KubeLB Enterprise Edition CRD References

Enterprise Edition

Source: kubelb.k8c.io/v1alpha1

Packages

kubelb.k8c.io/v1alpha1

kubelb.k8c.io/v1alpha1

Package v1alpha1 contains API Schema definitions for the kubelb.k8c.io v1alpha1 API group

Resource Types

Addresses
AddressesList
Config
ConfigList
LoadBalancer
LoadBalancerList
Route
RouteList
SyncSecret
SyncSecretList
Tenant
TenantList
TenantState
TenantStateList
Tunnel
TunnelList
WAFPolicy
WAFPolicyList

Addresses

Addresses is the Schema for the addresses API

Appears in:

AddressesList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`Addresses`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` AddressesSpec
`status` AddressesStatus

AddressesList

AddressesList contains a list of Addresses

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`AddressesList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` Addresses array

AddressesSpec

AddressesSpec defines the desired state of Addresses

Appears in:

Addresses

Field	Description	Default	Validation
`addresses` EndpointAddress array	Addresses contains a list of addresses.		MinItems: 1

AddressesStatus

AddressesStatus defines the observed state of Addresses

Appears in:

Addresses

AnnotatedResource

Underlying type: string

Validation:

Enum: [all service ingress gateway httproute grpcroute tcproute udproute tlsroute]

Appears in:

AnnotationSettings
ConfigSpec
TenantSpec

Field	Description
`all`
`service`
`ingress`
`gateway`
`httproute`
`grpcroute`
`tcproute`
`udproute`
`tlsroute`

AnnotationSettings

Appears in:

ConfigSpec
TenantSpec

Field	Description	Default	Validation
`propagatedAnnotations` map[string]string	PropagatedAnnotations defines the list of annotations(key-value pairs) that will be propagated to the LoadBalancer service. Keep the `value` field empty in the key-value pair to allow any value. Tenant configuration has higher precedence than the annotations specified at the Config level.
`propagateAllAnnotations` boolean	PropagateAllAnnotations defines whether all annotations will be propagated to the LoadBalancer service. If set to true, PropagatedAnnotations will be ignored. Tenant configuration has higher precedence than the value specified at the Config level.
`defaultAnnotations` object (keys:AnnotatedResource, values:Annotations)	DefaultAnnotations defines the list of annotations(key-value pairs) that will be set on the load balancing resources if not already present. A special key `all` can be used to apply the same set of annotations to all resources. Tenant configuration has higher precedence than the annotations specified at the Config level.

Annotations

Underlying type: object

Appears in:

AnnotationSettings
ConfigSpec
TenantSpec

CertificatesSettings

CertificatesSettings defines the settings for the certificates.

Appears in:

TenantSpec

Field	Description	Default	Validation
`disable` boolean	Disable is a flag that can be used to disable certificate automation for a tenant.
`defaultClusterIssuer` string	DefaultClusterIssuer is the Cluster Issuer to use for the certificates by default. This is applied when the cluster issuer is not specified in the annotations on the resource itself.
`allowedDomains` string array	AllowedDomains is a list of allowed domains for automated Certificate management. Has a higher precedence than the value specified in the Config. If empty, the value specified in `tenant.spec.allowedDomains` will be used. Examples: - [".example.com"] -> this allows subdomains at the root level such as example.com and test.example.com but won’t allow domains at one level above like test.test.example.com - [".example.com"] -> this allows all subdomains of example.com such as test.dns.example.com and dns.example.com - [“example.com”] -> this allows only example.com - [""] or [""] -> this allows all domains Note: “*” was added as a special case to allow any levels of subdomains that come before it. “” works for only 1 level.

