Skip to search

AgentgatewayBackend

agentgateway.dev / v1alpha1

apiVersion: agentgateway.dev/v1alpha1 kind: AgentgatewayBackend metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object required
Desired backend configuration.
a2a object
A2A backend.
host string required
Hostname or IP address of the A2A backend.
minLength: 1
maxLength: 256
port integer required
Port number of the A2A backend.
format: int32
minimum: 1
maximum: 65535
ai object
LLM backend.
groups []object
Groups in priority order, where each group defines a set of LLM providers. The priority determines the priority of the backend endpoints chosen. Note: provider names must be unique across all providers in all priority groups. Backend policies may target a specific provider by name using `targetRefs[].sectionName`. Example configuration with two priority groups: groups: - providers: - azureopenai: deploymentName: gpt-4o-mini apiVersion: 2024-02-15-preview endpoint: ai-gateway.openai.azure.com - providers: - azureopenai: deploymentName: gpt-4o-mini-2 apiVersion: 2024-02-15-preview endpoint: ai-gateway-2.openai.azure.com policies: auth: secretRef: name: azure-secret
minItems: 1
maxItems: 8
providers []object required
LLM providers within this group. Each provider is treated equally in terms of priority, with automatic weighting based on health.
minItems: 1
maxItems: 16
anthropic object
Anthropic provider settings.
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
azure object
Azure provider with resource-based configuration. Supports both Azure OpenAI and Azure AI Foundry resource types.
apiVersion string
The version of the Azure OpenAI API to use. If unset, defaults to `v1`.
minLength: 1
maxLength: 64
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
projectName string
The Foundry project name, required when `resourceType` is `Foundry`. Used to construct paths: /api/projects/{projectName}/openai/v1/...
minLength: 1
maxLength: 256
resourceName string required
The Azure resource name used to construct the endpoint host. For OpenAI: {resourceName}.openai.azure.com For Foundry: {resourceName}.services.ai.azure.com Note: when the Azure portal "Foundry legacy" template was used, the generated resource name may end in "-resource" (e.g. "myproject-resource"); that suffix is part of the resource name as the user configured it, not part of the hostname suffix agentgateway should append.
minLength: 1
maxLength: 256
resourceType string required
The type of Azure endpoint. Determines the host suffix.
enum: Foundry, OpenAI
azureopenai object
Azure OpenAI provider settings.
apiVersion string
The version of the Azure OpenAI API to use. For more information, see the [Azure OpenAI API version reference](https://learn.microsoft.com/en-us/azure/foundry/openai/reference). If unset, defaults to `v1`.
minLength: 1
maxLength: 64
deploymentName string
The name of the Azure OpenAI model deployment to use. For more information, see the [Azure OpenAI model docs](https://learn.microsoft.com/en-us/azure/foundry/foundry-models/concepts/models-sold-directly-by-azure?view=foundry-classic). This is required if `apiVersion` is not `v1`. For `v1`, the model can be set in the request.
minLength: 1
maxLength: 256
endpoint string required
The endpoint for the Azure OpenAI API to use, such as `my-endpoint.openai.azure.com`. If the scheme is included, it is stripped.
minLength: 1
maxLength: 256
bedrock object
Bedrock provider settings.
guardrail object
Guardrail policy to use for the backend. See <https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html>. If not specified, the AWS Guardrail policy will not be used.
identifier string required
Identifier of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
version string required
Version of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
region string
AWS region to use for the backend. Defaults to `us-east-1` if not specified.
pattern: ^[a-z0-9-]+$
minLength: 1
maxLength: 63
custom object
Custom provider configures a non-managed or self-hosted LLM provider. Use this when the provider target and API formats should be declared explicitly instead of inferred from a managed provider such as OpenAI or Anthropic.
backendRef object
Kubernetes backend that serves this provider. `backendRef` may target only a namespace-local Service or InferencePool. If unset, host and port must be set on the parent provider.
group string
API group of the referenced resource. For example, `gateway.networking.k8s.io`. When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind of the referenced resource. For example, `Service`. Defaults to "Service" when not specified.
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name of the referenced resource.
minLength: 1
maxLength: 253
port integer
Destination port number to use for this resource. Required when the referenced resource is a Kubernetes Service.
format: int32
minimum: 1
maximum: 65535
formats []object required
Provider-native API formats this provider supports.
minItems: 1
maxItems: 6
path string
Default upstream path override for this format. If unset, agentgateway uses the default path for the format.
minLength: 1
maxLength: 1024
type string required
Provider-native API format.
enum: AnthropicTokenCount, Completions, Embeddings, Messages, Realtime, Rerank, Responses
model string
Model name override, such as `gpt-oss`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
gemini object
Gemini provider settings.
model string
Model name override, such as `gemini-2.5-pro`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
host string
Hostname to send requests to. For custom providers without backendRef, host and port specify the target. For managed providers, host and port override the provider default.
minLength: 1
maxLength: 256
name string required
Name of the provider. Policies can target this provider by name.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
openai object
OpenAI provider settings.
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
path string
URL path to use for LLM provider API requests. This is useful when you need to route requests to a different API endpoint while maintaining compatibility with the original provider's API structure. If not specified, the default path for the provider is used.
minLength: 1
maxLength: 1024
pathPrefix string
Overrides the default base path prefix, such as `/v1`, for upstream requests. Path translation for cross-format requests still applies using this prefix. Only supported for OpenAI and Anthropic providers.
minLength: 1
maxLength: 1024
policies object
Policies for communicating with this backend. Policies may also be set in `AgentgatewayPolicy`, or in the top-level `AgentgatewayBackend`. Policies are merged on a field-level basis, with order: `AgentgatewayPolicy` < `AgentgatewayBackend` < `AgentgatewayBackend` LLM provider (this field).
ai object
Settings for AI workloads. This is only applicable when connecting to a `Backend` of type `ai`.
defaults []object
Defaults to merge with user input fields. If the field is already set, the field in the request is used.
minItems: 1
maxItems: 64
field string required
Name of the field.
maxLength: 256
value object required
Default value for the field. This can be any JSON data type.
modelAliases object
Maps friendly model names to actual provider model names. Example: `{"fast": "gpt-3.5-turbo", "smart": "gpt-4-turbo"}`. Note: This field is only applicable when using the agentgateway data plane.
overrides []object
Overrides to merge with user input fields. If the field is already set, the field is overwritten.
minItems: 1
maxItems: 64
field string required
Name of the field.
maxLength: 256
value object required
Default value for the field. This can be any JSON data type.
prompt object
Enriches requests sent to the LLM provider by appending and prepending system prompts. This can be configured only for LLM providers that use the `CHAT` or `CHAT_STREAMING` API route type.
