does not exist.associateWithVpc
field is set to false.The VPC Lattice UpdateServiceNetworkVpcAssociation
API cannot be used to remove all security groups.
+If you have a VpcAssociationPolicy attached to a gateway that already has security groups applied, updating the VpcAssociationPolicy with empty security group ids or deleting the VpcAssociationPolicy will NOT remove the security groups from the gateway.
To remove security groups, instead, you should delete VPC Association and re-create a new VPC Association without security group ids by following steps:
+1. Update the VpcAssociationPolicy by setting associateWithVpc
to false and empty security group ids.
+2. Update the VpcAssociationPolicy by setting associateWithVpc
to true and empty security group ids.
+Note: Setting
associateWithVpc` to false will disable traffic from the current cluster workloads to the gateway.
This configuration attaches a policy to the Gateway, default/my-hotel
. The ServiceNetworkVpcAssociation between the
+Gateway's corresponding VPC Lattice Service Network and the cluster VPC is updated based on the policy contents.
If the expected ServiceNetworkVpcAssociation does not exist, it is created since associateWithVpc
is set to true
.
+This allows traffic from clients in the cluster VPC to VPC Lattice Services in the associated Service Network.
+Additionally, two security groups (sg-1234567890
and sg-0987654321
) are attached to the ServiceNetworkVpcAssociation.