CircuitBreaker

CircuitBreaker defines the Circuit Breaker configuration for Envoy clusters. Circuit breakers prevent cascading failures by limiting connections/requests to upstream clusters. For more info: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking

Appears in:

ConfigSpec
TenantSpec

Field	Description	Validation
`maxConnections` integer	MaxConnections is the maximum number of connections that Envoy will establish to all endpoints in the cluster. If not specified, the default is 1024.	Maximum: 4.294967295e+09 Minimum: 0
`maxPendingRequests` integer	MaxPendingRequests is the maximum number of pending requests that Envoy will queue to the cluster. If not specified, the default is 1024.	Maximum: 4.294967295e+09 Minimum: 0
`maxParallelRequests` integer	MaxParallelRequests is the maximum number of parallel requests that Envoy will make to the cluster. This is applicable to HTTP/2 and gRPC connections. If not specified, the default is 1024.	Maximum: 4.294967295e+09 Minimum: 0
`maxParallelRetries` integer	MaxParallelRetries is the maximum number of parallel retries that Envoy will make to the cluster. If not specified, the default is 3.	Maximum: 4.294967295e+09 Minimum: 0
`maxRequestsPerConnection` integer	MaxRequestsPerConnection is the maximum number of requests that Envoy will make over a single connection to the cluster. If not specified, there is no limit.	Maximum: 4.294967295e+09 Minimum: 0
`perEndpoint` PerEndpointCircuitBreaker	PerEndpoint configures circuit breaker thresholds that apply to individual endpoints rather than the whole cluster.

Config

Config is the object that represents the Config for the KubeLB management controller.

Appears in:

ConfigList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`Config`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` ConfigSpec

ConfigCertificatesSettings

ConfigCertificatesSettings defines the global settings for the certificates.

Appears in:

ConfigSpec

Field	Description	Default	Validation
`disable` boolean	Disable is a flag that can be used to disable certificate automation globally for all the tenants.
`defaultClusterIssuer` string	DefaultClusterIssuer is the Cluster Issuer to use for the certificates by default. This is applied when the cluster issuer is not specified in the annotations on the resource itself.

ConfigDNSSettings

ConfigDNSSettings defines the global settings for DNS management and automation.

Appears in:

ConfigSpec

Field	Description	Default	Validation
`disable` boolean	Disable is a flag that can be used to disable DNS automation globally for all the tenants.
`wildcardDomain` string	WildcardDomain is the domain that will be used as the base domain to create wildcard DNS records for DNS resources. This is only used for determining the hostname for LoadBalancer and Tunnel resources.
`allowExplicitHostnames` boolean	AllowExplicitHostnames is a flag that can be used to allow explicit hostnames to be used for DNS resources. This is only used when LoadBalancer.Spec.Hostname or Tunnel.Spec.Hostname is set.
`useDNSAnnotations` boolean	UseDNSAnnotations is a flag that can be used to add DNS annotations to DNS resources. This is only used when LoadBalancer.Spec.Hostname or Tunnel.Spec.Hostname is set.
`useCertificateAnnotations` boolean	UseCertificateAnnotations is a flag that can be used to add Certificate annotations to Certificate resources. This is only used when LoadBalancer.Spec.Hostname or Tunnel.Spec.Hostname is set.

ConfigList

ConfigList contains a list of Config

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`ConfigList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` Config array

ConfigSpec

ConfigSpec defines the desired state of the Config

Appears in:

Config

Field	Description	Default	Validation
`propagatedAnnotations` map[string]string	PropagatedAnnotations defines the list of annotations(key-value pairs) that will be propagated to the LoadBalancer service. Keep the `value` field empty in the key-value pair to allow any value. Tenant configuration has higher precedence than the annotations specified at the Config level.
`propagateAllAnnotations` boolean	PropagateAllAnnotations defines whether all annotations will be propagated to the LoadBalancer service. If set to true, PropagatedAnnotations will be ignored. Tenant configuration has higher precedence than the value specified at the Config level.
`defaultAnnotations` object (keys:AnnotatedResource, values:Annotations)	DefaultAnnotations defines the list of annotations(key-value pairs) that will be set on the load balancing resources if not already present. A special key `all` can be used to apply the same set of annotations to all resources. Tenant configuration has higher precedence than the annotations specified at the Config level.
`envoyProxy` EnvoyProxy	EnvoyProxy defines the desired state of the Envoy Proxy
`loadBalancer` LoadBalancerSettings
`ingress` IngressSettings
`gatewayAPI` GatewayAPISettings
`dns` ConfigDNSSettings
`certificates` ConfigCertificatesSettings
`tunnel` TunnelSettings
`circuitBreaker` CircuitBreaker	CircuitBreaker defines the default circuit breaker configuration for all Envoy clusters. These settings can be overridden at the Tenant level.
`waf` WAFSettings	WAF defines WAF-related settings.

