APIRule

The apirules.gateway.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format the API Gateway Controller listens for. To get the up-to-date CRD and show the output in YAML format, run this command:

kubectl get crd apirules.gateway.kyma-project.io -o yaml

Sample custom resource

This is a sample custom resource (CR) that the API Gateway Controller listens for to expose a service. This example has the rules section specified, which makes the API Gateway Controller create an Oathkeeper Access Rule for the service.


The following tables list all the possible parameters of a given resource together with their descriptions:

CAUTION: If service is not defined at the spec.service level, every rule must define a service at the spec.rules.service level; otherwise, validation fails.

APIRule.gateway.kyma-project.io/v1beta1

Spec:

Parameter | Type | Description
--- | --- | ---
gateway (required) | string | Specifies the Istio Gateway to be used.
host (required) | string | Specifies the URL of the exposed service.
rules (required) | []object | Represents the array of Oathkeeper access rules to be applied.
rules.accessStrategies (required) | []object | Specifies the list of access strategies. All strategies listed in the Oathkeeper documentation are supported.
rules.accessStrategies.config | object | Configures the handler. Configuration keys vary per handler.
rules.accessStrategies.config.jwks_urls | []string | Specifies the array of URLs from which Ory Oathkeeper can retrieve JSON Web Keys for validating JSON Web Tokens. The value must begin with either http://, https://, or file://.
rules.accessStrategies.config.trusted_issuers | []string | If the trusted_issuers field is set, the JWT must contain a value for the claim iss that matches exactly (case-sensitive) one of the values of trusted_issuers. The value must begin with either http://, https://, or file://.
rules.accessStrategies.handler (required) | string | Specifies the name of the handler.
rules.methods (required) | []string | Represents the list of allowed HTTP request methods available for the spec.rules.path.
rules.mutators | []object | Specifies the list of Ory Oathkeeper mutators.
rules.mutators.config | object | Configures the handler. Configuration keys vary per handler.
rules.mutators.handler (required) | string | Specifies the name of the handler.
rules.path (required) | string | Specifies the path of the exposed service.
rules.service | object | Describes the service to expose. Overwrites the spec-level service if defined.
rules.service.external | boolean | Specifies if the service is internal (in cluster) or external.
rules.service.name (required) | string | Specifies the name of the exposed service.
rules.service.namespace | string | Specifies the Namespace of the exposed service. If not defined, it defaults to the APIRule Namespace.
rules.service.port (required) | integer | Specifies the communication port of the exposed service.
rules.timeout | integer | Specifies the timeout, in seconds, for HTTP requests made to spec.rules.path. The maximum timeout is limited to 3900 seconds (65 minutes). Timeout definitions set at this level take precedence over any timeout defined at the spec.timeout level.
service | object | Describes the service to expose.
service.external | boolean | Specifies if the service is internal (in cluster) or external.
service.name (required) | string | Specifies the name of the exposed service.
service.namespace | string | Specifies the Namespace of the exposed service. If not defined, it defaults to the APIRule Namespace.
service.port (required) | integer | Specifies the communication port of the exposed service.
timeout | integer | Specifies the timeout, in seconds, for HTTP requests for all Oathkeeper access rules. However, this value can be overridden for each individual rule. The maximum timeout is limited to 3900 seconds (65 minutes). If no timeout is specified, the default timeout of 180 seconds applies.
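The following is an added example, not code from the Kyma project: a local pre-apply check that mirrors the constraints this reference states for v1beta1 (required fields, the CAUTION about spec.service versus spec.rules.service, the 3900-second timeout cap, and the http://, https://, or file:// prefix for jwks_urls and trusted_issuers), run against a constructed sample APIRule whose gateway, host, service names and issuer are placeholders. It does not replace the controller's own validation.

```python
"""Sanity checks for an APIRule v1beta1 mirroring the constraints the CRD reference states (added example)."""
MAX_TIMEOUT = 3900                                # seconds (65 minutes), the documented upper bound
URL_SCHEMES = ("http://", "https://", "file://")  # allowed prefixes for jwks_urls and trusted_issuers

# Constructed sample CR: gateway, host, service names and issuer are placeholders, not real values.
SAMPLE_APIRULE = {
    "apiVersion": "gateway.kyma-project.io/v1beta1",
    "kind": "APIRule",
    "metadata": {"name": "httpbin", "namespace": "default"},
    "spec": {
        "gateway": "kyma-gateway.kyma-system.svc.cluster.local",
        "host": "httpbin.example.com",
        "service": {"name": "httpbin", "port": 8000},  # spec-level service, inherited by rules
        "timeout": 30,
        "rules": [
            {"path": "/headers", "methods": ["GET"],
             "accessStrategies": [{"handler": "jwt", "config": {
                 "jwks_urls": ["https://issuer.example.com/.well-known/jwks.json"],
                 "trusted_issuers": ["https://issuer.example.com"]}}]},
            {"path": "/anything", "methods": ["GET", "POST"], "timeout": 60,
             "service": {"name": "httpbin-v2", "port": 8080},  # rule-level service overrides spec.service
             "accessStrategies": [{"handler": "noop"}]},
        ],
    },
}

def _check_timeout(value, where, errors):
    # spec.timeout and rules[].timeout are both capped at 3900 seconds.
    if value is not None and not 0 < value <= MAX_TIMEOUT:
        errors.append(f"{where}: {value} exceeds the {MAX_TIMEOUT}-second maximum")

def validate_apirule(cr: dict) -> list:
    """Return a list of violations; an empty list means the CR passes these checks."""
    errors, spec = [], cr.get("spec", {})
    errors += [f"spec.{k} is required" for k in ("gateway", "host", "rules") if k not in spec]
    _check_timeout(spec.get("timeout"), "spec.timeout", errors)
    for i, rule in enumerate(spec.get("rules", [])):
        where = f"spec.rules[{i}]"
        errors += [f"{where}.{k} is required" for k in ("path", "methods", "accessStrategies") if k not in rule]
        if spec.get("service") is None and rule.get("service") is None:  # the CAUTION in the reference
            errors.append(f"{where}.service is required because spec.service is not set")
        _check_timeout(rule.get("timeout"), f"{where}.timeout", errors)
        for j, strategy in enumerate(rule.get("accessStrategies", [])):
            if "handler" not in strategy:
                errors.append(f"{where}.accessStrategies[{j}].handler is required")
            for field in ("jwks_urls", "trusted_issuers"):
                for url in strategy.get("config", {}).get(field, []):
                    if not url.startswith(URL_SCHEMES):
                        errors.append(f"{where}.accessStrategies[{j}].config.{field}: {url!r} must start with http://, https:// or file://")
    return errors
```

Calling validate_apirule(SAMPLE_APIRULE) returns an empty list; removing spec.service from the sample without adding a service to the first rule, or setting a timeout above 3900, produces a violation naming the offending field.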

Status:

Parameter | Type | Description
--- | --- | ---
APIRuleStatus | object | Describes the status of APIRule.
APIRuleStatus.code | string | Status code describing APIRule.
APIRuleStatus.desc | string | Explains the status of APIRule.
accessRuleStatus | object | Describes the status of ORY Oathkeeper Rule.
accessRuleStatus.code | string | Status code describing ORY Oathkeeper Rule.
accessRuleStatus.desc | string | Explains the status of ORY Oathkeeper Rule.
authorizationPolicyStatus | object | Describes the status of the Istio Authorization Policy subresource.
authorizationPolicyStatus.code | string | Status code describing the Istio Authorization Policy subresource.
authorizationPolicyStatus.desc | string | Explains the status of the Istio Authorization Policy subresource.
lastProcessedTime | string | Indicates the timestamp when the API Gateway controller last processed APIRule.
observedGeneration | integer | Specifies the generation of the resource that was observed by the API Gateway controller.
requestAuthenticationStatus | object | Describes the status of the Istio Request Authentication subresource.
requestAuthenticationStatus.code | string | Status code describing the state of the Istio Authorization Policy subresource.
requestAuthenticationStatus.desc | string | Explains the status of the Istio Request Authentication subresource.
virtualServiceStatus | object | Describes the status of Istio VirtualService.
virtualServiceStatus.code | string | Status code describing Istio VirtualService.
virtualServiceStatus.desc | string | Explains the status of Istio VirtualService.

APIRule.gateway.kyma-project.io/v1alpha1

CAUTION: Since Kyma 2.5.X, APIRule in version v1alpha1 has been deprecated. Consider using v1beta1.

Spec:

Parameter | Type | Description
--- | --- | ---
gateway (required) | string | Specifies the Istio Gateway to be used.
rules (required) | []object | Represents the array of Oathkeeper access rules to be applied.
rules.accessStrategies (required) | []object | Specifies the list of access strategies. All strategies listed in the Oathkeeper documentation are supported.
rules.accessStrategies.config | object | Configures the handler. Configuration keys vary per handler.
rules.accessStrategies.config.jwks_urls | []string | Specifies the array of URLs from which Ory Oathkeeper can retrieve JSON Web Keys for validating JSON Web Tokens. The value must begin with either http://, https://, or file://.
rules.accessStrategies.config.trusted_issuers | []string | If the trusted_issuers field is set, the JWT must contain a value for the claim iss that matches exactly (case-sensitive) one of the values of trusted_issuers. The value must begin with either http://, https://, or file://.
rules.accessStrategies.handler (required) | string | Specifies the name of the handler.
rules.methods (required) | []string | Represents the list of allowed HTTP request methods available for the spec.rules.path.
rules.mutators | []object | Specifies the list of Ory Oathkeeper mutators.
rules.mutators.config | object | Configures the handler. Configuration keys vary per handler.
rules.mutators.handler (required) | string | Specifies the name of the handler.
rules.path (required) | string | Specifies the path of the exposed service.
service (required) | object | Describes the service to expose.
service.external | boolean | Specifies if the service is internal (in cluster) or external.
service.host (required) | string | Specifies the URL of the exposed service.
service.name (required) | string | Specifies the name of the exposed service.
service.port (required) | integer | Specifies the communication port of the exposed service.

Status:

Parameter | Type | Description
--- | --- | ---
APIRuleStatus | object | Describes the status of APIRule.
APIRuleStatus.code | string | Status code describing APIRule.
APIRuleStatus.desc | string | Explains the status of APIRule.
accessRuleStatus | object | Describes the status of ORY Oathkeeper Rule.
accessRuleStatus.code | string | Status code describing ORY Oathkeeper Rule.
accessRuleStatus.desc | string | Explains the status of ORY Oathkeeper Rule.
lastProcessedTime | string | Indicates the timestamp when the API Gateway controller last processed APIRule.
observedGeneration | integer | Specifies the generation of the resource that was observed by the API Gateway controller.
virtualServiceStatus | object | Describes the status of Istio VirtualService.
virtualServiceStatus.code | string | Status code describing Istio VirtualService.
virtualServiceStatus.desc | string | Explains the status of Istio VirtualService.

Status codes

These are the status codes used to describe the VirtualServices and Oathkeeper Access Rules:

Code | Description
--- | ---
OK | Resource created.
SKIPPED | Skipped creating a resource.
ERROR | Resource not created.