append []object
Messages to append to the prompt sent by the client.
content string required
String content of the message.
role string required
Role of the message. The available roles depend on the backend LLM provider model, such as `SYSTEM` or `USER` in the OpenAI API.
prepend []object
Messages to prepend to the prompt sent by the client.
content string required
String content of the message.
role string required
Role of the message. The available roles depend on the backend LLM provider model, such as `SYSTEM` or `USER` in the OpenAI API.
promptCaching object
Automatic prompt caching for supported providers, currently AWS Bedrock. Reduces API costs by caching static content like system prompts and tool definitions. Only applicable for Bedrock Claude 3+ and Nova models.
cacheMessageOffset integer
Shifts the message cache point further back in the conversation. 0 (default) places it at the second-to-last message. Higher values move it N additional messages towards the start, clamped to bounds.
minimum: 0
cacheMessages boolean
Enables caching for conversation messages. Caches all messages in the conversation for cost savings.
cacheSystem boolean
Enables caching for system prompts. Inserts a cache point after all system messages.
cacheTools boolean
Enables caching for tool definitions. Inserts a cache point after all tool specifications.
minTokens integer
Minimum estimated token count before caching is enabled. Uses rough heuristic (word count × 1.3) to estimate tokens. Bedrock requires at least 1,024 tokens for caching to be effective.
minimum: 0
promptGuard object
Guardrails for LLM requests and responses.
request []object
Prompt guards to apply to requests sent by the client.
minItems: 1
maxItems: 8
bedrockGuardrails object
AWS Bedrock Guardrails settings for prompt guarding.
identifier string required
Identifier of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
policies object
Policies for communicating with AWS Bedrock Guardrails.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
region string required
AWS region where the guardrail is deployed, for example `us-west-2`).
minLength: 1
maxLength: 256
version string required
Version of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
googleModelArmor object
Google Model Armor settings for prompt guarding.
location string
Google Cloud location, for example `us-central1`. Defaults to `us-central1` if not specified.
minLength: 1
maxLength: 256
policies object
Policies for communicating with Google Model Armor.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
projectId string required
Google Cloud project ID.
minLength: 1
maxLength: 256
templateId string required
Template ID for Google Model Armor.
minLength: 1
maxLength: 256
openAIModeration object
Passes prompt data through the OpenAI Moderations endpoint. See https://developers.openai.com/api/reference/resources/moderations for more information.
model string
Moderation model to use. For example, `omni-moderation`.
policies object
Policies for communicating with OpenAI.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
regex object
Regular expression (regex) matching for prompt guards and data masking.
action string
The action to take if a regex pattern is matched in a request or response. This setting applies only to request matches. `PromptguardResponse` matches are always masked by default. Defaults to `Mask`.
enum: Mask, Reject
builtins []string
Built-in regex patterns to match against the request or response. Matches and built-ins are additive.
matches []string
Regex patterns to match against the request or response. Matches and built-ins are additive.
response object
Custom response message to return to the client. If not specified, defaults to `The request was rejected due to inappropriate content`.
message string
Custom response message to return to the client. If not specified, defaults to `The request was rejected due to inappropriate content`.
statusCode integer
Status code to return to the client. Defaults to 403.
format: int32
minimum: 200
maximum: 599
webhook object
Webhook that receives requests for prompt guarding.
backendRef object required
Webhook server to reach. Supported types: Service and Backend.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
failureMode string
Behavior when the webhook guardrail is unavailable or returns an error. `FailOpen` allows the request to continue. `FailClosed` (default) rejects the request.
enum: FailClosed, FailOpen
forwardHeaderMatches []object
HTTP header matches used to select the headers to forward to the webhook. Request headers are used when forwarding requests and response headers are used when forwarding responses. By default, no headers are forwarded.
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for "Set-Cookie".
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
type string
Type specifies how to match against the value of the header. Support: Core (Exact) Support: Implementation-specific (RegularExpression) Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.
enum: Exact, RegularExpression
value string required
Value is the value of HTTP Header to be matched. <gateway:experimental:description> Must consist of printable US-ASCII characters, optionally separated by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 </gateway:experimental:description> <gateway:experimental:validation:Pattern=`^[!-~]+([\t ]?[!-~]+)*$`>
minLength: 1
maxLength: 4096
response []object
Prompt guards to apply to responses returned by the LLM provider.
minItems: 1
maxItems: 8
bedrockGuardrails object
AWS Bedrock Guardrails settings for prompt guarding.
identifier string required
Identifier of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
policies object
Policies for communicating with AWS Bedrock Guardrails.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
region string required
AWS region where the guardrail is deployed, for example `us-west-2`).
minLength: 1
maxLength: 256
version string required
Version of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
googleModelArmor object
Google Model Armor settings for prompt guarding.
location string
Google Cloud location, for example `us-central1`. Defaults to `us-central1` if not specified.
minLength: 1
maxLength: 256
policies object
Policies for communicating with Google Model Armor.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
projectId string required
Google Cloud project ID.
minLength: 1
maxLength: 256
templateId string required
Template ID for Google Model Armor.
minLength: 1
maxLength: 256
regex object
Regular expression (regex) matching for prompt guards and data masking.
action string
The action to take if a regex pattern is matched in a request or response. This setting applies only to request matches. `PromptguardResponse` matches are always masked by default. Defaults to `Mask`.
enum: Mask, Reject
builtins []string
Built-in regex patterns to match against the request or response. Matches and built-ins are additive.
matches []string
Regex patterns to match against the request or response. Matches and built-ins are additive.
response object
Custom response message to return to the client. If not specified, defaults to `The response was rejected due to inappropriate content`.
message string
Custom response message to return to the client. If not specified, defaults to `The request was rejected due to inappropriate content`.
statusCode integer
Status code to return to the client. Defaults to 403.
format: int32
minimum: 200
maximum: 599
webhook object
Webhook that receives responses for prompt guarding.
backendRef object required
Webhook server to reach. Supported types: Service and Backend.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
failureMode string
Behavior when the webhook guardrail is unavailable or returns an error. `FailOpen` allows the request to continue. `FailClosed` (default) rejects the request.
enum: FailClosed, FailOpen
forwardHeaderMatches []object
HTTP header matches used to select the headers to forward to the webhook. Request headers are used when forwarding requests and response headers are used when forwarding responses. By default, no headers are forwarded.
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for "Set-Cookie".