DNSSettings

DNSSettings defines the tenant specific settings for DNS management and automation.

Appears in:

TenantSpec

Field	Description	Default	Validation
`disable` boolean	Disable is a flag that can be used to disable DNS automation for a tenant.
`allowedDomains` string array	AllowedDomains is a list of allowed domains for automated DNS management. Has a higher precedence than the value specified in the Config. If empty, the value specified in `tenant.spec.allowedDomains` will be used. Examples: - [".example.com"] -> this allows subdomains at the root level such as example.com and test.example.com but won’t allow domains at one level above like test.test.example.com - [".example.com"] -> this allows all subdomains of example.com such as test.dns.example.com and dns.example.com - [“example.com”] -> this allows only example.com - [""] or [""] -> this allows all domains Note: “*” was added as a special case to allow any levels of subdomains that come before it. “” works for only 1 level.
`wildcardDomain` string	WildcardDomain is the domain that will be used as the base domain to create wildcard DNS records for DNS resources. This is only used for determining the hostname for LoadBalancer and Tunnel resources.
`allowExplicitHostnames` boolean	AllowExplicitHostnames is a flag that can be used to allow explicit hostnames to be used for DNS resources. This is only used when LoadBalancer.Spec.Hostname or Tunnel.Spec.Hostname is set.
`useDNSAnnotations` boolean	UseDNSAnnotations is a flag that can be used to add DNS annotations to DNS resources. This is only used when LoadBalancer.Spec.Hostname or Tunnel.Spec.Hostname is set.
`useCertificateAnnotations` boolean	UseCertificateAnnotations is a flag that can be used to add Certificate annotations to Certificate resources. This is only used when LoadBalancer.Spec.Hostname or Tunnel.Spec.Hostname is set.

EndpointAddress

EndpointAddress is a tuple that describes single IP address.

Appears in:

AddressesSpec
LoadBalancerEndpoints

Field	Description	Default	Validation
`ip` string	The IP of this endpoint. May not be loopback (127.0.0.0/8), link-local (169.254.0.0/16), or link-local multicast ((224.0.0.0/24).		MinLength: 7
`hostname` string	The Hostname of this endpoint

EndpointPort

EndpointPort is a tuple that describes a single port.

Appears in:

LoadBalancerEndpoints

Field	Description	Validation
`name` string	The name of this port. This must match the ’name’ field in the corresponding ServicePort. Must be a DNS_LABEL. Optional only if one port is defined.
`port` integer	The port number of the endpoint.
`protocol` Protocol	The IP protocol for this port. Defaults to “TCP”.	Enum: [TCP UDP]

EnvoyProxy

EnvoyProxy defines the desired state of the EnvoyProxy

Appears in:

ConfigSpec

Field	Description	Default	Validation
`topology` EnvoyProxyTopology	Topology defines the deployment topology for Envoy Proxy. Valid values are: shared and global. DEPRECATION NOTICE: The value “dedicated” is deprecated and will be removed in a future release. Dedicated topology will now default to shared topology.	shared	Enum: [shared dedicated global]
`useDaemonset` boolean	UseDaemonset defines whether Envoy Proxy will run as daemonset. By default, Envoy Proxy will run as deployment. If set to true, Replicas will be ignored.
`replicas` integer	Replicas defines the number of replicas for Envoy Proxy. This field is ignored if UseDaemonset is set to true.	3	Minimum: 1
`singlePodPerNode` boolean	SinglePodPerNode defines whether Envoy Proxy pods will be spread across nodes. This ensures that multiple replicas are not running on the same node.
`nodeSelector` object (keys:string, values:string)	NodeSelector is used to select nodes to run Envoy Proxy. If specified, the node must have all the indicated labels.
`tolerations` Toleration array	Tolerations is used to schedule Envoy Proxy pods on nodes with matching taints.
`resources` ResourceRequirements	Resources defines the resource requirements for Envoy Proxy.
`affinity` Affinity	Affinity is used to schedule Envoy Proxy pods on nodes with matching affinity.
`image` string	Image defines the Envoy Proxy image to use.
`gracefulShutdown` EnvoyProxyGracefulShutdown	GracefulShutdown defines the graceful shutdown configuration for Envoy Proxy.
`overloadManager` EnvoyProxyOverloadManager	OverloadManager defines the overload manager configuration for Envoy XDS bootstrap.

