APIRule
The apirules.gateway.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format the API Gateway Controller listens for. To get the up-to-date CRD and show the output in the yaml format, run this command:
kubectl get crd apirules.gateway.kyma-project.io -o yaml
Sample custom resource
This is a sample custom resource (CR) that the API Gateway Controller listens for to expose a service. This example has the rules section specified, which makes the API Gateway Controller create an Oathkeeper Access Rule for the service.
The following tables list all the possible parameters of a given resource together with their descriptions:
CAUTION: If service is not defined at the spec.service level, all defined rules must have service defined at the spec.rules.service level, otherwise the validation fails.
APIRule.gateway.kyma-project.io/v1beta1
Spec:
Parameter | Type | Description |
---|---|---|
gateway (required) | string | Specifies the Istio Gateway to be used. |
host (required) | string | Specifies the URL of the exposed service. |
rules (required) | []object | Represents the array of Oathkeeper access rules to be applied. |
rules.accessStrategies (required) | []object | Specifies the list of access strategies. All strategies listed in Oathkeeper documentation are supported. |
rules.accessStrategies.config | object | Configures the handler. Configuration keys vary per handler. |
rules.accessStrategies.config.jwks_urls | []string | Specifies the array of URLs from which Ory Oathkeeper can retrieve JSON Web Keys for validating JSON Web Tokens. The value must begin with either http://, https://, or file://. |
rules.accessStrategies.config.trusted_issuers | []string | If the trusted_issuers field is set, the JWT must contain a value for the claim iss that matches exactly (case-sensitive) one of the values of trusted_issuers. The value must begin with either http://, https://, or file://. |
rules.accessStrategies.handler (required) | string | Specifies the name of the handler. |
rules.methods (required) | []string | Represents the list of allowed HTTP request methods available for the spec.rules.path. |
rules.mutators | []object | Specifies the list of Ory Oathkeeper mutators. |
rules.mutators.config | object | Configures the handler. Configuration keys vary per handler. |
rules.mutators.handler (required) | string | Specifies the name of the handler. |
rules.path (required) | string | Specifies the path of the exposed service. |
rules.service | object | Describes the service to expose. Overwrites the spec level service if defined. |
rules.service.external | boolean | Specifies if the service is internal (in cluster) or external. |
rules.service.name (required) | string | Specifies the name of the exposed service. |
rules.service.namespace | string | Specifies the Namespace of the exposed service. If not defined, it defaults to the APIRule Namespace. |
rules.service.port (required) | integer | Specifies the communication port of the exposed service. |
rules.timeout | integer | Specifies the timeout, in seconds, for HTTP requests made to spec.rules.path. The maximum timeout is limited to 3900 seconds (65 minutes). Timeout definitions set at this level take precedence over any timeout defined at the spec.timeout level. |
service | object | Describes the service to expose. |
service.external | boolean | Specifies if the service is internal (in cluster) or external. |
service.name (required) | string | Specifies the name of the exposed service. |
service.namespace | string | Specifies the Namespace of the exposed service. If not defined, it defaults to the APIRule Namespace. |
service.port (required) | integer | Specifies the communication port of the exposed service. |
timeout | integer | Specifies the timeout, in seconds, for HTTP requests for all Oathkeeper access rules. However, this value can be overridden for each individual rule. The maximum timeout is limited to 3900 seconds (65 minutes). If no timeout is specified, the default timeout of 180 seconds applies. |
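As an added example (not the page's own sample CR), a v1beta1 APIRule that exercises the fields in the table above: a spec-level service with a rule-level override, one unauthenticated rule and two JWT-protected rules pinned to a trusted issuer, and a rule-level timeout overriding spec.timeout. The names, namespaces, host, gateway and issuer URLs are assumptions.

```yaml
apiVersion: gateway.kyma-project.io/v1beta1
kind: APIRule
metadata:
  name: orders-api            # assumed name
  namespace: shop             # assumed namespace
spec:
  # Assumed Istio Gateway and host; replace with the ones used in your cluster.
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  host: orders.example.com
  # spec-level service: used by every rule that does not set rules.service,
  # so the validation rule about rules.service does not apply here.
  service:
    name: orders
    port: 8080
  # Default timeout in seconds for all rules (maximum 3900; 180 if omitted).
  timeout: 30
  rules:
    # Unauthenticated health endpoint, restricted to GET.
    - path: /healthz
      methods: ["GET"]
      accessStrategies:
        - handler: noop
    # JWT-protected endpoint. Oathkeeper fetches signing keys from jwks_urls and
    # rejects tokens whose iss claim is not an exact, case-sensitive match for
    # one of trusted_issuers, so a token minted by another issuer is refused
    # even if it validates against a key published in the JWKS.
    - path: /orders/.*
      methods: ["GET", "POST"]
      accessStrategies:
        - handler: jwt
          config:
            jwks_urls:
              - https://login.example.com/.well-known/jwks.json
            trusted_issuers:
              - https://login.example.com
      timeout: 10   # overrides spec.timeout for this rule only
    # Different backend: rules.service overrides spec.service for this path.
    - path: /reports/.*
      methods: ["GET"]
      service:
        name: reports
        namespace: analytics
        port: 9090
      accessStrategies:
        - handler: jwt
          config:
            jwks_urls: ["https://login.example.com/.well-known/jwks.json"]
            trusted_issuers: ["https://login.example.com"]
```

After applying it, the per-subresource codes under status (APIRuleStatus, accessRuleStatus, virtualServiceStatus and the Istio policy statuses) show whether each generated object was created, skipped or failed.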
Status:
Parameter | Type | Description |
---|---|---|
APIRuleStatus | object | Describes the status of APIRule. |
APIRuleStatus.code | string | Status code describing APIRule. |
APIRuleStatus.desc | string | Explains the status of APIRule. |
accessRuleStatus | object | Describes the status of ORY Oathkeeper Rule. |
accessRuleStatus.code | string | Status code describing ORY Oathkeeper Rule. |
accessRuleStatus.desc | string | Explains the status of ORY Oathkeeper Rule. |
authorizationPolicyStatus | object | Describes the status of the Istio Authorization Policy subresource. |
authorizationPolicyStatus.code | string | Status code describing the Istio Authorization Policy subresource. |
authorizationPolicyStatus.desc | string | Explains the status of the Istio Authorization Policy subresource. |
lastProcessedTime | string | Indicates the timestamp when the API Gateway controller last processed APIRule. |
observedGeneration | integer | Specifies the generation of the resource that was observed by the API Gateway controller. |
requestAuthenticationStatus | object | Describes the status of the Istio Request Authentication subresource. |
requestAuthenticationStatus.code | string | Status code describing the state of the Istio Request Authentication subresource. |
requestAuthenticationStatus.desc | string | Explains the status of the Istio Request Authentication subresource. |
virtualServiceStatus | object | Describes the status of Istio VirtualService. |
virtualServiceStatus.code | string | Status code describing Istio VirtualService. |
virtualServiceStatus.desc | string | Explains the status of Istio VirtualService. |
APIRule.gateway.kyma-project.io/v1alpha1
CAUTION: Since Kyma 2.5.X, APIRule in version v1alpha1 has been deprecated. Consider using v1beta1.
Spec:
Parameter | Type | Description |
---|---|---|
gateway (required) | string | Specifies the Istio Gateway to be used. |
rules (required) | []object | Represents the array of Oathkeeper access rules to be applied. |
rules.accessStrategies (required) | []object | Specifies the list of access strategies. All strategies listed in Oathkeeper documentation are supported. |
rules.accessStrategies.config | object | Configures the handler. Configuration keys vary per handler. |
rules.accessStrategies.config.jwks_urls | []string | Specifies the array of URLs from which Ory Oathkeeper can retrieve JSON Web Keys for validating JSON Web Tokens. The value must begin with either http://, https://, or file://. |
rules.accessStrategies.config.trusted_issuers | []string | If the trusted_issuers field is set, the JWT must contain a value for the claim iss that matches exactly (case-sensitive) one of the values of trusted_issuers. The value must begin with either http://, https://, or file://. |
rules.accessStrategies.handler (required) | string | Specifies the name of the handler. |
rules.methods (required) | []string | Represents the list of allowed HTTP request methods available for the spec.rules.path. |
rules.mutators | []object | Specifies the list of Ory Oathkeeper mutators. |
rules.mutators.config | object | Configures the handler. Configuration keys vary per handler. |
rules.mutators.handler (required) | string | Specifies the name of the handler. |
rules.path (required) | string | Specifies the path of the exposed service. |
service (required) | object | Describes the service to expose. |
service.external | boolean | Specifies if the service is internal (in cluster) or external. |
service.host (required) | string | Specifies the URL of the exposed service. |
service.name (required) | string | Specifies the name of the exposed service. |
service.port (required) | integer | Specifies the communication port of the exposed service. |
Status:
Parameter | Type | Description |
---|---|---|
APIRuleStatus | object | Describes the status of APIRule. |
APIRuleStatus.code | string | Status code describing APIRule. |
APIRuleStatus.desc | string | Explains the status of APIRule. |
accessRuleStatus | object | Describes the status of ORY Oathkeeper Rule. |
accessRuleStatus.code | string | Status code describing ORY Oathkeeper Rule. |
accessRuleStatus.desc | string | Explains the status of ORY Oathkeeper Rule. |
lastProcessedTime | string | Indicates the timestamp when the API Gateway controller last processed APIRule. |
observedGeneration | integer | Specifies the generation of the resource that was observed by the API Gateway controller. |
virtualServiceStatus | object | Describes the status of Istio VirtualService. |
virtualServiceStatus.code | string | Status code describing Istio VirtualService. |
virtualServiceStatus.desc | string | Explains the status of Istio VirtualService. |
Status codes
These are the status codes used to describe the VirtualServices and Oathkeeper Access Rules:
Code | Description |
---|---|
OK | Resource created. |
SKIPPED | Skipped creating a resource. |
ERROR | Resource not created. |