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
type string
Type specifies how to match against the value of the header. Support: Core (Exact) Support: Implementation-specific (RegularExpression) Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.
enum: Exact, RegularExpression
value string required
Value is the value of HTTP Header to be matched. <gateway:experimental:description> Must consist of printable US-ASCII characters, optionally separated by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 </gateway:experimental:description> <gateway:experimental:validation:Pattern=`^[!-~]+([\t ]?[!-~]+)*$`>
minLength: 1
maxLength: 4096
streaming string
Apply prompt guards to streaming responses and realtime websocket messages. Defaults to disabled to preserve streaming throughput unless explicitly enabled.
enum: Enabled
routes object
Rules for identifying the type of traffic to handle. The keys are URL path suffixes matched using ends-with comparison, for example `"/v1/chat/completions"`. The special `*` wildcard matches any path. If not specified, all traffic defaults to `completions` type.
transformations []object
CEL transformations to compute and set fields in the request body. The expression result overwrites any existing value for that field. This has a higher priority than `overrides` if both are set for the same key.
minItems: 1
maxItems: 64
expression string required
CEL expression used to compute the field value.
minLength: 1
maxLength: 16384
field string required
Name of the field to set.
maxLength: 256
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
health object
Settings for passive and active health checking.
eviction object
Settings for evicting unhealthy backends.
consecutiveFailures integer
Number of consecutive unhealthy responses required before the backend is evicted. For example, a value of 5 means the backend must receive 5 unhealthy responses in a row before being evicted. When both consecutiveFailures and healthThreshold are set, the backend is evicted when either condition is met. When neither is set, a single unhealthy response can trigger eviction.
format: int32
minimum: 0
duration string
Base time a backend should be evicted after being marked unhealthy. Subsequent evictions use multiplicative backoff (duration * times_evicted). If all endpoints are evicted, the load balancer falls back to returning evicted endpoints rather than failing entirely. If unset, defaults to `3s`.
healthThreshold integer
EWMA health score threshold, expressed as 0 to 100. When set, a backend is only evicted if its computed health drops below this value after an unhealthy response. For example, 50 means the backend is evicted when its EWMA health falls below 50% following failures. Unlike consecutiveFailures (which counts consecutive failures), this uses a sliding-window average so a single success in a stream of failures can delay eviction. When both consecutiveFailures and healthThreshold are set, the backend is evicted when either condition is met. When neither is set, a single unhealthy response triggers eviction.
format: int32
minimum: 0
maximum: 100
restoreHealth integer
Health score from 0 to 100 assigned to a backend when it returns from eviction. For gradual recovery, set below 100; for full recovery immediately, set 100. If unset, the backend resumes with the health it had when evicted.
format: int32
minimum: 0
maximum: 100
unhealthyCondition string
CEL expression that determines whether a response indicates an unhealthy backend. When the expression evaluates to true, the backend is considered unhealthy and may be evicted. For example, to evict on 5xx responses: `response.code >= 500`. When unset, any 5xx response, or a connection failure, is treated as unhealthy. This default lowers the backend's health score but does not trigger eviction on its own.
minLength: 1
maxLength: 16384
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
transformation object
Mutates and transforms requests and responses sent to and from the backend.
request object
Request transformation settings.
add []object
Headers to add to the request and what each value should be set to. If there is already a header with these values then append the value as an extra entry.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
body string
HTTP body transformation.
minLength: 1
maxLength: 16384
metadata object
Stores CEL-evaluated values under the `metadata` CEL variable for subsequent policy evaluations. `metadata` is evaluated before header or body transformations.
remove []string
Header names to remove from the request or response.
minItems: 1
maxItems: 16
set []object
Headers to set and the values to use.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
response object
Response transformation settings.
add []object
Headers to add to the request and what each value should be set to. If there is already a header with these values then append the value as an extra entry.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
body string
HTTP body transformation.
minLength: 1
maxLength: 16384
metadata object
Stores CEL-evaluated values under the `metadata` CEL variable for subsequent policy evaluations. `metadata` is evaluated before header or body transformations.
remove []string
Header names to remove from the request or response.
minItems: 1
maxItems: 16
set []object
Headers to set and the values to use.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
port integer
Port to send requests to.
format: int32
minimum: 1
maximum: 65535
vertexai object
Vertex AI provider settings.
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
projectId string required
The ID of the Google Cloud Project that you use for the Vertex AI.
minLength: 1
maxLength: 64
region string
The location of the Google Cloud Project that you use for the Vertex AI. Special values: `global` uses the global endpoint, while `us` and `eu` use restricted multi-region endpoints. Other values are treated as regional locations. Defaults to `global` if not specified.
minLength: 1
maxLength: 64
provider object
Configuration for how to reach the configured LLM provider.
anthropic object
Anthropic provider settings.
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
azure object
Azure provider with resource-based configuration. Supports both Azure OpenAI and Azure AI Foundry resource types.
apiVersion string
The version of the Azure OpenAI API to use. If unset, defaults to `v1`.
minLength: 1
maxLength: 64
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
projectName string
The Foundry project name, required when `resourceType` is `Foundry`. Used to construct paths: /api/projects/{projectName}/openai/v1/...
minLength: 1
maxLength: 256
resourceName string required
The Azure resource name used to construct the endpoint host. For OpenAI: {resourceName}.openai.azure.com For Foundry: {resourceName}.services.ai.azure.com Note: when the Azure portal "Foundry legacy" template was used, the generated resource name may end in "-resource" (e.g. "myproject-resource"); that suffix is part of the resource name as the user configured it, not part of the hostname suffix agentgateway should append.
minLength: 1
maxLength: 256
resourceType string required
The type of Azure endpoint. Determines the host suffix.
enum: Foundry, OpenAI
azureopenai object
Azure OpenAI provider settings.
apiVersion string
The version of the Azure OpenAI API to use. For more information, see the [Azure OpenAI API version reference](https://learn.microsoft.com/en-us/azure/foundry/openai/reference). If unset, defaults to `v1`.
minLength: 1
maxLength: 64
deploymentName string
The name of the Azure OpenAI model deployment to use. For more information, see the [Azure OpenAI model docs](https://learn.microsoft.com/en-us/azure/foundry/foundry-models/concepts/models-sold-directly-by-azure?view=foundry-classic). This is required if `apiVersion` is not `v1`. For `v1`, the model can be set in the request.
minLength: 1
maxLength: 256
endpoint string required
The endpoint for the Azure OpenAI API to use, such as `my-endpoint.openai.azure.com`. If the scheme is included, it is stripped.
minLength: 1
maxLength: 256
bedrock object
Bedrock provider settings.
guardrail object
Guardrail policy to use for the backend. See <https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html>. If not specified, the AWS Guardrail policy will not be used.
identifier string required
Identifier of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
version string required
Version of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
region string
AWS region to use for the backend. Defaults to `us-east-1` if not specified.
pattern: ^[a-z0-9-]+$
minLength: 1
maxLength: 63
custom object
Custom provider configures a non-managed or self-hosted LLM provider. Use this when the provider target and API formats should be declared explicitly instead of inferred from a managed provider such as OpenAI or Anthropic.
backendRef object
Kubernetes backend that serves this provider. `backendRef` may target only a namespace-local Service or InferencePool. If unset, host and port must be set on the parent provider.
group string
API group of the referenced resource. For example, `gateway.networking.k8s.io`. When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind of the referenced resource. For example, `Service`. Defaults to "Service" when not specified.
