Packages:
Package v1alpha1 contains API Schema definitions for the gateway.nginx.org API group.
Resource Types:
AuthenticationFilter configures request authentication and is referenced by HTTPRoute and GRPCRoute filters using ExtensionRef.
| Field | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||||||||
kindstring |
AuthenticationFilter |
||||||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||||
specAuthenticationFilterSpec |
Spec defines the desired state of the AuthenticationFilter.
|
||||||||
statusAuthenticationFilterStatus |
Status defines the state of the AuthenticationFilter. |
ClientSettingsPolicy is an Inherited Attached Policy. It provides a way to configure the behavior of the connection between the client and NGINX Gateway Fabric.
| Field | Description | ||||||
|---|---|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||||||
kindstring |
ClientSettingsPolicy |
||||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
specClientSettingsPolicySpec |
Spec defines the desired state of the ClientSettingsPolicy.
|
||||||
statussigs.k8s.io/gateway-api/apis/v1.PolicyStatus |
Status defines the state of the ClientSettingsPolicy. |
NginxGateway represents the dynamic configuration for an NGINX Gateway Fabric control plane.
| Field | Description | ||
|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||
kindstring |
NginxGateway |
||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||
specNginxGatewaySpec |
NginxGatewaySpec defines the desired state of the NginxGateway.
|
||
statusNginxGatewayStatus |
NginxGatewayStatus defines the state of the NginxGateway. |
ProxySettingsPolicy is an Inherited Attached Policy. It provides a way to configure the behavior of the connection between NGINX Gateway Fabric and the upstream applications (backends).
| Field | Description | ||||||
|---|---|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||||||
kindstring |
ProxySettingsPolicy |
||||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||
specProxySettingsPolicySpec |
Spec defines the desired state of the ProxySettingsPolicy.
|
||||||
statussigs.k8s.io/gateway-api/apis/v1.PolicyStatus |
Status defines the state of the ProxySettingsPolicy. |
RateLimitPolicy is an Inherited Attached Policy. It provides a way to set local rate limiting rules in NGINX.
| Field | Description | ||||
|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||||
kindstring |
RateLimitPolicy |
||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
specRateLimitPolicySpec |
Spec defines the desired state of the RateLimitPolicy.
|
||||
statussigs.k8s.io/gateway-api/apis/v1.PolicyStatus |
Status defines the state of the RateLimitPolicy. |
SnippetsFilter is a filter that allows inserting NGINX configuration into the generated NGINX config for HTTPRoute and GRPCRoute resources.
| Field | Description | ||
|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||
kindstring |
SnippetsFilter |
||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||
specSnippetsFilterSpec |
Spec defines the desired state of the SnippetsFilter.
|
||
statusSnippetsFilterStatus |
Status defines the state of the SnippetsFilter. |
SnippetsPolicy provides a way to inject NGINX snippets into the configuration on Gateway level.
| Field | Description | ||||
|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||||
kindstring |
SnippetsPolicy |
||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
specSnippetsPolicySpec |
Spec defines the desired state of the SnippetsPolicy.
|
||||
statussigs.k8s.io/gateway-api/apis/v1.PolicyStatus |
Status defines the current state of the SnippetsPolicy. |
UpstreamSettingsPolicy is a Direct Attached Policy. It provides a way to configure the behavior of the connection between NGINX and the upstream applications.
| Field | Description | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||||||||||
kindstring |
UpstreamSettingsPolicy |
||||||||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||||||
specUpstreamSettingsPolicySpec |
Spec defines the desired state of the UpstreamSettingsPolicy.
|
||||||||||
statussigs.k8s.io/gateway-api/apis/v1.PolicyStatus |
Status defines the state of the UpstreamSettingsPolicy. |
WAFPolicy is an Inherited Attached Policy. It provides a way to configure F5 WAF for NGINX for Gateways and Routes by referencing compiled WAF policy bundles. Bundles can be fetched directly from an HTTP/HTTPS URL (type: HTTP), from an NGINX Instance Manager instance (type: NIM), or from an F5 NGINX One Console instance (type: N1C).
| Field | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha1
|
||||||||
kindstring |
WAFPolicy |
||||||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||||
specWAFPolicySpec |
Spec defines the desired state of the WAFPolicy.
|
||||||||
statussigs.k8s.io/gateway-api/apis/v1.PolicyStatus |
Status defines the state of the WAFPolicy. |
string alias)¶
(Appears on: AuthenticationFilterSpec)
AuthType defines the authentication mechanism.
| Value | Description |
|---|---|
"Basic" |
AuthTypeBasic is the HTTP Basic Authentication mechanism. |
"JWT" |
AuthTypeJWT is the JWT Authentication mechanism. |
"OIDC" |
AuthTypeOIDC is the OpenID Connect Authentication mechanism. |
string alias)¶
AuthenticationFilterConditionReason is a reason for an AuthenticationFilter condition type.
| Value | Description |
|---|---|
"Accepted" |
AuthenticationFilterConditionReasonAccepted is used with the Accepted condition type when the condition is true. |
"Invalid" |
AuthenticationFilterConditionReasonInvalid is used with the Accepted condition type when the filter is invalid. |
string alias)¶
AuthenticationFilterConditionType is a type of condition associated with AuthenticationFilter.
| Value | Description |
|---|---|
"Accepted" |
AuthenticationFilterConditionTypeAccepted indicates that the AuthenticationFilter is accepted. Possible reasons for this condition to be True: * Accepted Possible reasons for this condition to be False: * Invalid. |
(Appears on: AuthenticationFilter)
AuthenticationFilterSpec defines the desired configuration.
| Field | Description |
|---|---|
basicBasicAuth |
(Optional)
Basic configures HTTP Basic Authentication. |
oidcOIDCAuth |
(Optional)
OIDC configures OpenID Connect Authentication (NGINX Plus). |
jwtJWTAuth |
(Optional)
JWT configures JSON Web Token authentication (NGINX Plus). |
typeAuthType |
Type selects the authentication mechanism. |
(Appears on: AuthenticationFilter)
AuthenticationFilterStatus defines the state of AuthenticationFilter.
| Field | Description |
|---|---|
controllers[]ControllerStatus |
Controllers is a list of Gateway API controllers that processed the AuthenticationFilter and the status of the AuthenticationFilter with respect to each controller. |
(Appears on: AuthenticationFilterSpec)
BasicAuth configures HTTP Basic Authentication.
| Field | Description |
|---|---|
secretRefLocalObjectReference |
SecretRef references a Secret containing credentials in the same namespace. |
realmstring |
Realm used by NGINX |
(Appears on: LogSource, PolicySource)
BundleAuth configures authentication for bundle fetching.
| Field | Description |
|---|---|
secretRefLocalObjectReference |
SecretRef references a Kubernetes Secret in the same namespace as the WAFPolicy. The Secret may contain: - “username” and “password” fields for HTTP Basic Authentication - “token” field for Bearer Token Authentication (NIM) or APIToken Authentication (N1C) |
(Appears on: LogSource, PolicySource)
BundlePolling configures automatic re-fetching of a bundle.
| Field | Description |
|---|---|
intervalKubernetes meta/v1.Duration |
(Optional)
Interval is the period between poll cycles. Defaults to 5m when polling is enabled but no interval is set. |
enabledbool |
(Optional)
Enabled activates periodic re-fetching of the bundle. When true, NGF fetches the bundle on each interval and deploys it only if its checksum differs from the last successfully fetched version. |
(Appears on: LogSource, PolicySource)
BundleValidation configures integrity verification for a bundle. Exactly one of verifyChecksum or expectedChecksum may be set.
| Field | Description |
|---|---|
expectedChecksumstring |
(Optional)
ExpectedChecksum is the expected SHA256 checksum of the bundle. If set, the downloaded bundle must match this checksum or it will be rejected. For N1C sources, the checksum reported by the N1C API is verified automatically; set this field only if you want to enforce an additional, independently known value. |
verifyChecksumbool |
(Optional)
VerifyChecksum enables automatic checksum verification by fetching a companion
checksum file at |
(Appears on: ClientSettingsPolicySpec)
ClientBody contains the settings for the client request body.
| Field | Description |
|---|---|
maxSizeSize |
(Optional)
MaxSize sets the maximum allowed size of the client request body. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. Setting size to 0 disables checking of client request body size. Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size. |
timeoutDuration |
(Optional)
Timeout defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the request is terminated with the 408 (Request Time-out) error. Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout. |
(Appears on: ClientSettingsPolicySpec)
ClientKeepAlive defines the keep-alive settings for clients.
| Field | Description |
|---|---|
requestsint32 |
(Optional)
Requests sets the maximum number of requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed. Closing connections periodically is necessary to free per-connection memory allocations. Therefore, using too high maximum number of requests is not recommended as it can lead to excessive memory usage. Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests. |
timeDuration |
(Optional)
Time defines the maximum time during which requests can be processed through one keep-alive connection. After this time is reached, the connection is closed following the subsequent request processing. Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_time. |
timeoutClientKeepAliveTimeout |
(Optional)
Timeout defines the keep-alive timeouts for clients. |
minTimeoutDuration |
(Optional)
MinTimeout defines the timeout for which the keep-alive client connection will not be closed on the server side for connection reuse or on graceful shutdown of worker processes. Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_min_timeout. |
(Appears on: ClientKeepAlive)
ClientKeepAliveTimeout defines the timeouts related to keep-alive client connections. Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout.