EnvoyProxyGracefulShutdown

EnvoyProxyGracefulShutdown defines the graceful shutdown configuration for Envoy Proxy

Appears in:

EnvoyProxy

Field	Description	Default	Validation
`disabled` boolean	Disabled controls whether graceful shutdown is disabled
`drainTimeout` Duration	DrainTimeout is the maximum time to wait for connections to drain. Defaults to 60s. Must be less than TerminationGracePeriodSeconds.	60s
`minDrainDuration` Duration	MinDrainDuration is the minimum time to wait before checking connection count. This prevents premature termination. Defaults to 5s.	5s
`terminationGracePeriodSeconds` integer	TerminationGracePeriodSeconds is the grace period for pod termination. Must be greater than DrainTimeout. Defaults to 300s.	300	Minimum: 30
`shutdownManagerImage` string	ShutdownManagerImage is the Docker image for the shutdown-manager sidecar. Defaults to “docker.io/envoyproxy/gateway:v1.3.0”	docker.io/envoyproxy/gateway:v1.3.0

EnvoyProxyOverloadManager

EnvoyProxyOverloadManager defines the overload manager configuration for Envoy XDS

Appears in:

EnvoyProxy

Field	Description	Default	Validation
`enabled` boolean	Enabled controls whether overload manager is enabled
`maxActiveDownstreamConnections` integer	MaxActiveDownstreamConnections is the maximum number of active downstream connections for the Envoy.
`maxHeapSizeBytes` integer	MaxHeapSizeBytes is the maximum heap size for the Envoy in bytes. On reaching the limit, the Envoy will start to reject new connections.

EnvoyProxyTopology

Underlying type: string

Appears in:

EnvoyProxy

Field	Description
`shared`
`dedicated`
`global`

GatewayAPISettings

GatewayAPISettings defines the settings for the gateway API.

Appears in:

ConfigSpec
TenantSpec

Field	Description	Default	Validation
`class` string	Class is the class of the gateway API to use. This can be used to specify a specific gateway API implementation. This has higher precedence than the value specified in the Config.
`disable` boolean	Disable is a flag that can be used to disable Gateway API for a tenant.
`defaultGateway` ObjectReference	DefaultGateway is the default gateway reference to use for the tenant. This is only used for load balancer hostname and tunneling.
`gateway` GatewaySettings
`disableHTTPRoute` boolean
`disableGRPCRoute` boolean
`disableTCPRoute` boolean
`disableUDPRoute` boolean
`disableTLSRoute` boolean
`disableBackendTrafficPolicy` boolean
`disableClientTrafficPolicy` boolean

GatewayAPIsSettings

Appears in:

GatewayAPISettings

Field	Description	Default	Validation
`disableHTTPRoute` boolean
`disableGRPCRoute` boolean
`disableTCPRoute` boolean
`disableUDPRoute` boolean
`disableTLSRoute` boolean
`disableBackendTrafficPolicy` boolean
`disableClientTrafficPolicy` boolean

GatewaySettings

GatewaySettings defines the settings for the gateway resource.

Appears in:

GatewayAPISettings

Field	Description	Default	Validation
`limit` integer	Limit is the maximum number of gateways to create. If a lower limit is set than the number of reources that exist, the limit will be disallow creation of new resources but will not delete existing resources. The reason behind this is that it is not possible for KubeLB to know which resources are safe to remove.

HostnameStatus

Appears in:

LoadBalancerStatus

Field	Description	Default	Validation
`hostname` string	Hostname contains the hostname of the load-balancer.
`tlsEnabled` boolean	TLSEnabled is true if certificate is created for the hostname.
`dnsRecordCreated` boolean	DNSRecordCreated is true if DNS record is created for the hostname.

IngressSettings

IngressSettings defines the settings for the ingress.

Appears in:

ConfigSpec
TenantSpec

Field	Description	Default	Validation
`class` string	Class is the class of the ingress to use. This has higher precedence than the value specified in the Config.
`disable` boolean	Disable is a flag that can be used to disable Ingress for a tenant.