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name of the referenced resource.
minLength: 1
maxLength: 253
port integer
Destination port number to use for this resource. Required when the referenced resource is a Kubernetes Service.
format: int32
minimum: 1
maximum: 65535
formats []object required
Provider-native API formats this provider supports.
minItems: 1
maxItems: 6
path string
Default upstream path override for this format. If unset, agentgateway uses the default path for the format.
minLength: 1
maxLength: 1024
type string required
Provider-native API format.
enum: AnthropicTokenCount, Completions, Embeddings, Messages, Realtime, Rerank, Responses
model string
Model name override, such as `gpt-oss`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
gemini object
Gemini provider settings.
model string
Model name override, such as `gemini-2.5-pro`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
host string
Hostname to send requests to. For custom providers without backendRef, host and port specify the target. For managed providers, host and port override the provider default.
minLength: 1
maxLength: 256
openai object
OpenAI provider settings.
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
path string
URL path to use for LLM provider API requests. This is useful when you need to route requests to a different API endpoint while maintaining compatibility with the original provider's API structure. If not specified, the default path for the provider is used.
minLength: 1
maxLength: 1024
pathPrefix string
Overrides the default base path prefix, such as `/v1`, for upstream requests. Path translation for cross-format requests still applies using this prefix. Only supported for OpenAI and Anthropic providers.
minLength: 1
maxLength: 1024
port integer
Port to send requests to.
format: int32
minimum: 1
maximum: 65535
vertexai object
Vertex AI provider settings.
model string
Model name override, such as `gpt-4o-mini`. If unset, the model name is taken from the request.
minLength: 1
maxLength: 256
projectId string required
The ID of the Google Cloud Project that you use for the Vertex AI.
minLength: 1
maxLength: 64
region string
The location of the Google Cloud Project that you use for the Vertex AI. Special values: `global` uses the global endpoint, while `us` and `eu` use restricted multi-region endpoints. Other values are treated as regional locations. Defaults to `global` if not specified.
minLength: 1
maxLength: 64
aws object
AWS service backend, such as AgentCore.
agentCore object
Amazon Bedrock AgentCore backend settings.
agentRuntimeArn string required
ARN of the AgentCore runtime.
qualifier string
Alias or version qualifier.
dynamicForwardProxy object
Dynamically sends requests to the destination based on the incoming request HTTP host header, or TLS SNI for TLS traffic. Warning: this backend type can send requests to arbitrary destinations. Proper access controls must be put in place when using this backend type.
mcp object
MCP backend.
failureMode string
Behavior when MCP targets fail to initialize or become unavailable at runtime. `FailOpen` skips failed targets and continues serving from healthy ones. `FailClosed` (default) fails the entire session if any target fails.
enum: FailClosed, FailOpen
sessionRouting string
MCP session routing behavior. Defaults to `Stateful` if not set.
enum: Stateful, Stateless
targets []object required
MCP targets to use for this backend. Policies targeting MCP targets must use `targetRefs[].sectionName` to select the target by name.
minItems: 1
maxItems: 32
name string required
Name of the MCP target.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
selector object
Label selector used to select `Service` resources. If policies are needed on a per-service basis, `AgentgatewayPolicy` can target the desired `Service`.
namespaces object
`namespace` is the label selector for namespaces that `Service` resources should be selected from. If unset, only the namespace of the `AgentgatewayBackend` is searched.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
services object
`services` is the label selector for which `Service` resources should be selected.
matchExpressions []object
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key string required
key is the label key that the selector applies to.
operator string required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values []string
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels object
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
static object
Static MCP destination. When connecting to in-cluster `Service` resources, it is recommended to use `selector` instead.
backendRef object
Namespace-local `Service` resource by name. When set, this replaces `host` only; `port`, `path`, and `protocol` remain configured on this target.
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
host string
Hostname or IP address of the MCP target.
minLength: 1
maxLength: 256
path string
URL path of the MCP target endpoint. Defaults to `"/sse"` for the `SSE` protocol or `"/mcp"` for the `StreamableHTTP` protocol if not specified.
minLength: 1
maxLength: 1024
policies object
Policies for communicating with this backend. Policies may also be set in `AgentgatewayPolicy`, or in the top-level `AgentgatewayBackend`. Policies are merged on a field-level basis, with order: `AgentgatewayPolicy` < `AgentgatewayBackend` < `AgentgatewayBackend` MCP (this field). This field may only be used with host-based static targets, not `backendRef`.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
port integer required
Port number of the MCP target.
format: int32
minimum: 1
maximum: 65535
protocol string
Protocol to use for the connection to the MCP target.
enum: SSE, StreamableHTTP
policies object
Policies for communicating with this backend. Policies may also be set with AgentgatewayPolicy. Backend policies take precedence over policy resources when they set the same field.
ai object
Settings for AI workloads. This is only applicable when connecting to a `Backend` of type `ai`.
defaults []object
Defaults to merge with user input fields. If the field is already set, the field in the request is used.
minItems: 1
maxItems: 64
field string required
Name of the field.
maxLength: 256
value object required
Default value for the field. This can be any JSON data type.
modelAliases object
Maps friendly model names to actual provider model names. Example: `{"fast": "gpt-3.5-turbo", "smart": "gpt-4-turbo"}`. Note: This field is only applicable when using the agentgateway data plane.
overrides []object
Overrides to merge with user input fields. If the field is already set, the field is overwritten.
minItems: 1
maxItems: 64
field string required
Name of the field.
maxLength: 256
value object required
Default value for the field. This can be any JSON data type.
prompt object
Enriches requests sent to the LLM provider by appending and prepending system prompts. This can be configured only for LLM providers that use the `CHAT` or `CHAT_STREAMING` API route type.
append []object
Messages to append to the prompt sent by the client.
content string required
String content of the message.
role string required
Role of the message. The available roles depend on the backend LLM provider model, such as `SYSTEM` or `USER` in the OpenAI API.
prepend []object
Messages to prepend to the prompt sent by the client.
content string required
String content of the message.
role string required
Role of the message. The available roles depend on the backend LLM provider model, such as `SYSTEM` or `USER` in the OpenAI API.