| Field | Description |
|---|---|
serverDuration |
(Optional)
Server sets the timeout during which a keep-alive client connection will stay open on the server side. Setting this value to 0 disables keep-alive client connections. |
headerDuration |
(Optional)
Header sets the timeout in the “Keep-Alive: timeout=time” response header field. |
(Appears on: ClientSettingsPolicy)
ClientSettingsPolicySpec defines the desired state of ClientSettingsPolicy.
| Field | Description |
|---|---|
bodyClientBody |
(Optional)
Body defines the client request body settings. |
keepAliveClientKeepAlive |
(Optional)
KeepAlive defines the keep-alive settings. |
targetRefsigs.k8s.io/gateway-api/apis/v1.LocalPolicyTargetReference |
TargetRef identifies an API object to apply the policy to. Object must be in the same namespace as the policy. Support: Gateway, HTTPRoute, GRPCRoute. |
string alias)¶
(Appears on: Logging)
ControllerLogLevel type defines the logging level for the control plane.
| Value | Description |
|---|---|
"debug" |
ControllerLogLevelDebug is the debug level for control plane logging. |
"error" |
ControllerLogLevelError is the error level for control plane logging. |
"info" |
ControllerLogLevelInfo is the info level for control plane logging. |
(Appears on: AuthenticationFilterStatus, SnippetsFilterStatus)
| Field | Description |
|---|---|
controllerNamesigs.k8s.io/gateway-api/apis/v1.GatewayController |
ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. |
conditions[]Kubernetes meta/v1.Condition |
(Optional)
Conditions describe the status of the SnippetsFilter. |
string alias)¶
(Appears on: LogSource)
DefaultLogProfile identifies a built-in WAF log profile bundle.
| Value | Description |
|---|---|
"log_all" |
DefaultLogProfileAll logs all events. |
"log_blocked" |
DefaultLogProfileBlocked logs blocked events. |
"log_default" |
DefaultLogProfileDefault logs illegal events (equivalent to log_illegal). |
"log_grpc_all" |
DefaultLogProfileGRPCAll logs all gRPC events. |
"log_grpc_blocked" |
DefaultLogProfileGRPCBlocked logs blocked gRPC events. |
"log_grpc_illegal" |
DefaultLogProfileGRPCIllegal logs illegal gRPC events. |
"log_illegal" |
DefaultLogProfileIllegal logs illegal events. |
string alias)¶
(Appears on: ClientBody, ClientKeepAlive, ClientKeepAliveTimeout, JWTAuth, OIDCSessionConfig, ProxyTimeout, UpstreamKeepAlive, DNSResolver, TelemetryExporter)
Duration is a string value representing a duration in time. Duration can be specified in milliseconds (ms), seconds (s), minutes (m), hours (h). A value without a suffix is seconds. Examples: 120s, 50ms, 5m, 1h.
(Appears on: LogSource, PolicySource)
HTTPBundleSource configures direct bundle fetching from an HTTP/HTTPS URL.
| Field | Description |
|---|---|
urlstring |
URL is the full URL of the compiled policy bundle (.tgz), e.g. “https://storage.example.com/bundles/policy.tgz”. |
string alias)¶
(Appears on: UpstreamSettingsPolicySpec)
HashMethodKey defines the key used for hash-based load balancing methods. The key must be a valid NGINX variable name starting with ‘$’ followed by lowercase letters and underscores only. For a full list of NGINX variables, refer to: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#variables
(Appears on: AuthenticationFilterSpec)
JWTAuth configures JWT-based authentication (NGINX Plus).
| Field | Description |
|---|---|
fileJWTFileKeySource |
(Optional)
File specifies local JWKS configuration. Required when Source == File. |
keyCacheDuration |
(Optional)
KeyCache is the cache duration for keys.
Configures |
remoteJWTRemoteKeySource |
(Optional)
Remote specifies remote JWKS configuration. Required when Source == Remote. |
realmstring |
Realm used by NGINX |
sourceJWTKeySource |
Source selects how JWT keys are provided: local file or remote JWKS. |
(Appears on: JWTAuth)
JWTFileKeySource specifies local JWKS key configuration.
| Field | Description |
|---|---|
secretRefLocalObjectReference |
SecretRef references a Secret containing the JWKS. |
string alias)¶
(Appears on: JWTAuth)
JWTKeySource specifies the source of the keys used to verify JWT signatures.
| Value | Description |
|---|---|
"File" |
JWTKeySourceFile configures JWT to fetch JWKS from a local secret. |
"Remote" |
JWTKeySourceRemote configures JWT to fetch JWKS from a remote source. |
(Appears on: JWTAuth)
JWTRemoteKeySource specifies remote JWKS configuration.
| Field | Description |
|---|---|
uristring |
URI is the JWKS endpoint. |
caCertificateRefs[]LocalObjectReference |
(Optional)
CACertificateRefs references a list of secrets containing trusted CA certificates in PEM format used to verify the server certificate of the JWKS endpoint. The referenced secrets must contain an entry with the key “ca.crt”. Only one secret can be referenced currently. If not specified, the system CA bundle is used. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_trusted_certificate |
string alias)¶
(Appears on: UpstreamSettingsPolicySpec)
LoadBalancingType defines the supported load balancing methods.
| Value | Description |
|---|---|
"hash" |
LoadBalancingTypeHash enables generic hash-based load balancing, routing requests to upstream servers based on a hash of a specified key HashMethodKey field must be set when this method is selected. Example configuration: hash $binary_remote_addr;. |
"hash consistent" |
LoadBalancingTypeHashConsistent enables consistent hash-based load balancing, which minimizes the number of keys remapped when a server is added or removed. HashMethodKey field must be set when this method is selected. Example configuration: hash $binary_remote_addr consistent;. |
"ip_hash" |
LoadBalancingTypeIPHash enables IP hash-based load balancing, ensuring requests from the same client IP are routed to the same upstream server. |
"least_conn" |
LoadBalancingTypeLeastConnection enables least-connections load balancing, routing requests to the upstream server with the fewest active connections. |
"least_time header" |
LoadBalancingTypeLeastTimeHeader enables least-time load balancing, routing requests to the upstream server with the least time to receive the response header. |
"least_time header inflight" |
LoadBalancingTypeLeastTimeHeaderInflight enables least-time load balancing, routing requests to the upstream server with the least time to receive the response header, considering the incomplete requests. |
"least_time last_byte" |
LoadBalancingTypeLeastTimeLastByte enables least-time load balancing, routing requests to the upstream server with the least time to receive the full response. |
"least_time last_byte inflight" |
LoadBalancingTypeLeastTimeLastByteInflight enables least-time load balancing, routing requests to the upstream server with the least time to receive the full response, considering the incomplete requests. |
"random" |
LoadBalancingTypeRandom enables random load balancing, routing requests to upstream servers in a random manner. |
"random two" |
LoadBalancingTypeRandomTwo enables a variation of random load balancing that randomly selects two servers and forwards traffic to one of them. The default method is least_conn which passes a request to a server with the least number of active connections. |
"random two least_conn" |
LoadBalancingTypeRandomTwoLeastConnection enables a variation of least-connections balancing that randomly selects two servers and forwards traffic to the one with fewer active connections. |
"random two least_time=header" |
LoadBalancingTypeRandomTwoLeastTimeHeader enables a variation of least-time load balancing that randomly selects two servers and forwards traffic to the one with the least time to receive the response header. |
"random two least_time=last_byte" |
LoadBalancingTypeRandomTwoLeastTimeLastByte enables a variation of least-time load balancing that randomly selects two servers and forwards traffic to the one with the least time to receive the full response. |
"round_robin" |
LoadBalancingTypeRoundRobin enables round-robin load balancing, distributing requests evenly across all upstream servers. |
(Appears on: BasicAuth, BundleAuth, JWTFileKeySource, JWTRemoteKeySource, LogSource, OIDCAuth, PolicySource)
LocalObjectReference specifies a local Kubernetes object.
| Field | Description |
|---|---|
namestring |
Name is the name of the referenced object. |
(Appears on: RateLimit)
LocalRateLimit contains the local rate limit rules.
| Field | Description |
|---|---|
rules[]RateLimitRule |
(Optional)
Rules contains the list of rate limit rules. |
(Appears on: WAFSecurityLog)
LogSource holds all configuration for fetching a WAF log profile bundle. Exactly one of DefaultProfile, HTTPSource, NIMSource, or N1CSource must be set.
