API Rule
The apirules.gateway.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format the API Gateway Controller listens for. To get the up-to-date CRD and show the output in the yaml format, run this command:
kubectl get crd apirules.gateway.kyma-project.io -o yaml
Sample custom resource
This is a sample custom resource (CR) that the API Gateway Controller listens for to expose a service. This example has the rules section specified, which makes the API Gateway Controller create an Oathkeeper Access Rule for the service.
The following tables list all the possible parameters of a given resource together with their descriptions:
CAUTION: If service is not defined at spec.service level, all defined rules must have service defined at spec.rules.service level, otherwise the validation fails.
APIRule.gateway.kyma-project.io/v1beta1
Spec:
Parameter | Type | Description |
---|---|---|
gateway (required) | string | Specifies the Istio Gateway to be used. |
host (required) | string | Specifies the URL of the exposed service. |
rules (required) | []object | Represents the array of Oathkeeper access rules to be applied. |
rules.accessStrategies (required) | []object | Specifies the list of access strategies. All strategies listed in Oathkeeper documentation are supported. |
rules.accessStrategies.config | object | Configures the handler. Configuration keys vary per handler. |
rules.accessStrategies.config.jwks_urls | []string | Specifies the array of URLs from which Ory Oathkeeper can retrieve JSON Web Keys for validating JSON Web Tokens. |
rules.accessStrategies.config.trusted_issuers | []string | If the trusted_issuers field is set, the JWT must contain a value for the claim iss that matches exactly (case-sensitive) one of the values of trusted_issuers. |
rules.accessStrategies.handler (required) | string | Specifies the name of the handler. |
rules.methods (required) | []string | Represents the list of allowed HTTP request methods available for the spec.rules.path. |
rules.mutators | []object | Specifies the list of Ory Oathkeeper mutators. |
rules.mutators.config | object | Configures the handler. Configuration keys vary per handler. |
rules.mutators.handler (required) | string | Specifies the name of the handler. |
rules.path (required) | string | Specifies the path of the exposed service. |
rules.service | object | Describes the service to expose. Overwrites the spec level service if defined. |
rules.service.external | boolean | Specifies if the service is internal (in cluster) or external. |
rules.service.name (required) | string | Specifies the name of the exposed service. |
rules.service.namespace | string | Specifies the Namespace of the exposed service. If not defined, it defaults to the APIRule Namespace. |
rules.service.port (required) | integer | Specifies the communication port of the exposed service. |
service | object | Describes the service to expose. |
service.external | boolean | Specifies if the service is internal (in cluster) or external. |
service.name (required) | string | Specifies the name of the exposed service. |
service.namespace | string | Specifies the Namespace of the exposed service. If not defined, it defaults to the APIRule Namespace. |
service.port (required) | integer | Specifies the port of the exposed service. |
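
The following Python check is an added example, not part of the Kyma documentation or the API Gateway Controller code. It lints a parsed v1beta1 APIRule for the service rule from the CAUTION above, for access strategies that perform no authentication, and for jwt strategies that leave trusted_issuers unset. The function name lint_apirule, the treatment of the noop and allow handlers as unauthenticated, and all values in the sample manifest are assumptions.

```python
# Added example: pre-apply lint for an APIRule v1beta1 manifest already parsed into a dict.
UNAUTHENTICATED = {"noop", "allow"}  # assumption: handlers that perform no authentication


def lint_apirule(manifest):
    """Return a list of findings for one APIRule v1beta1 manifest."""
    spec = manifest.get("spec", {})
    findings = []
    for field in ("gateway", "host", "rules"):
        if not spec.get(field):
            findings.append(f"spec.{field} is required")
    for i, rule in enumerate(spec.get("rules") or []):
        where = f"spec.rules[{i}]"
        # CAUTION from the page: without spec.service, every rule needs its own service.
        if not spec.get("service") and not rule.get("service"):
            findings.append(f"{where}: no service at spec or rule level, validation fails")
        for strategy in rule.get("accessStrategies") or []:
            handler = strategy.get("handler")
            config = strategy.get("config") or {}
            if handler in UNAUTHENTICATED:
                findings.append(f"{where}: handler '{handler}' exposes {rule.get('path')} without authentication")
            elif handler == "jwt":
                if not config.get("jwks_urls"):
                    findings.append(f"{where}: jwt handler has no jwks_urls to fetch keys from")
                if not config.get("trusted_issuers"):
                    findings.append(f"{where}: trusted_issuers not set, iss claim is not pinned")
    return findings


# Constructed sample: name, Namespace, gateway, host and URLs are placeholders.
SAMPLE = {
    "apiVersion": "gateway.kyma-project.io/v1beta1",
    "kind": "APIRule",
    "metadata": {"name": "orders", "namespace": "demo"},
    "spec": {
        "gateway": "kyma-gateway.kyma-system.svc.cluster.local",
        "host": "orders.example.com",
        "rules": [
            {"path": "/health", "methods": ["GET"],
             "service": {"name": "orders", "port": 8080},
             "accessStrategies": [{"handler": "noop"}]},
            {"path": "/.*", "methods": ["GET", "POST"],
             "accessStrategies": [{"handler": "jwt", "config": {"jwks_urls": ["https://idp.example.com/keys"]}}]},
        ],
    },
}

if __name__ == "__main__":
    print("\n".join(lint_apirule(SAMPLE)))
```

On the sample, the second rule fails the service check because neither spec.service nor rules.service is present, even though the first rule defines its own service.
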
Status:
Parameter | Type | Description |
---|---|---|
APIRuleStatus | object | Describes the status of APIRule. |
APIRuleStatus.code | string | Status code describing APIRule. |
APIRuleStatus.desc | string | Explains the status of APIRule. |
accessRuleStatus | object | Describes the status of ORY Oathkeeper Rule. |
accessRuleStatus.code | string | Status code describing ORY Oathkeeper Rule. |
accessRuleStatus.desc | string | Explains the status of ORY Oathkeeper Rule. |
authorizationPolicyStatus | object | Describes the status of the Istio Authorization Policy subresource. |
authorizationPolicyStatus.code | string | Status code describing the Istio Authorization Policy subresource. |
authorizationPolicyStatus.desc | string | Explains the status of the Istio Authorization Policy subresource. |
lastProcessedTime | string | Indicates the timestamp when the API Gateway controller last processed APIRule. |
observedGeneration | integer | Specifies the generation of the resource that was observed by the API Gateway controller. |
requestAuthenticationStatus | object | Describes the status of the Istio Request Authentication subresource. |
requestAuthenticationStatus.code | string | Status code describing the state of the Istio Request Authentication subresource. |
requestAuthenticationStatus.desc | string | Explains the status of the Istio Request Authentication subresource. |
virtualServiceStatus | object | Describes the status of Istio VirtualService. |
virtualServiceStatus.code | string | Status code describing Istio VirtualService. |
virtualServiceStatus.desc | string | Explains the status of Istio VirtualService. |
APIRule.gateway.kyma-project.io/v1alpha1
CAUTION: Since Kyma 2.5.X, APIRule in version v1alpha1 has been deprecated. Consider using v1beta1.
Spec:
Parameter | Type | Description |
---|---|---|
gateway (required) | string | Specifies the Istio Gateway to be used. |
rules (required) | []object | Represents the array of Oathkeeper access rules to be applied. |
rules.accessStrategies (required) | []object | Specifies the list of access strategies. All strategies listed in Oathkeeper documentation are supported. |
rules.accessStrategies.config | object | Configures the handler. Configuration keys vary per handler. |
rules.accessStrategies.config.jwks_urls | []string | Specifies the array of URLs from which Ory Oathkeeper can retrieve JSON Web Keys for validating JSON Web Tokens. |
rules.accessStrategies.config.trusted_issuers | []string | If the trusted_issuers field is set, the JWT must contain a value for the claim iss that matches exactly (case-sensitive) one of the values of trusted_issuers. |
rules.accessStrategies.handler (required) | string | Specifies the name of the handler. |
rules.methods (required) | []string | Represents the list of allowed HTTP request methods available for the spec.rules.path. |
rules.mutators | []object | Specifies the list of Oathkeeper mutators. |
rules.mutators.config | object | Configures the handler. Configuration keys vary per handler. |
rules.mutators.handler (required) | string | Specifies the name of the handler. |
rules.path (required) | string | Specifies the path of the exposed service. |
service (required) | object | Describes the service to expose. |
service.external | boolean | Defines if the service is internal (in cluster) or external. |
service.host (required) | string | Specifies the URL of the exposed service. |
service.name (required) | string | Specifies the name of the exposed service. |
service.port (required) | integer | Specifies the communication port of the exposed service. |
Status:
Parameter | Type | Description |
---|---|---|
APIRuleStatus | object | Describes the status of APIRule. |
APIRuleStatus.code | string | Status code describing APIRule. |
APIRuleStatus.desc | string | Explains the status of APIRule. |
accessRuleStatus | object | Describes the status of ORY Oathkeeper Rule. |
accessRuleStatus.code | string | Status code describing ORY Oathkeeper Rule. |
accessRuleStatus.desc | string | Explains the status of ORY Oathkeeper Rule. |
lastProcessedTime | string | Indicates the timestamp when the API Gateway controller last processed APIRule. |
observedGeneration | integer | Specifies the generation of the resource that was observed by the API Gateway controller. |
virtualServiceStatus | object | Describes the status of Istio VirtualService. |
virtualServiceStatus.code | string | Status code describing Istio VirtualService. |
virtualServiceStatus.desc | string | Explains the status of Istio VirtualService. |
Status codes
These are the status codes used to describe the VirtualServices and Oathkeeper Access Rules:
Code | Description |
---|---|
OK | Resource created. |
SKIPPED | Skipped creating a resource. |
ERROR | Resource not created. |