promptCaching object
Automatic prompt caching for supported providers, currently AWS Bedrock. Reduces API costs by caching static content like system prompts and tool definitions. Only applicable for Bedrock Claude 3+ and Nova models.
cacheMessageOffset integer
Shifts the message cache point further back in the conversation. 0 (default) places it at the second-to-last message. Higher values move it N additional messages towards the start, clamped to bounds.
minimum: 0
cacheMessages boolean
Enables caching for conversation messages. Caches all messages in the conversation for cost savings.
cacheSystem boolean
Enables caching for system prompts. Inserts a cache point after all system messages.
cacheTools boolean
Enables caching for tool definitions. Inserts a cache point after all tool specifications.
minTokens integer
Minimum estimated token count before caching is enabled. Uses rough heuristic (word count × 1.3) to estimate tokens. Bedrock requires at least 1,024 tokens for caching to be effective.
minimum: 0
promptGuard object
Guardrails for LLM requests and responses.
request []object
Prompt guards to apply to requests sent by the client.
minItems: 1
maxItems: 8
bedrockGuardrails object
AWS Bedrock Guardrails settings for prompt guarding.
identifier string required
Identifier of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
policies object
Policies for communicating with AWS Bedrock Guardrails.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
region string required
AWS region where the guardrail is deployed, for example `us-west-2`).
minLength: 1
maxLength: 256
version string required
Version of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
googleModelArmor object
Google Model Armor settings for prompt guarding.
location string
Google Cloud location, for example `us-central1`. Defaults to `us-central1` if not specified.
minLength: 1
maxLength: 256
policies object
Policies for communicating with Google Model Armor.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
projectId string required
Google Cloud project ID.
minLength: 1
maxLength: 256
templateId string required
Template ID for Google Model Armor.
minLength: 1
maxLength: 256
openAIModeration object
Passes prompt data through the OpenAI Moderations endpoint. See https://developers.openai.com/api/reference/resources/moderations for more information.
model string
Moderation model to use. For example, `omni-moderation`.
policies object
Policies for communicating with OpenAI.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
regex object
Regular expression (regex) matching for prompt guards and data masking.
action string
The action to take if a regex pattern is matched in a request or response. This setting applies only to request matches. `PromptguardResponse` matches are always masked by default. Defaults to `Mask`.
enum: Mask, Reject
builtins []string
Built-in regex patterns to match against the request or response. Matches and built-ins are additive.
matches []string
Regex patterns to match against the request or response. Matches and built-ins are additive.
response object
Custom response message to return to the client. If not specified, defaults to `The request was rejected due to inappropriate content`.
message string
Custom response message to return to the client. If not specified, defaults to `The request was rejected due to inappropriate content`.
statusCode integer
Status code to return to the client. Defaults to 403.
format: int32
minimum: 200
maximum: 599
webhook object
Webhook that receives requests for prompt guarding.
backendRef object required
Webhook server to reach. Supported types: Service and Backend.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
failureMode string
Behavior when the webhook guardrail is unavailable or returns an error. `FailOpen` allows the request to continue. `FailClosed` (default) rejects the request.
enum: FailClosed, FailOpen
forwardHeaderMatches []object
HTTP header matches used to select the headers to forward to the webhook. Request headers are used when forwarding requests and response headers are used when forwarding responses. By default, no headers are forwarded.
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for "Set-Cookie".
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
type string
Type specifies how to match against the value of the header. Support: Core (Exact) Support: Implementation-specific (RegularExpression) Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.
enum: Exact, RegularExpression
value string required
Value is the value of HTTP Header to be matched. <gateway:experimental:description> Must consist of printable US-ASCII characters, optionally separated by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 </gateway:experimental:description> <gateway:experimental:validation:Pattern=`^[!-~]+([\t ]?[!-~]+)*$`>
minLength: 1
maxLength: 4096
response []object
Prompt guards to apply to responses returned by the LLM provider.
minItems: 1
maxItems: 8
bedrockGuardrails object
AWS Bedrock Guardrails settings for prompt guarding.
identifier string required
Identifier of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
policies object
Policies for communicating with AWS Bedrock Guardrails.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
region string required
AWS region where the guardrail is deployed, for example `us-west-2`).
minLength: 1
maxLength: 256
version string required
Version of the Guardrail policy to use for the backend.
minLength: 1
maxLength: 256
googleModelArmor object
Google Model Armor settings for prompt guarding.
location string
Google Cloud location, for example `us-central1`. Defaults to `us-central1` if not specified.
minLength: 1
maxLength: 256
policies object
Policies for communicating with Google Model Armor.
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
projectId string required
Google Cloud project ID.
minLength: 1
maxLength: 256
templateId string required
Template ID for Google Model Armor.
minLength: 1
maxLength: 256
regex object
Regular expression (regex) matching for prompt guards and data masking.
action string
The action to take if a regex pattern is matched in a request or response. This setting applies only to request matches. `PromptguardResponse` matches are always masked by default. Defaults to `Mask`.
enum: Mask, Reject
builtins []string
Built-in regex patterns to match against the request or response. Matches and built-ins are additive.
matches []string
Regex patterns to match against the request or response. Matches and built-ins are additive.
response object
Custom response message to return to the client. If not specified, defaults to `The response was rejected due to inappropriate content`.
message string
Custom response message to return to the client. If not specified, defaults to `The request was rejected due to inappropriate content`.
statusCode integer
Status code to return to the client. Defaults to 403.
format: int32
minimum: 200
maximum: 599
webhook object
Webhook that receives responses for prompt guarding.
backendRef object required
Webhook server to reach. Supported types: Service and Backend.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
failureMode string
Behavior when the webhook guardrail is unavailable or returns an error. `FailOpen` allows the request to continue. `FailClosed` (default) rejects the request.
enum: FailClosed, FailOpen
forwardHeaderMatches []object
HTTP header matches used to select the headers to forward to the webhook. Request headers are used when forwarding requests and response headers are used when forwarding responses. By default, no headers are forwarded.
name string required
Name is the name of the HTTP Header to be matched. Name matching MUST be case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). If multiple entries specify equivalent header names, only the first entry with an equivalent name MUST be considered for a match. Subsequent entries with an equivalent header name MUST be ignored. Due to the case-insensitivity of header names, "foo" and "Foo" are considered equivalent. When a header is repeated in an HTTP request, it is implementation-specific behavior as to how this is represented. Generally, proxies should follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding processing a repeated header, with special handling for "Set-Cookie".