| Field | Description |
|---|---|
defaultProfileDefaultLogProfile |
(Optional)
DefaultProfile selects one of the built-in WAF log profile bundles shipped with the WAF engine. Mutually exclusive with HTTPSource, NIMSource, and N1CSource. |
httpSourceHTTPBundleSource |
(Optional)
HTTPSource configures direct bundle fetching from an HTTP/HTTPS URL. Mutually exclusive with DefaultProfile, NIMSource and N1CSource. |
nimSourceNIMLogProfileBundleSource |
(Optional)
NIMSource configures bundle fetching from NGINX Instance Manager. Mutually exclusive with DefaultProfile, HTTPSource and N1CSource. |
n1cSourceN1CLogProfileBundleSource |
(Optional)
N1CSource configures bundle fetching from F5 NGINX One Console. Mutually exclusive with DefaultProfile, HTTPSource, and NIMSource. |
authBundleAuth |
(Optional)
Auth configures authentication credentials for fetching the log bundle. Only applicable when url is set. |
tlsSecretLocalObjectReference |
(Optional)
TLSSecretRef references a Secret containing a custom CA certificate (key: “ca.crt”). Only applicable when url is set. |
validationBundleValidation |
(Optional)
Validation configures integrity verification for the downloaded log bundle. Only applicable when url is set. |
pollingBundlePolling |
(Optional)
Polling configures automatic periodic re-fetching of the log bundle. Only applicable when url is set. |
timeoutKubernetes meta/v1.Duration |
(Optional)
Timeout is the maximum duration for a single log bundle fetch attempt. Defaults to 30s when not set. Only applicable when url is set. |
retryAttemptsint32 |
RetryAttempts is the maximum number of additional fetch attempts on transient failures (network errors, HTTP 5xx). Set to 0 to disable retries. Defaults to 3. Non-transient errors (HTTP 4xx, checksum mismatch) are never retried. Only applicable when url is set. |
insecureSkipVerifybool |
(Optional)
InsecureSkipVerify disables TLS certificate verification when fetching the bundle. Not recommended for production use. |
(Appears on: NginxGatewaySpec)
Logging defines logging related settings for the control plane.
| Field | Description |
|---|---|
levelControllerLogLevel |
(Optional)
Level defines the logging level. |
(Appears on: PolicySource)
N1CBundleSource configures bundle fetching from F5 NGINX One Console (N1C). Exactly one of policyName or policyObjectID must be set.
| Field | Description |
|---|---|
policyNamestring |
(Optional)
PolicyName is the name of the security policy in N1C. Mutually exclusive with policyObjectID. |
policyObjectIDstring |
(Optional)
PolicyObjectID is the unique object identifier of the security policy in N1C (e.g. “pol_-IUuEUN7ST63oRC7AlQPLw”). Mutually exclusive with policyName. |
policyVersionIDstring |
(Optional)
PolicyVersionID pins a specific version of the policy bundle using its opaque version ID (e.g. “pv_UJ2gL5fOQ3Gnb3OVuVo1XA”). When omitted, the latest available version is used. |
urlstring |
URL is the base URL of the F5 NGINX One Console instance,
e.g. “https:// |
namespacestring |
Namespace is the NGINX One Console namespace that owns the security policy. |
(Appears on: LogSource)
N1CLogProfileBundleSource configures log profile bundle fetching from F5 NGINX One Console (N1C). Exactly one of profileName or profileObjectID must be set.
| Field | Description |
|---|---|
profileNamestring |
ProfileName is the name of the log profile in N1C that corresponds to the log profile bundle. |
profileObjectIDstring |
ProfileObjectID is the unique object identifier of the log profile in N1C (e.g. “lp_8s8uZxLpThWwEGF7LTn_rA”) that corresponds to the log profile bundle. |
urlstring |
URL is the base URL of the F5 NGINX One Console instance,
e.g. “https:// |
namespacestring |
Namespace is the NGINX One Console namespace that owns the log profile. |
(Appears on: PolicySource)
NIMBundleSource configures bundle fetching from NGINX Instance Manager (NIM). Exactly one of policyName or policyUID must be set.
| Field | Description |
|---|---|
policyNamestring |
(Optional)
PolicyName is the name of the compiled policy bundle in NIM. Mutually exclusive with policyUID. |
policyUIDstring |
(Optional)
PolicyUID is the unique identifier of the compiled policy bundle in NIM. Mutually exclusive with policyName. Must be a valid UUID (e.g. “2bc1e3ac-7990-4ca4-910a-8634c444c804”). |
urlstring |
URL is the base URL of the NGINX Instance Manager instance, e.g. “https://nim.example.com”. |
(Appears on: LogSource)
NIMLogProfileBundleSource configures log profile bundle fetching from NGINX Instance Manager (NIM).
| Field | Description |
|---|---|
profileNamestring |
ProfileName is the name of the compiled log profile bundle in NIM. |
urlstring |
URL is the base URL of the NGINX Instance Manager instance, e.g. “https://nim.example.com”. |
string alias)¶
(Appears on: Snippet)
NginxContext represents the NGINX configuration context.
| Value | Description |
|---|---|
"http" |
NginxContextHTTP is the http context of the NGINX configuration. https://nginx.org/en/docs/http/ngx_http_core_module.html#http |
"http.server" |
NginxContextHTTPServer is the server context of the NGINX configuration. https://nginx.org/en/docs/http/ngx_http_core_module.html#server |
"http.server.location" |
NginxContextHTTPServerLocation is the location context of the NGINX configuration. https://nginx.org/en/docs/http/ngx_http_core_module.html#location |
"main" |
NginxContextMain is the main context of the NGINX configuration. |
string alias)¶
NginxGatewayConditionReason defines the set of reasons that explain why a particular NginxGateway condition type has been raised.
| Value | Description |
|---|---|
"Invalid" |
NginxGatewayReasonInvalid is a reason that is used with the “Valid” condition when the condition is False. |
"Valid" |
NginxGatewayReasonValid is a reason that is used with the “Valid” condition when the condition is True. |
string alias)¶
NginxGatewayConditionType is a type of condition associated with an NginxGateway. This type should be used with the NginxGatewayStatus.Conditions field.
| Value | Description |
|---|---|
"Valid" |
NginxGatewayConditionValid is a condition that is true when the NginxGateway configuration is syntactically and semantically valid. |
(Appears on: NginxGateway)
NginxGatewaySpec defines the desired state of the NginxGateway.
| Field | Description |
|---|---|
loggingLogging |
(Optional)
Logging defines logging related settings for the control plane. |
(Appears on: NginxGateway)
NginxGatewayStatus defines the state of the NginxGateway.
| Field | Description |
|---|---|
conditions[]Kubernetes meta/v1.Condition |
(Optional) |
(Appears on: AuthenticationFilterSpec)
OIDCAuth configures OpenID Connect Authentication. Only available for NGINX Plus users.
| Field | Description |
|---|---|
crlSecretRefLocalObjectReference |
(Optional)
CRLSecretRef references a Secret containing a certificate revocation list in PEM format. The referenced Secret must contain an entry with the key “ca.crl”. This is used to verify that certificates presented by the OpenID Provider endpoints have not been revoked. |
configURLstring |
(Optional)
ConfigURL sets a custom URL to retrieve the OpenID Provider metadata.
Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#config_url
NGINX Default: |
pkcebool |
(Optional)
PKCE enables Proof Key for Code Exchange (PKCE) for the authentication flow. If nil, NGINX automatically enables PKCE when the OpenID Provider requires it. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#pkce |
extraAuthArgsmap[string]string |
(Optional)
ExtraAuthArgs sets additional query arguments for the authentication request URL. Arguments are appended with “&”. For example: “prompt=consent&audience=api”. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#extra_auth_args |
sessionOIDCSessionConfig |
(Optional)
Session configures session management for OIDC authentication. |
logoutOIDCLogoutConfig |
(Optional)
Logout defines the logout behavior for OIDC authentication. |
redirectURIstring |
(Optional)
RedirectURI sets a custom redirect URI for the OIDC callback.
If a path-only URI is specified, a callback location block is created to handle the redirect from the OIDC provider.
If a full URI is specified, it points to an external callback handler; no location block is created.
If not specified, defaults to /oidccallback |
issuerstring |
Issuer is the URL of the OpenID Provider. Must exactly match the “issuer” value from the provider’s .well-known/openid-configuration endpoint. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#issuer Examples: - Keycloak: “https://keycloak.example.com/realms/my-realm” - Okta: “https://dev-123456.okta.com/oauth2/default” - Auth0: “https://my-tenant.auth0.com/” |
clientIDstring |
ClientID is the client identifier registered with the OpenID Provider. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#client_id |
clientSecretRefLocalObjectReference |
ClientSecretRef references a Kubernetes secret which contains the OIDC client secret to be used in the Authentication Request: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest. The referenced Secret must contain an entry with the key “client-secret”. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#client_secret |
caCertificateRefs[]LocalObjectReference |
(Optional)
CACertificateRefs references a list of secrets containing trusted CA certificates in PEM format used to verify the certificates of the OpenID Provider endpoints. The referenced secrets must contain an entry with the key “ca.crt”. Only one secret can be referenced currently. If not specified, the system CA bundle is used. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#ssl_trusted_certificate NGINX Default: system CA bundle |
(Appears on: OIDCAuth)
OIDCLogoutConfig defines the logout behavior for OIDC authentication.