KubernetesSource

Appears in:

RouteSource

Field	Description	Default	Validation
`resource` Unstructured			EmbeddedResource: {}
`services` UpstreamService array	Services contains the list of services that are used as the source for the Route.

LoadBalancer

LoadBalancer is the Schema for the loadbalancers API

Appears in:

LoadBalancerList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`LoadBalancer`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` LoadBalancerSpec
`status` LoadBalancerStatus

LoadBalancerEndpoints

LoadBalancerEndpoints is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:

{ Addresses: [{“ip”: “10.10.1.1”}, {“ip”: “10.10.2.2”}], Ports: [{“name”: “a”, “port”: 8675}, {“name”: “b”, “port”: 309}] }

The resulting set of endpoints can be viewed as:

a: [ 10.10.1.1:8675, 10.10.2.2:8675 ], b: [ 10.10.1.1:309, 10.10.2.2:309 ]

Appears in:

LoadBalancerSpec
RouteSpec

Field	Description	Validation
`name` string	Name is the name of the endpoints.
`addresses` EndpointAddress array	IP addresses which offer the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize.	MinItems: 1
`addressesReference` ObjectReference	AddressesReference is a reference to the Addresses object that contains the IP addresses. If this field is set, the Addresses field will be ignored.
`ports` EndpointPort array	Port numbers available on the related IP addresses. This field is ignored for routes that are using kubernetes resources as the source.	MinItems: 1

LoadBalancerList

LoadBalancerList contains a list of LoadBalancer

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`LoadBalancerList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` LoadBalancer array

LoadBalancerPort

LoadBalancerPort contains information on service’s port.

Appears in:

LoadBalancerSpec

Field	Description	Validation
`name` string	The name of this port within the service. This must be a DNS_LABEL. All ports within a Spec must have unique names. When considering the endpoints for a Service, this must match the ’name’ field in the EndpointPort. Optional if only one ServicePort is defined on this service.
`protocol` Protocol	The IP protocol for this port. Defaults to “TCP”.	Enum: [TCP UDP]
`port` integer	The port that will be exposed by the LoadBalancer.

LoadBalancerSettings

LoadBalancerSettings defines the settings for the load balancers.

Appears in:

ConfigSpec
TenantSpec

Field	Description	Default	Validation
`class` string	Class is the class of the load balancer to use. This has higher precedence than the value specified in the Config.
`limit` integer	Limit is the maximum number of load balancers to create. If a lower limit is set than the number of reources that exist, the limit will be disallow creation of new resources but will not delete existing resources. The reason behind this is that it is not possible for KubeLB to know which resources are safe to remove.
`disable` boolean	Disable is a flag that can be used to disable L4 load balancing for a tenant.

LoadBalancerSpec

LoadBalancerSpec defines the desired state of LoadBalancer

Appears in:

LoadBalancer

Field	Description	Default	Validation
`endpoints` LoadBalancerEndpoints array	Sets of addresses and ports that comprise an exposed user service on a cluster.		MinItems: 1
`ports` LoadBalancerPort array	The list of ports that are exposed by the load balancer service. only needed for layer 4
`hostname` string	Hostname is the domain name at which the load balancer service will be accessible. When hostname is set, KubeLB will create a route(ingress or httproute) for the service, and expose it with TLS on the given hostname.
`type` ServiceType	type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. “ExternalName” maps to the specified externalName. “ClusterIP” allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is “None”, no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. “NodePort” builds on ClusterIP and allocates a port on every node which routes to the clusterIP. “LoadBalancer” builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	ClusterIP

LoadBalancerState

Appears in:

TenantStateStatus

Field	Description	Default	Validation
`disable` boolean
`limit` integer

LoadBalancerStatus

LoadBalancerStatus defines the observed state of LoadBalancer

Appears in:

LoadBalancer

Field	Description	Default	Validation
`loadBalancer` LoadBalancerStatus	LoadBalancer contains the current status of the load-balancer, if one is present.
`service` ServiceStatus	Service contains the current status of the LB service.
`hostname` HostnameStatus	Hostname contains the status for hostname resources.

PerEndpointCircuitBreaker

PerEndpointCircuitBreaker defines circuit breaker thresholds that apply to individual endpoints.