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
type string
Type specifies how to match against the value of the header. Support: Core (Exact) Support: Implementation-specific (RegularExpression) Since RegularExpression HeaderMatchType has implementation-specific conformance, implementations can support POSIX, PCRE or any other dialects of regular expressions. Please read the implementation's documentation to determine the supported dialect.
enum: Exact, RegularExpression
value string required
Value is the value of HTTP Header to be matched. <gateway:experimental:description> Must consist of printable US-ASCII characters, optionally separated by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 </gateway:experimental:description> <gateway:experimental:validation:Pattern=`^[!-~]+([\t ]?[!-~]+)*$`>
minLength: 1
maxLength: 4096
streaming string
Apply prompt guards to streaming responses and realtime websocket messages. Defaults to disabled to preserve streaming throughput unless explicitly enabled.
enum: Enabled
routes object
Rules for identifying the type of traffic to handle. The keys are URL path suffixes matched using ends-with comparison, for example `"/v1/chat/completions"`. The special `*` wildcard matches any path. If not specified, all traffic defaults to `completions` type.
transformations []object
CEL transformations to compute and set fields in the request body. The expression result overwrites any existing value for that field. This has a higher priority than `overrides` if both are set for the same key.
minItems: 1
maxItems: 64
expression string required
CEL expression used to compute the field value.
minLength: 1
maxLength: 16384
field string required
Name of the field to set.
maxLength: 256
auth object
Settings for managing authentication to the backend.
aws object
Explicit AWS authentication method for the backend. When omitted, default AWS SDK credential discovery is used.
assumeRole object
AWS STS AssumeRole settings to use before signing backend requests. Ambient AWS credentials are used as the source credentials for STS.
roleArn string required
AWS IAM role ARN to assume.
pattern: ^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$
minLength: 1
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the AWS credentials. When using the default Secret resolver, the `Secret` must have keys `accessKey`, `secretKey`, and optionally `sessionToken`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
serviceName string
AWS SigV4 signing service name, for example `bedrock`, `bedrock-agentcore`, or `execute-api`). If unset, typed AWS backends may provide this automatically.
minLength: 1
maxLength: 256
azure object
Azure authentication method for the backend.
managedIdentity object
Managed identity authentication settings.
clientId string required
objectId string required
resourceId string required
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing the Azure credentials. When using the default Secret resolver, the `Secret` must have keys `clientID`, `tenantID`, and `clientSecret`.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
gcp object
Google authentication method for the backend. When omitted, default Google credential discovery is used.
audience string
Explicit `aud` value for the ID token. Only valid with `IdToken` type. If not set, the `aud` is automatically derived from the backend hostname.
minLength: 1
maxLength: 256
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, containing ADC-compatible Google credential JSON. When using the default Secret resolver, this must be stored in the `credentials.json` key. When omitted, ambient credentials are used.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
type string
The type of token to generate. To authenticate to GCP services, generally an `AccessToken` is used. To authenticate to Cloud Run, an `IdToken` is used.
enum: AccessToken, IdToken
key string
Inline key to use as the value of the `Authorization` header. This option is the least secure; usage of a `Secret` is preferred.
maxLength: 2048
location object
Where backend credentials are inserted. If omitted, credentials are written to the `Authorization` header with the `Bearer ` prefix. This applies to `key`, `secretRef`, and `passthrough`.
cookie object
name string required
minLength: 1
maxLength: 256
header object
name string required
HTTPHeaderName is the name of an HTTP header. Valid values include: * "Authorization" * "Set-Cookie" Invalid values include: - ":method" - ":" is an invalid character. This means that HTTP/2 pseudo headers are not currently supported by this type. - "/invalid" - "/ " is an invalid character
pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
prefix string
minLength: 1
maxLength: 256
queryParameter object
name string required
minLength: 1
maxLength: 256
passthrough object
Passes through an existing token that has been sent by the client and validated. Other policies, like JWT and API key authentication, will strip the original client credentials. Passthrough backend authentication causes the original token to be added back into the request. If there are no client authentication policies on the request, the original token would be unchanged, so this would have no effect.
secretRef object
Credential source, defaulting to a Kubernetes `Secret`, storing the key to use as the authorization value. When using the default Secret resolver, this must be stored in the `Authorization` key.
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
extAuth object
External authentication configuration for requests sent to this backend.
backendRef object
External Authorization server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
cache object
Caches gRPC authorization results. WARNING: the safety of this feature depends on the cache key accurately capturing every request property that the authorization service uses to make a decision. For example, if the service returns different results based on both path and authorization header, both must be included in `key`; otherwise, one request may incorrectly reuse another request's authorization result. If any key expression fails to evaluate or produces an unsupported value, the request is still sent to the authorization service, but its result is not read from or written to the cache.
key []string required
Ordered list of CEL expressions evaluated against the request to construct the cache key.
minItems: 1
maxItems: 16
maxEntries integer
Maximum number of authorization results to keep in the cache. If unset, this defaults to 10000.
format: int32
minimum: 1
ttl string required
Duration string, such as `5m`, or a CEL expression that returns the duration that cached authorization results may be reused, or a timestamp when the cached authorization result expires. The expression is evaluated after the authorization response has been applied to the request.
minLength: 1
maxLength: 16384
failureMode string
Behavior when the external authorization service is unavailable or returns an error. "FailOpen" allows the request to continue. "FailClosed" (default) denies the request.
enum: FailClosed, FailOpen
forwardBody object
Whether to include the HTTP body in the authorization request. If enabled, the request body will be buffered.
maxSize string | integer required
Largest body, in bytes, that will be buffered and sent to the authorization server. If the body size is larger than `maxSize`, then the request will be rejected with a response.
string pattern: ^[+-]?([0-9]+(\.[0-9]*)?|\.[0-9]+)(([KMGTPE]i)|[numkMGTPE]|[eE](\+?0*([0-9]|1[0-8])|-0*[0-9]))?$
string minLength: 1
string maxLength: 32
grpc object
Uses the gRPC External Authorization [protocol](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto) should be used.
contextExtensions object
Additional arbitrary key-value pairs to send to the authorization server in the `context_extensions` field.
requestMetadata object
Metadata to send to the authorization server. This maps to the `metadata_context.filter_metadata` field of the request, and allows dynamic CEL expressions. If unset, by default the `envoy.filters.http.jwt_authn` key is set if the JWT policy is used as well, for compatibility.
http object
Uses HTTP to connect to the authorization server. The authorization server must return a `200` status code, otherwise the request is considered an authorization failure.
addRequestHeaders object
Additional headers to add to the request to the authorization server. While `allowedRequestHeaders` just passes the original headers through, `addRequestHeaders` allows defining custom headers based on CEL expressions.