| Field | Description |
|---|---|
uristring |
(Optional)
URI defines the path for initiating session logout. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#logout_uri Example: /logout |
postLogoutURIstring |
(Optional)
PostLogoutURI defines the URI to redirect to after logout. Must match the configuration on the provider’s side. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#post_logout_uri Example: /after_logout, https://example.com/after_logout |
frontChannelLogoutURIstring |
(Optional)
FrontChannelLogoutURI defines the path for front-channel logout. The OpenID Provider should be configured to set “iss” and “sid” arguments. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#frontchannel_logout_uri Example: /frontchannel_logout |
tokenHintbool |
(Optional)
TokenHint adds the id_token_hint argument to the provider’s Logout Endpoint. Some OpenID Providers require this. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#logout_token_hint NGINX Default: false |
(Appears on: OIDCAuth)
OIDCSessionConfig configures session management for OIDC authentication.
| Field | Description |
|---|---|
cookieNamestring |
(Optional)
CookieName sets the name of the session cookie. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#cookie_name NGINX Default: NGX_OIDC_SESSION |
timeoutDuration |
(Optional)
Timeout sets the session timeout duration. Directive: https://nginx.org/en/docs/http/ngx_http_oidc_module.html#session_timeout NGINX Default: 8h |
(Appears on: WAFPolicySpec)
PolicySource holds all configuration for fetching a WAF policy bundle.
| Field | Description |
|---|---|
httpSourceHTTPBundleSource |
(Optional)
HTTPSource configures direct bundle fetching from an HTTP/HTTPS URL. Required when type is HTTP; must not be set for other types. |
nimSourceNIMBundleSource |
(Optional)
NIMSource configures bundle fetching from NGINX Instance Manager. Required when type is NIM; must not be set for other types. |
n1cSourceN1CBundleSource |
(Optional)
N1CSource configures bundle fetching from F5 NGINX One Console. Required when type is N1C; must not be set for other types. |
authBundleAuth |
(Optional)
Auth configures authentication credentials for fetching the bundle. |
tlsSecretLocalObjectReference |
(Optional)
TLSSecretRef references a Secret containing a custom CA certificate (key: “ca.crt”) for verifying the bundle server’s TLS certificate. |
validationBundleValidation |
(Optional)
Validation configures integrity verification for the downloaded bundle. |
pollingBundlePolling |
(Optional)
Polling configures automatic periodic re-fetching of the bundle. |
timeoutKubernetes meta/v1.Duration |
(Optional)
Timeout is the maximum duration for a single bundle fetch attempt. Defaults to 30s when not set. |
retryAttemptsint32 |
RetryAttempts is the maximum number of additional fetch attempts on transient failures (network errors, HTTP 5xx). Set to 0 to disable retries. Defaults to 3. Non-transient errors (HTTP 4xx, checksum mismatch) are never retried. |
insecureSkipVerifybool |
(Optional)
InsecureSkipVerify disables TLS certificate verification when fetching the bundle. Not recommended for production use. |
string alias)¶
(Appears on: WAFPolicySpec)
PolicySourceType identifies the source type for a WAF bundle.
| Value | Description |
|---|---|
"HTTP" |
PolicySourceTypeHTTP fetches a compiled .tgz bundle directly from an HTTP/HTTPS URL. |
"N1C" |
PolicySourceTypeN1C fetches a compiled bundle from the F5 NGINX One Console security policies API.
Requires managedSource.n1cNamespace in addition to managedSource.policyName.
Authentication uses the APIToken scheme: the “token” key from the referenced Secret is sent as
“Authorization: APIToken |
"NIM" |
PolicySourceTypeNIM fetches a compiled bundle from the NGINX Instance Manager security policies API. |
(Appears on: ProxySettingsPolicySpec)
ProxyBuffering contains the settings for proxy buffering.
| Field | Description |
|---|---|
disablebool |
(Optional)
Disable enables or disables buffering of responses from the proxied server. If Disable is true, buffering is disabled. If Disable is false, or if Disable is not set, buffering is enabled. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering |
bufferSizeSize |
(Optional)
BufferSize sets the size of the buffer used for reading the first part of the response received from the proxied server. This part usually contains a small response header. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size |
buffersProxyBuffers |
(Optional)
Buffers sets the number and size of buffers used for reading a response from the proxied server, for a single connection. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers |
busyBuffersSizeSize |
(Optional)
BusyBuffersSize sets the total size of buffers that can be busy sending a response to the client, while the response is not yet fully read. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_busy_buffers_size |
(Appears on: ProxyBuffering)
ProxyBuffers defines the number and size of the proxy buffers.
| Field | Description |
|---|---|
sizeSize |
Size sets the size of each buffer. |
numberint32 |
Number sets the number of buffers. |
(Appears on: ProxySettingsPolicy)
ProxySettingsPolicySpec defines the desired state of the ProxySettingsPolicy.
| Field | Description |
|---|---|
bufferingProxyBuffering |
(Optional)
Buffering configures the buffering of responses from the proxied server. |
timeoutProxyTimeout |
(Optional)
Timeout configures timeouts for the connection to the proxied server. |
targetRefs[]sigs.k8s.io/gateway-api/apis/v1.LocalPolicyTargetReference |
TargetRefs identifies the API object(s) to apply the policy to. Objects must be in the same namespace as the policy. Support: Gateway, HTTPRoute, GRPCRoute |
(Appears on: ProxySettingsPolicySpec)
ProxyTimeout defines timeout settings for the connection to the proxied server.
| Field | Description |
|---|---|
connectDuration |
(Optional)
Connect sets the timeout for establishing a connection with the proxied server. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout |
readDuration |
(Optional)
Read sets the timeout for reading a response from the proxied server. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout |
sendDuration |
(Optional)
Send sets the timeout for transmitting a request to the proxied server. Directive: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout |
string alias)¶
(Appears on: RateLimitRule)
Rate is a string value representing a rate. Rate can be specified in r/s or r/m.
(Appears on: RateLimitPolicySpec)
RateLimit contains settings for Rate Limiting.
| Field | Description |
|---|---|
localLocalRateLimit |
(Optional)
Local defines the local rate limit rules for this policy. |
dryRunbool |
(Optional)
DryRun enables the dry run mode. In this mode, the rate limit is not actually applied, but the number of excessive requests is accounted as usual in the shared memory zone. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_dry_run |
logLevelRateLimitLogLevel |
(Optional)
LogLevel sets the desired logging level for cases when the server refuses to process requests due to rate exceeding, or delays request processing. Allowed values are info, notice, warn or error. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_log_level |
rejectCodeint32 |
(Optional)
RejectCode sets the status code to return in response to rejected requests. Must fall into the range 400-599. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status |
string alias)¶
(Appears on: RateLimit)
RateLimitLogLevel defines the log level for cases when the server refuses to process requests due to rate exceeding, or delays request processing.
| Value | Description |
|---|---|
"error" |
RateLimitLogLevelError is the error level rate limit logs. |
"info" |
RateLimitLogLevelInfo is the info level rate limit logs. |
"notice" |
RateLimitLogLevelNotice is the notice level rate limit logs. |
"warn" |
RateLimitLogLevelWarn is the warn level rate limit logs. |
(Appears on: RateLimitPolicy)
RateLimitPolicySpec defines the desired state of the RateLimitPolicy.
| Field | Description |
|---|---|
rateLimitRateLimit |
(Optional)
RateLimit defines the Rate Limit settings. |
targetRefs[]sigs.k8s.io/gateway-api/apis/v1.LocalPolicyTargetReference |
TargetRefs identifies API object(s) to apply the policy to. Objects must be in the same namespace as the policy. Support: Gateway, HTTPRoute, GRPCRoute |
(Appears on: LocalRateLimit)
RateLimitRule contains settings for a RateLimit Rule.
| Field | Description |
|---|---|
zoneSizeSize |
(Optional)
ZoneSize is the size of the shared memory zone. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone |
delayint32 |
(Optional)
Delay specifies a limit at which excessive requests become delayed. Default value is zero, which means all excessive requests are delayed. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req |
noDelaybool |
(Optional)
NoDelay disables the delaying of excessive requests while requests are being limited. NoDelay cannot be true when Delay is also set. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req |
burstint32 |
(Optional)
Burst sets the maximum burst size of requests. If the requests rate exceeds the rate configured for a zone, their processing is delayed such that requests are processed at a defined rate. Excessive requests are delayed until their number exceeds the maximum burst size in which case the request is terminated with an error. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req |
rateRate |
Rate represents the rate of requests permitted. The rate is specified in requests per second (r/s) or requests per minute (r/m). Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone |
keystring |
Key represents the key to which the rate limit is applied. The key can contain text, variables, and their combination. Directive: https://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone |
(Appears on: WAFSecurityLog)
SecurityLogDestination defines the destination for security logs.
| Field | Description |
|---|---|
fileSecurityLogFile |
(Optional)
File defines the file destination configuration. Only valid when type is “file”. |
syslogSecurityLogSyslog |
(Optional)
Syslog defines the syslog destination configuration. Only valid when type is “syslog”. |
typeSecurityLogDestinationType |
Type identifies the type of security log destination. |
string alias)¶
(Appears on: SecurityLogDestination)
SecurityLogDestinationType defines the supported security log destination types.
| Value | Description |
|---|---|
"file" |
SecurityLogDestinationTypeFile writes logs to a specified file path. |
"stderr" |
SecurityLogDestinationTypeStderr outputs logs to container stderr. |
"syslog" |
SecurityLogDestinationTypeSyslog sends logs to a syslog server via TCP. |
(Appears on: SecurityLogDestination)
SecurityLogFile defines the file destination configuration for security logs.
| Field | Description |
|---|---|
pathstring |
Path is the file path where security logs will be written. Must be accessible to the waf-enforcer container. |
(Appears on: SecurityLogDestination)
SecurityLogSyslog defines the syslog destination configuration for security logs.
| Field | Description |
|---|---|
serverstring |
Server is the syslog server address in the format “host:port”. |
string alias)¶
(Appears on: ClientBody, ProxyBuffering, ProxyBuffers, RateLimitRule, UpstreamSettingsPolicySpec)
Size is a string value representing a size. Size can be specified in bytes, kilobytes (k), megabytes (m), or gigabytes (g). Examples: 1024, 8k, 1m.
(Appears on: SnippetsFilterSpec, SnippetsPolicySpec)
Snippet represents an NGINX configuration snippet.
| Field | Description |
|---|---|
contextNginxContext |
Context is the NGINX context to insert the snippet into. |
valuestring |
Value is the NGINX configuration snippet. |
string alias)¶
SnippetsFilterConditionReason is a reason for a SnippetsFilter condition type.
| Value | Description |
|---|---|
"Accepted" |
SnippetsFilterConditionReasonAccepted is used with the Accepted condition type when the condition is true. |
"Invalid" |
SnippetsFilterConditionReasonInvalid is used with the Accepted condition type when SnippetsFilter is invalid. |
string alias)¶
SnippetsFilterConditionType is a type of condition associated with SnippetsFilter.
| Value | Description |
|---|---|
"Accepted" |
SnippetsFilterConditionTypeAccepted indicates that the SnippetsFilter is accepted. Possible reasons for this condition to be True:
Possible reasons for this condition to be False:
|
(Appears on: SnippetsFilter)
SnippetsFilterSpec defines the desired state of the SnippetsFilter.
| Field | Description |
|---|---|
snippets[]Snippet |
Snippets is a list of NGINX configuration snippets. There can only be one snippet per context. Allowed contexts: main, http, http.server, http.server.location. |
(Appears on: SnippetsFilter)
SnippetsFilterStatus defines the state of SnippetsFilter.
| Field | Description |
|---|---|
controllers[]ControllerStatus |
Controllers is a list of Gateway API controllers that processed the SnippetsFilter and the status of the SnippetsFilter with respect to each controller. |
(Appears on: SnippetsPolicy)
SnippetsPolicySpec defines the desired state of the SnippetsPolicy.
| Field | Description |
|---|---|
targetRefs[]sigs.k8s.io/gateway-api/apis/v1.LocalPolicyTargetReference |
TargetRefs identifies API object(s) to apply the policy to. |
snippets[]Snippet |
(Optional)
Snippets is a list of snippets to be injected into the NGINX configuration. |
(Appears on: Telemetry, Tracing)
SpanAttribute is a key value pair to be added to a tracing span.
| Field | Description |
|---|---|
keystring |
Key is the key for a span attribute. Format: must have all ‘“’ escaped and must not contain any ‘$’ or end with an unescaped ‘\’ |
valuestring |
Value is the value for a span attribute. Format: must have all ‘“’ escaped and must not contain any ‘$’ or end with an unescaped ‘\’ |
(Appears on: UpstreamSettingsPolicySpec)
UpstreamKeepAlive defines the keep-alive settings for upstreams.
| Field | Description |
|---|---|
connectionsint32 |
(Optional)
Connections sets the maximum number of idle keep-alive connections to upstream servers that are preserved in the cache of each nginx worker process. When this number is exceeded, the least recently used connections are closed. The keepAlive directive for upstreams defaults to 16. To override this value, set the connections field. To disable the keepAlive directive, set connections to 0. Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive |
requestsint32 |
(Optional)
Requests sets the maximum number of requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed. Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_requests |
timeDuration |
(Optional)
Time defines the maximum time during which requests can be processed through one keep-alive connection. After this time is reached, the connection is closed following the subsequent request processing. Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_time |
timeoutDuration |
(Optional)
Timeout defines the keep-alive timeout for upstreams. Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive_timeout |
(Appears on: UpstreamSettingsPolicy)
UpstreamSettingsPolicySpec defines the desired state of the UpstreamSettingsPolicy.
| Field | Description |
|---|---|
zoneSizeSize |
(Optional)
ZoneSize is the size of the shared memory zone used by the upstream. This memory zone is used to share the upstream configuration between nginx worker processes. The more servers that an upstream has, the larger memory zone is required. Default: OSS: 512k, Plus: 1m. Directive: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone |
keepAliveUpstreamKeepAlive |
(Optional)
KeepAlive defines the keep-alive settings. |
loadBalancingMethodLoadBalancingType |
(Optional)
LoadBalancingMethod specifies the load balancing algorithm to be used for the upstream.
If not specified, NGINX Gateway Fabric defaults to |
hashMethodKeyHashMethodKey |
(Optional)
HashMethodKey defines the key used for hash-based load balancing methods.
This field is required when |
targetRefs[]sigs.k8s.io/gateway-api/apis/v1.LocalPolicyTargetReference |
TargetRefs identifies API object(s) to apply the policy to. Objects must be in the same namespace as the policy. Support: Service TargetRefs must be distinct. The |
(Appears on: WAFPolicy)
WAFPolicySpec defines the desired state of a WAFPolicy.
| Field | Description |
|---|---|
targetRefs[]sigs.k8s.io/gateway-api/apis/v1.LocalPolicyTargetReference |
TargetRefs identifies API object(s) to apply the policy to. Objects must be in the same namespace as the policy. All targets must be of the same Kind (all Gateways OR all HTTPRoutes OR all GRPCRoutes). Support: Gateway, HTTPRoute, GRPCRoute. |
typePolicySourceType |
Type identifies the source type for the policy bundle. HTTP fetches directly from a URL; NIM uses the NGINX Instance Manager bundles API; N1C uses the F5 NGINX One Console security policies API. |
policySourcePolicySource |
PolicySource holds all policy bundle fetch configuration. |
securityLogs[]WAFSecurityLog |
(Optional)
SecurityLogs defines security logging configurations. |
(Appears on: WAFPolicySpec)
WAFSecurityLog defines security logging configuration for app_protect_security_log directives. Exactly one of logSource.defaultProfile, logSource.httpSource, logSource.nimSource, or logSource.n1cSource must be set.
| Field | Description |
|---|---|
logSourceLogSource |
LogSource configures the log profile bundle source for this log entry. Exactly one of url or defaultProfile must be set. |
destinationSecurityLogDestination |
Destination defines where security logs are sent. |
Package v1alpha2 contains API Schema definitions for the gateway.nginx.org API group.
Resource Types:
NginxProxy is a configuration object that can be referenced from a GatewayClass parametersRef or a Gateway infrastructure.parametersRef. It provides a way to configure data plane settings. If referenced from a GatewayClass, the settings apply to all Gateways attached to the GatewayClass. If referenced from a Gateway, the settings apply to that Gateway alone. If both a Gateway and its GatewayClass reference an NginxProxy, the settings are merged. Settings specified on the Gateway NginxProxy override those set on the GatewayClass NginxProxy.
| Field | Description | ||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha2
|
||||||||||||||||||||||||||
kindstring |
NginxProxy |
||||||||||||||||||||||||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||||||||||||||||||||||||
specNginxProxySpec |
Spec defines the desired state of the NginxProxy.
|
ObservabilityPolicy is a Direct Attached Policy. It provides a way to configure observability settings for the NGINX Gateway Fabric data plane. Used in conjunction with the NginxProxy CRD that is attached to the GatewayClass parametersRef.
| Field | Description | ||||
|---|---|---|---|---|---|
apiVersionstring |
gateway.nginx.org/v1alpha2
|
||||
kindstring |
ObservabilityPolicy |
||||
metadataKubernetes meta/v1.ObjectMeta |
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
||||
specObservabilityPolicySpec |
Spec defines the desired state of the ObservabilityPolicy.
|
||||
statussigs.k8s.io/gateway-api/apis/v1.PolicyStatus |
Status defines the state of the ObservabilityPolicy. |
string alias)¶
(Appears on: NginxLogging)
AgentLevel defines the log level of the NGINX agent process.
| Value | Description |
|---|---|
"debug" |
AgentLogLevelDebug is the debug level NGINX agent logs. |
"error" |
AgentLogLevelError is the error level NGINX agent logs. |
"fatal" |
AgentLogLevelFatal is the fatal level NGINX agent logs. |
"info" |
AgentLogLevelInfo is the info level NGINX agent logs. |
"panic" |
AgentLogLevelPanic is the panic level NGINX agent logs. |
(Appears on: DeploymentSpec)
AutoscalingSpec is the configuration for the Horizontal Pod Autoscaling.