allowedRequestHeaders []string
Additional headers from the client request that will be sent to the authorization server. If unset, the following headers are sent by default: `Authorization`.
maxItems: 64
allowedResponseHeaders []string
Headers from the authorization response that will be copied into the request to the backend.
maxItems: 64
path string
Path to send to the authorization server. If unset, this defaults to the original request path. This is a CEL expression, which allows customizing the path based on the incoming request. For example, to add a prefix, use `"/prefix/" + request.path`.
minLength: 1
maxLength: 16384
redirect string
Optional expression that determines a path to redirect to on authorization failure. This is useful to redirect to a sign-in page.
minLength: 1
maxLength: 16384
responseMetadata object
Metadata fields to construct from the authorization response. These will be included under the `extauthz` variable in future CEL expressions. Setting this is useful for things like logging usernames, without needing to include them as headers to the backend, as `allowedResponseHeaders` would.
health object
Settings for passive and active health checking.
eviction object
Settings for evicting unhealthy backends.
consecutiveFailures integer
Number of consecutive unhealthy responses required before the backend is evicted. For example, a value of 5 means the backend must receive 5 unhealthy responses in a row before being evicted. When both consecutiveFailures and healthThreshold are set, the backend is evicted when either condition is met. When neither is set, a single unhealthy response can trigger eviction.
format: int32
minimum: 0
duration string
Base time a backend should be evicted after being marked unhealthy. Subsequent evictions use multiplicative backoff (duration * times_evicted). If all endpoints are evicted, the load balancer falls back to returning evicted endpoints rather than failing entirely. If unset, defaults to `3s`.
healthThreshold integer
EWMA health score threshold, expressed as 0 to 100. When set, a backend is only evicted if its computed health drops below this value after an unhealthy response. For example, 50 means the backend is evicted when its EWMA health falls below 50% following failures. Unlike consecutiveFailures (which counts consecutive failures), this uses a sliding-window average so a single success in a stream of failures can delay eviction. When both consecutiveFailures and healthThreshold are set, the backend is evicted when either condition is met. When neither is set, a single unhealthy response triggers eviction.
format: int32
minimum: 0
maximum: 100
restoreHealth integer
Health score from 0 to 100 assigned to a backend when it returns from eviction. For gradual recovery, set below 100; for full recovery immediately, set 100. If unset, the backend resumes with the health it had when evicted.
format: int32
minimum: 0
maximum: 100
unhealthyCondition string
CEL expression that determines whether a response indicates an unhealthy backend. When the expression evaluates to true, the backend is considered unhealthy and may be evicted. For example, to evict on 5xx responses: `response.code >= 500`. When unset, any 5xx response, or a connection failure, is treated as unhealthy. This default lowers the backend's health score but does not trigger eviction on its own.
minLength: 1
maxLength: 16384
http object
Settings for managing HTTP requests to the backend.
requestTimeout string
Deadline for receiving a response from the backend.
version string
HTTP protocol version to use when connecting to the backend. If not specified, the version is automatically determined: * `Service` types can specify it with `appProtocol` on the `Service` port. * If traffic is identified as gRPC, `HTTP2` is used. * If the incoming traffic was plaintext HTTP, the original protocol will be used. * If the incoming traffic was HTTPS, `HTTP1` will be used. This is because most clients will transparently upgrade HTTPS traffic to `HTTP2`, even if the backend doesn't support it.
enum: HTTP1, HTTP2
mcp object
Settings for MCP workloads. This is only applicable when connecting to a `Backend` of type `mcp`.
authentication object
MCP backend-specific authentication rules. This field is deprecated; prefer to use traffic policy `jwtAuthentication.mcp`, which ensures authentication runs before other policies such as transformation and rate limiting.
audiences []string
Allowed audiences that are allowed access. This corresponds to the `aud` claim ([RFC 7519 §4.1.3](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3)). If unset, any audience is allowed.
minItems: 1
maxItems: 64
clientId string
Client ID to use for short-circuiting Dynamic Client Registration. If set, the gateway will not proxy registration requests to the IDP and instead return this client ID.
issuer string
IdP that issued the JWT. This corresponds to the `iss` claim ([RFC 7519 §4.1.1](https://tools.ietf.org/html/rfc7519#section-4.1.1)).
minLength: 1
maxLength: 256
jwks object required
Remote JSON Web Key used to validate the signature of the JWT.
backendRef object required
Remote JWKS server to reach. Supported types are `Service` and static `Backend`. An `AgentgatewayPolicy` containing backend TLS config can then be attached to the `Service` or `Backend` in order to set TLS options for a connection to the remote `jwks` source.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
cacheDuration string
jwksPath string required
Path to the IdP `jwks` endpoint, relative to the root, commonly `".well-known/jwks.json"`.
minLength: 1
maxLength: 2000
mode string
Validation mode for JWT authentication.
enum: Optional, Permissive, Strict
provider string
Identity provider to use for authentication.
enum: Auth0, Keycloak, Okta
resourceMetadata object
Metadata to use for MCP resources.
authorization object
MCP backend authorization. Unlike authorization at the HTTP level, which rejects unauthorized requests with a `403` error, this policy works at the `MCPBackend` level. List operations, such as `list_tools`, will have each item evaluated. Items that do not meet the rule will be filtered. Get or call operations, such as `call_tool`, will evaluate the specific item and reject requests that do not meet the rule.
action string
The effect of this rule when it matches. If unspecified, defaults to `Allow`. `Require` rules are cumulative: all require rules must match.
enum: Allow, Deny, Require
policy object required
The authorization rule to evaluate. * `Allow`: any matching allow rule allows the request. * `Require`: every require rule must match for the request to be allowed. * `Deny`: any matching deny rule denies the request. A CEL expression that fails to evaluate does not match. Prefer `Require` for deny-by-default behavior. If at least one `Allow` rule is configured, requests are denied unless at least one allow rule matches.
matchExpressions []string required
CEL expressions that must all evaluate to true for the rule to match.
minItems: 1
maxItems: 256
guardrails object
`guardrails` routes selected JSON-RPC methods through a remote policy server.
processors []object required
`processors` is the ordered list of policy processors applied to matched methods. Processors run in the order listed; the first to reject a request short-circuits the chain.
minItems: 1
maxItems: 16
methods object required
`methods` is the allowlist of JSON-RPC methods (e.g. `tools/call`, `tools/list`) routed through this processor, keyed by method name with the phase it runs in. Keys may be exact, a prefix wildcard (`tools/*`), a suffix wildcard (`*/list`), or `*` for all methods; the most specific match wins. Methods matching no key, including unknown ones, bypass this processor.
remote object
`remote` configures a gRPC policy server.