| Field | Description |
|---|---|
behaviorKubernetes autoscaling/v2.HorizontalPodAutoscalerBehavior |
(Optional)
Behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used. |
targetCPUUtilizationPercentageint32 |
(Optional)
Target cpu utilization percentage of HPA. |
targetMemoryUtilizationPercentageint32 |
(Optional)
Target memory utilization percentage of HPA. |
minReplicasint32 |
(Optional)
Minimum number of replicas. |
metrics[]Kubernetes autoscaling/v2.MetricSpec |
(Optional)
Metrics configures additional metrics options. |
maxReplicasint32 |
Maximum number of replicas. |
enablebool |
Enable or disable Horizontal Pod Autoscaler. |
(Appears on: DaemonSetSpec, DeploymentSpec)
ContainerSpec defines container fields for the NGINX container.
| Field | Description |
|---|---|
debugbool |
(Optional)
Debug enables debugging for NGINX by using the nginx-debug binary. |
imageImage |
(Optional)
Image is the NGINX image to use. |
resourcesKubernetes core/v1.ResourceRequirements |
(Optional)
Resources describes the compute resource requirements. |
lifecycleKubernetes core/v1.Lifecycle |
(Optional)
Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted. |
readinessProbeReadinessProbeSpec |
(Optional)
ReadinessProbe defines the readiness probe for the NGINX container. |
hostPorts[]HostPort |
(Optional)
HostPorts are the list of ports to expose on the host. |
volumeMounts[]Kubernetes core/v1.VolumeMount |
(Optional)
VolumeMounts describe the mounting of Volumes within a container. |
(Appears on: NginxProxySpec)
DNSResolver specifies the DNS resolver configuration for NGINX. This enables dynamic DNS resolution for ExternalName Services. Corresponds to the NGINX resolver directive: https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
| Field | Description |
|---|---|
timeoutDuration |
(Optional)
Timeout specifies the timeout for name resolution. |
cacheTTLDuration |
(Optional)
CacheTTL specifies how long to cache DNS responses. |
disableIPv6bool |
(Optional)
DisableIPv6 disables IPv6 lookups. If not specified, or set to false, IPv6 lookups will be enabled. |
addresses[]DNSResolverAddress |
Addresses specifies the list of DNS server addresses. Each address can be an IP address or hostname. Example: [{“type”: “IPAddress”, “value”: “8.8.8.8”}, {“type”: “Hostname”, “value”: “dns.google”}] |
(Appears on: DNSResolver)
DNSResolverAddress specifies the address type and value for a DNS resolver address.
| Field | Description |
|---|---|
typeDNSResolverAddressType |
Type specifies the type of address. |
valuestring |
Value specifies the address value. When Type is “IPAddress”, this must be a valid IPv4 or IPv6 address. When Type is “Hostname”, this must be a valid hostname. |
string alias)¶
(Appears on: DNSResolverAddress)
DNSResolverAddressType specifies the type of DNS resolver address.
| Value | Description |
|---|---|
"Hostname" |
DNSResolverHostnameType specifies that the address is a hostname. |
"IPAddress" |
DNSResolverIPAddressType specifies that the address is an IP address. |
(Appears on: KubernetesSpec)
DaemonSet is the configuration for the NGINX DaemonSet.
| Field | Description |
|---|---|
containerContainerSpec |
(Optional)
Container defines container fields for the NGINX container. |
wafContainersWAFContainerSpec |
(Optional)
WAFContainers defines container specifications for NGINX App Protect WAF v5 containers. These containers are only deployed when WAF is enabled in the NginxProxy spec. |
podPodSpec |
(Optional)
Pod defines Pod-specific fields. |
patches[]Patch |
(Optional)
Patches are custom patches to apply to the NGINX DaemonSet. |
(Appears on: KubernetesSpec)
Deployment is the configuration for the NGINX Deployment.
| Field | Description |
|---|---|
replicasint32 |
(Optional)
Number of desired Pods. |
autoscalingAutoscalingSpec |
(Optional)
Autoscaling defines the configuration for Horizontal Pod Autoscaling. |
wafContainersWAFContainerSpec |
(Optional)
WAFContainers defines container specifications for NGINX App Protect WAF v5 containers. These containers are only deployed when WAF is enabled in the NginxProxy spec. |
podPodSpec |
(Optional)
Pod defines Pod-specific fields. |
containerContainerSpec |
(Optional)
Container defines container fields for the NGINX container. |
patches[]Patch |
(Optional)
Patches are custom patches to apply to the NGINX Deployment. |
string alias)¶
(Appears on: Telemetry)
DisableTelemetryFeature is a telemetry feature that can be disabled.
| Value | Description |
|---|---|
"DisableTracing" |
DisableTracing disables the OpenTelemetry tracing feature. |
string alias)¶
(Appears on: ServiceSpec)
ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, and LoadBalancer IPs).
| Value | Description |
|---|---|
"Cluster" |
ExternalTrafficPolicyCluster routes traffic to all endpoints. |
"Local" |
ExternalTrafficPolicyLocal preserves the source IP of the traffic by routing only to endpoints on the same node as the traffic was received on (dropping the traffic if there are no local endpoints). |
(Appears on: ContainerSpec)
HostPort exposes an nginx container port on the host.
| Field | Description |
|---|---|
portint32 |
Port to expose on the host. |
containerPortint32 |
ContainerPort is the port on the nginx container to map to the HostPort. |
string alias)¶
(Appears on: NginxProxySpec)
IPFamilyType specifies the IP family to be used by NGINX.
| Value | Description |
|---|---|
"dual" |
Dual specifies that NGINX will use both IPv4 and IPv6. |
"ipv4" |
IPv4 specifies that NGINX will use only IPv4. |
"ipv6" |
IPv6 specifies that NGINX will use only IPv6. |
(Appears on: ContainerSpec, WAFContainerConfig)
Image is the NGINX image to use.
| Field | Description |
|---|---|
repositorystring |
(Optional)
Repository is the image path. Default is ghcr.io/nginx/nginx-gateway-fabric/nginx. |
tagstring |
(Optional)
Tag is the image tag to use. Default matches the tag of the control plane. |
pullPolicyPullPolicy |
(Optional)
PullPolicy describes a policy for if/when to pull a container image. |
(Appears on: NginxProxySpec)
KubernetesSpec contains the configuration for the NGINX Deployment and Service Kubernetes objects.
| Field | Description |
|---|---|
deploymentDeploymentSpec |
(Optional)
Deployment is the configuration for the NGINX Deployment. This is the default deployment option. |
daemonSetDaemonSetSpec |
(Optional)
DaemonSet is the configuration for the NGINX DaemonSet. |
serviceServiceSpec |
(Optional)
Service is the configuration for the NGINX Service. |
(Appears on: NginxProxySpec)
Metrics defines the configuration for Prometheus scraping metrics.
| Field | Description |
|---|---|
portint32 |
(Optional)
Port where the Prometheus metrics are exposed. |
disablebool |
(Optional)
Disable serving Prometheus metrics on the listen port. |
(Appears on: NginxLogging)
NginxAccessLog defines the configuration for an NGINX access log.
| Field | Description |
|---|---|
disablebool |
(Optional)
Disable turns off access logging when set to true. |
formatstring |
(Optional)
Format specifies the custom log format string. If not specified, NGINX default ‘combined’ format is used. For now only path /dev/stdout can be used. See https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format |
escapeNginxAccessLogEscapeType |
(Optional)
Escape specifies how to escape characters in variables for access log. Possible values are: default, json, none. If not specified, ‘default’ escaping is used. See https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format |
string alias)¶
(Appears on: NginxAccessLog)
NginxAccessLogEscapeType defines the escape setting for variables in access log format.
| Value | Description |
|---|---|
"default" |
NginxAccessLogEscapeDefault specifies that characters ‘\“’, ‘\’, and other characters with values less than 32 or above 126 are escaped as ‘\xXX’. |
"json" |
NginxAccessLogEscapeJSON specifies that all characters not allowed in JSON strings are escaped. Characters ‘\“’ and ‘\’ are escaped as ‘\”’ and ‘\’, characters with values less than 32 are escaped as ‘\n’, ‘\r’, ‘\t’, ‘\b’, ‘\f’, or ‘\u00XX’. |
"none" |
NginxAccessLogEscapeNone disables escaping of characters. |
string alias)¶
(Appears on: NginxLogging)
NginxErrorLogLevel type defines the log level of error logs for NGINX.
| Value | Description |
|---|---|
"alert" |
NginxLogLevelAlert is the alert level for NGINX error logs. |
"crit" |
NginxLogLevelCrit is the crit level for NGINX error logs. |
"debug" |
NginxLogLevelDebug is the debug level for NGINX error logs. |
"emerg" |
NginxLogLevelEmerg is the emerg level for NGINX error logs. |
"error" |
NginxLogLevelError is the error level for NGINX error logs. |
"info" |
NginxLogLevelInfo is the info level for NGINX error logs. |
"notice" |
NginxLogLevelNotice is the notice level for NGINX error logs. |
"warn" |
NginxLogLevelWarn is the warn level for NGINX error logs. |
(Appears on: NginxProxySpec)
NginxLogging defines logging related settings for NGINX.
| Field | Description |
|---|---|
errorLevelNginxErrorLogLevel |
(Optional)
ErrorLevel defines the error log level. Possible log levels listed in order of increasing severity are debug, info, notice, warn, error, crit, alert, and emerg. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. For example, the log level ‘error’ will cause error, crit, alert, and emerg messages to be logged. https://nginx.org/en/docs/ngx_core_module.html#error_log |
agentLevelAgentLogLevel |
(Optional)
AgentLevel defines the log level of the NGINX agent process. Changing this value results in a re-roll of the NGINX deployment. |
accessLogNginxAccessLog |
(Optional)
AccessLog defines the access log settings, including format itself and disabling option. For now only path /dev/stdout can be used. |
(Appears on: NginxProxySpec)
NginxPlus specifies NGINX Plus additional settings. These will only be applied if NGINX Plus is being used.
| Field | Description |
|---|---|
allowedAddresses[]NginxPlusAllowAddress |
(Optional)
AllowedAddresses specifies IPAddresses or CIDR blocks to the allow list for accessing the NGINX Plus API. |
(Appears on: NginxPlus)
NginxPlusAllowAddress specifies the address type and value for an NginxPlus allow address.
| Field | Description |
|---|---|
typeNginxPlusAllowAddressType |
Type specifies the type of address. |
valuestring |
Value specifies the address value. |
string alias)¶
(Appears on: NginxPlusAllowAddress)
NginxPlusAllowAddressType specifies the type of address.
| Value | Description |
|---|---|
"CIDR" |
NginxPlusAllowCIDRAddressType specifies that the address is a CIDR block. |
"IPAddress" |
NginxPlusAllowIPAddressType specifies that the address is an IP address. |
(Appears on: NginxProxy)
NginxProxySpec defines the desired state of the NginxProxy.
| Field | Description |
|---|---|
ipFamilyIPFamilyType |
(Optional)
IPFamily specifies the IP family to be used by the NGINX. Default is “dual”, meaning the server will use both IPv4 and IPv6. |
telemetryTelemetry |
(Optional)
Telemetry specifies the OpenTelemetry configuration. |
metricsMetrics |
(Optional)
Metrics defines the configuration for Prometheus scraping metrics. Changing this value results in a re-roll of the NGINX deployment. |
rewriteClientIPRewriteClientIP |
(Optional)
RewriteClientIP defines configuration for rewriting the client IP to the original client’s IP. |
loggingNginxLogging |
(Optional)
Logging defines logging related settings for NGINX. |
nginxPlusNginxPlus |
(Optional)
NginxPlus specifies NGINX Plus additional settings. |
disableHTTP2bool |
(Optional)
DisableHTTP2 defines if http2 should be disabled for all servers. If not specified, or set to false, http2 will be enabled for all servers. |
disableSNIHostValidationbool |
(Optional)
DisableSNIHostValidation disables the validation that ensures the SNI hostname matches the Host header in HTTPS requests. When disabled, HTTPS connections can be reused for requests to different hostnames covered by the same certificate. This resolves HTTP/2 connection coalescing issues with wildcard certificates but introduces security risks as described in Gateway API GEP-3567. If not specified, defaults to false (validation enabled). |
kubernetesKubernetesSpec |
(Optional)
Kubernetes contains the configuration for the NGINX Deployment and Service Kubernetes objects. |
workerConnectionsint32 |
(Optional)
WorkerConnections specifies the maximum number of simultaneous connections that can be opened by a worker process. Default is 1024. |
dnsResolverDNSResolver |
(Optional)
DNSResolver specifies the DNS resolver configuration for external name resolution. This enables support for routing to ExternalName Services. |
serverTokensstring |
(Optional)
ServerTokens configures whether NGINX emits its version in the “Server” response header and on error pages. OSS NGINX accepts: - “on”: Shows nginx and version (e.g. “nginx/1.25.0”) - “off”: Shows nginx only (e.g. “nginx”) - “build”: Shows version and build name (e.g. “nginx/1.25.0 (build-name)”) NGINX Plus additionally accepts:
- “”: Suppress the “Server” response header entirely
- See: https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens NGINX directive: https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens Default is “off”. |
wafWAFSpec |
(Optional)
WAF configures NGINX App Protect WAF functionality. |
(Appears on: ServiceSpec)
NodePort creates a port on each node on which the NGINX data plane service is exposed. The NodePort MUST map to a Gateway listener port, otherwise it will be ignored. If not specified, Kubernetes allocates a NodePort automatically if required. The default NodePort range enforced by Kubernetes is 30000-32767.
| Field | Description |
|---|---|
portint32 |
Port is the NodePort to expose. |
listenerPortint32 |
ListenerPort is the Gateway listener port that this NodePort maps to. |
(Appears on: ObservabilityPolicy)
ObservabilityPolicySpec defines the desired state of the ObservabilityPolicy.
| Field | Description |
|---|---|
tracingTracing |
(Optional)
Tracing allows for enabling and configuring tracing. |
targetRefs[]sigs.k8s.io/gateway-api/apis/v1.LocalPolicyTargetReference |
TargetRefs identifies the API object(s) to apply the policy to. Objects must be in the same namespace as the policy. Support: HTTPRoute, GRPCRoute. TargetRefs must be distinct. This means that the multi-part key defined by |
(Appears on: DaemonSetSpec, DeploymentSpec, ServiceSpec)
Patch defines a patch to apply to a Kubernetes object.
| Field | Description |
|---|---|
typePatchType |
(Optional)
Type is the type of patch. Defaults to StrategicMerge. |
valuek8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1.JSON |
(Optional)
Value is the patch data as raw JSON. For StrategicMerge and Merge patches, this should be a JSON object. For JSONPatch patches, this should be a JSON array of patch operations. |
string alias)¶
(Appears on: Patch)
PatchType specifies the type of patch.
| Value | Description |
|---|---|
"JSONPatch" |
PatchTypeJSONPatch uses JSON patch (RFC 6902). |
"Merge" |
PatchTypeMerge uses merge patch (RFC 7386). |
"StrategicMerge" |
PatchTypeStrategicMerge uses strategic merge patch. |
(Appears on: DaemonSetSpec, DeploymentSpec)
PodSpec defines Pod-specific fields.
| Field | Description |
|---|---|
terminationGracePeriodSecondsint64 |
(Optional)
TerminationGracePeriodSeconds is the optional duration in seconds the pod needs to terminate gracefully. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. |
affinityKubernetes core/v1.Affinity |
(Optional)
Affinity is the pod’s scheduling constraints. |
nodeSelectormap[string]string |
(Optional)
NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node’s labels for the pod to be scheduled on that node. |
tolerations[]Kubernetes core/v1.Toleration |
(Optional)
Tolerations allow the scheduler to schedule Pods with matching taints. |
volumes[]Kubernetes core/v1.Volume |
(Optional)
Volumes represents named volumes in a pod that may be accessed by any container in the pod. |
topologySpreadConstraints[]Kubernetes core/v1.TopologySpreadConstraint |
(Optional)
TopologySpreadConstraints describes how a group of Pods ought to spread across topology domains. Scheduler will schedule Pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed. |
string alias)¶
(Appears on: Image)
PullPolicy describes a policy for if/when to pull a container image.
| Value | Description |
|---|---|
"Always" |
PullAlways means that kubelet always attempts to pull the latest image. Container will fail if the pull fails. |
"IfNotPresent" |
PullIfNotPresent means that kubelet pulls if the image isn’t present on disk. Container will fail if the image isn’t present and the pull fails. |
"Never" |
PullNever means that kubelet never pulls an image, but only uses a local image. Container will fail if the image isn’t present. |
(Appears on: ContainerSpec)
ReadinessProbeSpec defines the configuration for the NGINX readiness probe.
| Field | Description |
|---|---|
portint32 |
(Optional)
Port is the port on which the readiness endpoint is exposed. If not specified, the default port is 8081. |
pathstring |
(Optional)
Path is the path on which the readiness endpoint is exposed. If not specified, the default path is /readyz. Must start with a forward slash and contain only valid URL path characters. |
initialDelaySecondsint32 |
(Optional)
InitialDelaySeconds is the number of seconds after the container has started before the readiness probe is initiated. If not specified, the default is 3 seconds. |
exposebool |
(Optional)
Expose toggles whether the endpoint should be exposed through the Gateway Service object. This allows an external LoadBalancer to perform healthchecks. Default is false. |
(Appears on: NginxProxySpec)
RewriteClientIP specifies the configuration for rewriting the client’s IP address.
| Field | Description |
|---|---|
modeRewriteClientIPModeType |
(Optional)
Mode defines how NGINX will rewrite the client’s IP address. There are two possible modes: - ProxyProtocol: NGINX will rewrite the client’s IP using the PROXY protocol header. - XForwardedFor: NGINX will rewrite the client’s IP using the X-Forwarded-For header. Sets NGINX directive real_ip_header: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header |
setIPRecursivelybool |
(Optional)
SetIPRecursively configures whether recursive search is used when selecting the client’s address from the X-Forwarded-For header. It is used in conjunction with TrustedAddresses. If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of array to start of array and select the first untrusted IP. For example, if X-Forwarded-For is [11.11.11.11, 22.22.22.22, 55.55.55.1], and TrustedAddresses is set to 55.55.55.1⁄32, NGINX will rewrite the client IP to 22.22.22.22. If disabled, NGINX will select the IP at the end of the array. In the previous example, 55.55.55.1 would be selected. Sets NGINX directive real_ip_recursive: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive |
trustedAddresses[]RewriteClientIPAddress |
(Optional)
TrustedAddresses specifies the addresses that are trusted to send correct client IP information. If a request comes from a trusted address, NGINX will rewrite the client IP information, and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers. If the request does not come from a trusted address, NGINX will not rewrite the client IP information. To trust all addresses (not recommended for production), set to 0.0.0.0/0. If no addresses are provided, NGINX will not rewrite the client IP information. Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from This field is required if mode is set. |
(Appears on: RewriteClientIP)
RewriteClientIPAddress specifies the address type and value for a RewriteClientIP address.