allowedRequestHeaders []string
`allowedRequestHeaders` lists the incoming request headers forwarded to the policy server in `McpRequest.headers`. If empty, all headers and pseudo-headers (`:authority`, `:method`, ...) are forwarded. Matching is case-insensitive.
maxItems: 64
backendRef object required
`backendRef` references the remote guardrails policy server. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
disallowedRequestHeaders []string
`disallowedRequestHeaders` lists header names never forwarded to the policy server, even if listed in `allowedRequestHeaders`. Matching is case-insensitive.
maxItems: 64
failureMode string
`failureMode` controls behavior when the policy server is unreachable or returns an error. `FailOpen` allows the request; `FailClosed` (default) denies it.
enum: FailClosed, FailOpen
metadata object
`metadata` is static or CEL-evaluated context surfaced to the policy server as fields of the `metadata_context` google.protobuf.Struct, keyed by config key. Values are CEL expressions.
tcp object
Settings for managing TCP connections to the backend.
connectTimeout string
Deadline for establishing a connection to the destination.
keepalive object
Settings for enabling TCP keepalives on the connection.
interval string
Time between keepalive probes. If unset, this defaults to 180s.
retries integer
Maximum number of keepalive probes to send before dropping the connection. If unset, this defaults to 9.
format: int32
minimum: 1
maximum: 64
time string
Time a connection needs to be idle before keepalive probes start being sent. If unset, this defaults to 180s.
tls object
Settings for managing TLS connections to the backend. If this field is set, TLS will be initiated to the backend; the system trusted CA certificates will be used to validate the server, and the SNI will automatically be set based on the destination.
alpnProtocols []string
Application-Layer Protocol Negotiation (`ALPN`) value to use in the TLS handshake. If not present, defaults to `["h2", "http/1.1"]`.
minItems: 1
maxItems: 16
caCertificateRefs []object
CA certificate `ConfigMap` to use to verify the server certificate. If unset, the system's trusted certificates are used.
maxItems: 1
name string
Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
insecureSkipVerify string
Originates TLS but skips verification of the backend's certificate. WARNING: This is an insecure option that should only be used if the risks are understood. There are two modes: * `All` disables all TLS verification. * `Hostname` verifies the CA certificate is trusted, but ignores any mismatch of hostname or SANs. Note that this method is still insecure; prefer setting `verifySubjectAltNames` to customize the valid hostnames if possible.
enum: All, Hostname
keyExchangeGroups []string
Ordered list of key exchange groups for a TLS connection. For example: `X25519_MLKEM768,X25519`.
mtlsCertificateRef []object
Enables mutual TLS to the backend, using the specified key (`tls.key`) and cert (`tls.crt`) from the referenced credential source, defaulting to a Kubernetes `Secret`. An optional `ca.cert` field, if present, will be used to verify the server certificate. If `caCertificateRefs` is also specified, the `caCertificateRefs` field takes priority. If unspecified, no client certificate will be used.
maxItems: 1
group string
The API group of the referenced credential. Empty selects the core API group.
kind string
The kind of the referenced credential. Empty defaults to `Secret`.
name string required
The name of the referenced credential.
minLength: 1
maxLength: 253
sni string
Server Name Indicator (`SNI`) to use in the TLS handshake. If unset, the `SNI` is automatically set based on the destination hostname.
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
minLength: 1
maxLength: 253
verifySubjectAltNames []string
Subject Alternative Names (`SAN`) to verify in the server certificate. If not present, the destination hostname is automatically used.
minItems: 1
maxItems: 16
transformation object
Mutates and transforms requests and responses sent to and from the backend.
request object
Request transformation settings.
add []object
Headers to add to the request and what each value should be set to. If there is already a header with these values then append the value as an extra entry.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
body string
HTTP body transformation.
minLength: 1
maxLength: 16384
metadata object
Stores CEL-evaluated values under the `metadata` CEL variable for subsequent policy evaluations. `metadata` is evaluated before header or body transformations.
remove []string
Header names to remove from the request or response.
minItems: 1
maxItems: 16
set []object
Headers to set and the values to use.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
response object
Response transformation settings.
add []object
Headers to add to the request and what each value should be set to. If there is already a header with these values then append the value as an extra entry.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
body string
HTTP body transformation.
minLength: 1
maxLength: 16384
metadata object
Stores CEL-evaluated values under the `metadata` CEL variable for subsequent policy evaluations. `metadata` is evaluated before header or body transformations.
remove []string
Header names to remove from the request or response.
minItems: 1
maxItems: 16
set []object
Headers to set and the values to use.
minItems: 1
maxItems: 16
name string required
The name of the header to add.
pattern: ^:?[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
minLength: 1
maxLength: 256
value string required
CEL expression that generates the output value for the header.
minLength: 1
maxLength: 16384
tunnel object
Settings for managing tunnel connections, with behavior like `HTTPS_PROXY`, to the backend.
backendRef object required
Proxy server to reach. Supported types: `Service` and `Backend`.
group string
Group is the group of the referent. For example, "gateway.networking.k8s.io". When unspecified or empty string, core API group is inferred.
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
maxLength: 253
kind string
Kind is the Kubernetes resource kind of the referent. For example "Service". Defaults to "Service" when not specified. ExternalName services can refer to CNAME DNS records that may live outside of the cluster and as such are difficult to reason about in terms of conformance. They also may not be safe to forward to (see CVE-2021-25740 for more information). Implementations SHOULD NOT support ExternalName Services. Support: Core (Services with a type other than ExternalName) Support: Implementation-specific (Services with type ExternalName)
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
minLength: 1
maxLength: 63
name string required
Name is the name of the referent.
minLength: 1
maxLength: 253
namespace string
Namespace is the namespace of the backend. When unspecified, the local namespace is inferred. Note that when a namespace different than the local namespace is specified, a ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. Support: Core
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
minLength: 1
maxLength: 63
port integer
Port specifies the destination port number to use for this resource. Port is required when the referent is a Kubernetes Service. In this case, the port number is the service port number, not the target port. For other resources, destination port might be derived from the referent resource or this field.
format: int32
minimum: 1
maximum: 65535
static object
Static hostname, IP address, or Unix Domain Socket backend.
host string
Host to connect to for TCP backends.
minLength: 1
maxLength: 256
port integer
Port to connect to for TCP backends.
format: int32
minimum: 1
maximum: 65535
unixPath string
Filesystem path to a Unix Domain Socket. The gateway pod must share a volume with the target (e.g., via emptyDir sidecar pattern). Mutually exclusive with host/port.
minLength: 1
status object
Current backend status.
conditions []object
Current condition state for the backend.
maxItems: 8
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316

No matches. Try .spec.a2a for an exact path