| Field | Description |
|---|---|
typeRewriteClientIPAddressType |
Type specifies the type of address. |
valuestring |
Value specifies the address value. |
string alias)¶
(Appears on: RewriteClientIPAddress)
RewriteClientIPAddressType specifies the type of address.
| Value | Description |
|---|---|
"CIDR" |
RewriteClientIPCIDRAddressType specifies that the address is a CIDR block. |
"Hostname" |
RewriteClientIPHostnameAddressType specifies that the address is a Hostname. |
"IPAddress" |
RewriteClientIPIPAddressType specifies that the address is an IP address. |
string alias)¶
(Appears on: RewriteClientIP)
RewriteClientIPModeType defines how NGINX Gateway Fabric will determine the client’s original IP address.
| Value | Description |
|---|---|
"ProxyProtocol" |
RewriteClientIPModeProxyProtocol configures NGINX to accept PROXY protocol and set the client’s IP address to the IP address in the PROXY protocol header. Sets the proxy_protocol parameter on the listen directive of all servers and sets real_ip_header to proxy_protocol: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header. |
"XForwardedFor" |
RewriteClientIPModeXForwardedFor configures NGINX to set the client’s IP address to the IP address in the X-Forwarded-For HTTP header. https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header. |
(Appears on: KubernetesSpec)
ServiceSpec is the configuration for the NGINX Service.
| Field | Description |
|---|---|
typeServiceType |
(Optional)
ServiceType describes ingress method for the Service. |
externalTrafficPolicyExternalTrafficPolicy |
(Optional)
ExternalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service’s “externally-facing” addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). |
loadBalancerIPstring |
(Optional)
LoadBalancerIP is a static IP address for the load balancer. Requires service type to be LoadBalancer. |
loadBalancerClassstring |
(Optional)
LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service type to be LoadBalancer. |
loadBalancerSourceRanges[]string |
(Optional)
LoadBalancerSourceRanges are the IP ranges (CIDR) that are allowed to access the load balancer. Requires service type to be LoadBalancer. |
nodePorts[]NodePort |
(Optional)
NodePorts are the list of NodePorts to expose on the NGINX data plane service. Each NodePort MUST map to a Gateway listener port, otherwise it will be ignored. The default NodePort range enforced by Kubernetes is 30000-32767. |
patches[]Patch |
(Optional)
Patches are custom patches to apply to the NGINX Service. |
string alias)¶
(Appears on: ServiceSpec)
ServiceType describes ingress method for the Service.
| Value | Description |
|---|---|
"ClusterIP" |
ServiceTypeClusterIP means a Service will only be accessible inside the cluster, via the cluster IP. |
"LoadBalancer" |
ServiceTypeLoadBalancer means a Service will be exposed via an external load balancer (if the cloud provider supports it), in addition to ‘NodePort’ type. |
"NodePort" |
ServiceTypeNodePort means a Service will be exposed on one port of every node, in addition to ‘ClusterIP’ type. |
(Appears on: NginxProxySpec)
Telemetry specifies the OpenTelemetry configuration.
| Field | Description |
|---|---|
disabledFeatures[]DisableTelemetryFeature |
(Optional)
DisabledFeatures specifies OpenTelemetry features to be disabled. |
exporterTelemetryExporter |
(Optional)
Exporter specifies OpenTelemetry export parameters. |
serviceNamestring |
(Optional)
ServiceName is the “service.name” attribute of the OpenTelemetry resource.
Default is ‘ngf: |
spanAttributes[]SpanAttribute |
(Optional)
SpanAttributes are custom key/value attributes that are added to each span. |
(Appears on: Telemetry)
TelemetryExporter specifies OpenTelemetry export parameters.
| Field | Description |
|---|---|
intervalDuration |
(Optional)
Interval is the maximum interval between two exports. Default: https://nginx.org/en/docs/ngx_otel_module.html#otel_exporter |
batchSizeint32 |
(Optional)
BatchSize is the maximum number of spans to be sent in one batch per worker. Default: https://nginx.org/en/docs/ngx_otel_module.html#otel_exporter |
batchCountint32 |
(Optional)
BatchCount is the number of pending batches per worker, spans exceeding the limit are dropped. Default: https://nginx.org/en/docs/ngx_otel_module.html#otel_exporter |
endpointstring |
(Optional)
Endpoint is the address of OTLP/gRPC endpoint that will accept telemetry data. Format: alphanumeric hostname with optional http scheme and optional port. |
string alias)¶
(Appears on: Tracing)
TraceContext specifies how to propagate traceparent/tracestate headers.
| Value | Description |
|---|---|
"extract" |
TraceContextExtract uses an existing trace context from the request, so that the identifiers of a trace and the parent span are inherited from the incoming request. |
"ignore" |
TraceContextIgnore skips context headers processing. |
"inject" |
TraceContextInject adds a new context to the request, overwriting existing headers, if any. |
"propagate" |
TraceContextPropagate updates the existing context (combines extract and inject). |
string alias)¶
(Appears on: Tracing)
TraceStrategy defines the tracing strategy.
| Value | Description |
|---|---|
"parent" |
TraceStrategyParent enables tracing and only records spans if the parent span was sampled. |
"ratio" |
TraceStrategyRatio enables ratio-based tracing, defaulting to 100% sampling rate. |
(Appears on: ObservabilityPolicySpec)
Tracing allows for enabling and configuring OpenTelemetry tracing.
| Field | Description |
|---|---|
strategyTraceStrategy |
Strategy defines if tracing is ratio-based or parent-based. |
ratioint32 |
(Optional)
Ratio is the percentage of traffic that should be sampled. Integer from 0 to 100. By default, 100% of http requests are traced. Not applicable for parent-based tracing. If ratio is set to 0, tracing is disabled. |
contextTraceContext |
(Optional)
Context specifies how to propagate traceparent/tracestate headers. Default: https://nginx.org/en/docs/ngx_otel_module.html#otel_trace_context |
spanNamestring |
(Optional)
SpanName defines the name of the Otel span. By default is the name of the location for a request. If specified, applies to all locations that are created for a route. Format: must have all ‘“’ escaped and must not contain any ‘$’ or end with an unescaped ‘\’ Examples of invalid names: some-$value, quoted-“value”-name, unescaped |
spanAttributes[]SpanAttribute |
(Optional)
SpanAttributes are custom key/value attributes that are added to each span. |
(Appears on: WAFContainerSpec)
WAFContainerConfig defines the configuration for a single WAF container.
| Field | Description |
|---|---|
imageImage |
(Optional)
Image is the container image to use for this WAF container. |
resourcesKubernetes core/v1.ResourceRequirements |
(Optional)
Resources describes the compute resource requirements for this WAF container. |
volumeMounts[]Kubernetes core/v1.VolumeMount |
(Optional)
VolumeMounts describe the mounting of Volumes within the WAF container. |
(Appears on: DaemonSetSpec, DeploymentSpec)
WAFContainerSpec defines the container specifications for NGINX App Protect WAF v5. NAP v5 requires two additional containers: waf-enforcer and waf-config-mgr.
| Field | Description |
|---|---|
enforcerWAFContainerConfig |
(Optional)
Enforcer defines the configuration for the WAF enforcer container. This container performs the actual WAF enforcement and policy application. |
configManagerWAFContainerConfig |
(Optional)
ConfigManager defines the configuration for the WAF configuration manager container. This container manages policy configuration and communication with the enforcer. |
(Appears on: NginxProxySpec)
WAFSpec configures NGINX App Protect WAF.
| Field | Description |
|---|---|
enablebool |
(Optional)
Enable enables NGINX App Protect WAF functionality. When enabled, NGINX Gateway Fabric will deploy additional WAF containers (waf-enforcer and waf-config-mgr) alongside the main NGINX container. Default is false. |
disableCookieSeedbool |
(Optional)
DisableCookieSeed disables the app_protect_cookie_seed directive. By default, NGF sets this directive to a stable value derived from the Gateway UID, ensuring WAF session cookies are consistent across multiple NGINX replicas. Set this to true if you have pre-compiled the cookie seed into your WAF policy bundles via the compiler global settings, to avoid conflicting with the compiled-in value. Default is false. |
bundleFailOpenbool |
(Optional)
BundleFailOpen controls the behavior when a WAF policy bundle (policy or log profile) has not yet been successfully fetched. When set to true, NGINX configuration is pushed and traffic is served without WAF protection until the bundle becomes available. When false (the default), the configuration push is withheld until the bundle is fetched, maintaining a fail-closed posture. |
Generated with gen-crd-api-reference-docs