Appears in:

CircuitBreaker

Field	Description	Default	Validation
`maxConnections` integer	MaxConnections is the maximum number of connections that Envoy will establish to a single endpoint. If not specified, the default is 1024.		Maximum: 4.294967295e+09 Minimum: 0

ResourceState

Appears in:

RouteResourcesStatus
RouteServiceStatus

Field	Description	Default	Validation
`apiVersion` string	APIVersion is the API version of the resource.
`name` string	Name is the name of the resource.
`namespace` string	Namespace is the namespace of the resource.
`generatedName` string	GeneratedName is the generated name of the resource.
`status` RawExtension	Status is the actual status of the resource.
`conditions` Condition array

Route

Route is the object that represents a route in the cluster.

Appears in:

RouteList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`Route`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` RouteSpec
`status` RouteStatus

RouteList

RouteList contains a list of Routes

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`RouteList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` Route array

RouteResourcesStatus

Appears in:

RouteStatus

Field	Description	Default	Validation
`source` string
`services` object (keys:string, values:RouteServiceStatus)
`route` ResourceState

RouteServiceStatus

Appears in:

RouteResourcesStatus

Field	Description	Default	Validation
`apiVersion` string	APIVersion is the API version of the resource.
`name` string	Name is the name of the resource.
`namespace` string	Namespace is the namespace of the resource.
`generatedName` string	GeneratedName is the generated name of the resource.
`status` RawExtension	Status is the actual status of the resource.
`conditions` Condition array
`ports` ServicePort array

RouteSource

Appears in:

RouteSpec

Field	Description	Default	Validation
`kubernetes` KubernetesSource	Kubernetes contains the information about the Kubernetes source. This field is automatically populated by the KubeLB CCM and in most cases, users should not set this field manually.

RouteSpec

RouteSpec defines the desired state of the Route.

Appears in:

Route

Field	Description	Default	Validation
`endpoints` LoadBalancerEndpoints array	Sets of addresses and ports that comprise an exposed user service on a cluster. This field is required for Routes that represent traffic-forwarding resources (Ingress, Gateway routes). It is optional for policy resources like BackendTrafficPolicy.
`source` RouteSource	Source contains the information about the source of the route. This is used when the route is created from external sources.

RouteStatus

RouteStatus defines the observed state of the Route.

Appears in:

Route

Field	Description	Default	Validation
`resources` RouteResourcesStatus	Resources contains the list of resources that are created/processed as a result of the Route.

ServicePort

ServicePort contains information on service’s port.

Appears in:

ServiceStatus

Field	Description	Default	Validation
`name` string	The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the ’name’ field in the EndpointPort. Optional if only one ServicePort is defined on this service.
`protocol` Protocol	The IP protocol for this port. Supports “TCP”, “UDP”, and “SCTP”. Default is TCP.
`appProtocol` string	The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either: Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names). Kubernetes-defined prefixed names: ‘kubernetes.io/h2c’ - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior- ‘kubernetes.io/ws’ - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455 ‘kubernetes.io/wss’ - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455 Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.
`port` integer	The port that will be exposed by this service.
`targetPort` IntOrString	Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod’s container ports. If this is not specified, the value of the ‘port’ field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the ‘port’ field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
`nodePort` integer	The port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
`upstreamTargetPort` integer

ServiceStatus

Appears in:

LoadBalancerStatus

Field	Description	Default	Validation
`ports` ServicePort array

SyncSecret

SyncSecret is a wrapper over Kubernetes Secret object. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.

Appears in:

SyncSecretList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`SyncSecret`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`immutable` boolean
`data` object (keys:string, values:integer array)
`stringData` object (keys:string, values:string)
`type` SecretType

SyncSecretList

SyncSecretList contains a list of SyncSecrets

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`SyncSecretList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` SyncSecret array

Tenant

Tenant is the Schema for the tenants API

Appears in:

TenantList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`Tenant`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` TenantSpec
`status` TenantStatus

TenantList

TenantList contains a list of Tenant

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`TenantList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` Tenant array

TenantSpec

TenantSpec defines the desired state of Tenant

Appears in:

Tenant

Field	Description	Default
`propagatedAnnotations` map[string]string	PropagatedAnnotations defines the list of annotations(key-value pairs) that will be propagated to the LoadBalancer service. Keep the `value` field empty in the key-value pair to allow any value. Tenant configuration has higher precedence than the annotations specified at the Config level.
`propagateAllAnnotations` boolean	PropagateAllAnnotations defines whether all annotations will be propagated to the LoadBalancer service. If set to true, PropagatedAnnotations will be ignored. Tenant configuration has higher precedence than the value specified at the Config level.
`defaultAnnotations` object (keys:AnnotatedResource, values:Annotations)	DefaultAnnotations defines the list of annotations(key-value pairs) that will be set on the load balancing resources if not already present. A special key `all` can be used to apply the same set of annotations to all resources. Tenant configuration has higher precedence than the annotations specified at the Config level.
`loadBalancer` LoadBalancerSettings
`ingress` IngressSettings
`gatewayAPI` GatewayAPISettings
`dns` DNSSettings
`certificates` CertificatesSettings
`tunnel` TenantTunnelSettings
`circuitBreaker` CircuitBreaker	CircuitBreaker defines the circuit breaker configuration for this tenant’s Envoy clusters. Overrides Config-level settings.
`allowedDomains` string array	List of allowed domains for the tenant. This is used to restrict the domains that can be used for the tenant. If specified, applies on all the components such as Ingress, GatewayAPI, DNS, certificates, etc. Examples: - [".example.com"] -> this allows subdomains at the root level such as example.com and test.example.com but won’t allow domains at one level above like test.test.example.com - [".example.com"] -> this allows all subdomains of example.com such as test.dns.example.com and dns.example.com - [“example.com”] -> this allows only example.com - [""] or [""] -> this allows all domains Note: “” was added as a special case to allow any levels of subdomains that come before it. “*” works for only 1 level. Default: value is [""] and all domains are allowed.	[**]

TenantState

TenantState is the Schema for the tenants API

Appears in:

TenantStateList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`TenantState`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` TenantStateSpec
`status` TenantStateStatus

TenantStateList

TenantStateList contains a list of TenantState

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`TenantStateList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` TenantState array

TenantStateSpec

TenantStateSpec defines the desired state of TenantState.

Appears in:

TenantState

TenantStateStatus

TenantStateStatus defines the observed state of TenantState

Appears in:

TenantState

Field	Description	Default	Validation
`version` Version
`lastUpdated` Time
`conditions` Condition array
`tunnel` TunnelState
`loadBalancer` LoadBalancerState
`allowedDomains` string array

TenantStatus

TenantStatus defines the observed state of Tenant

Appears in:

Tenant

TenantTunnelSettings

TenantTunnelSettings defines the settings for the tunnel.

Appears in:

TenantSpec

Field	Description	Default	Validation
`limit` integer	Limit is the maximum number of tunnels to create. If a lower limit is set than the number of reources that exist, the limit will be disallow creation of new resources but will not delete existing resources. The reason behind this is that it is not possible for KubeLB to know which resources are safe to remove.
`disable` boolean	Disable is a flag that can be used to disable tunneling for a tenant.

Tunnel

Tunnel is the Schema for the tunnels API

Appears in:

TunnelList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`Tunnel`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` TunnelSpec
`status` TunnelStatus

TunnelList

TunnelList contains a list of Tunnel

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`TunnelList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` Tunnel array

TunnelPhase

Underlying type: string

TunnelPhase represents the phase of tunnel

Appears in:

TunnelStatus

Field	Description
`Pending`	TunnelPhasePending means the tunnel is being provisioned
`Ready`	TunnelPhaseReady means the tunnel is ready to accept connections
`Failed`	TunnelPhaseFailed means the tunnel provisioning failed
`Terminating`	TunnelPhaseTerminating means the tunnel is being terminated

TunnelResources

TunnelResources contains references to resources created for the tunnel

Appears in:

TunnelStatus

Field	Description	Default	Validation
`serviceName` string	ServiceName is the name of the service created for this tunnel
`routeRef` ObjectReference	RouteRef is a reference to the route (HTTPRoute or Ingress) created for this tunnel

TunnelSettings

TunnelSettings defines the global settings for Tunnel resources.

Appears in:

ConfigSpec

Field	Description	Default	Validation
`limit` integer	Limit is the maximum number of tunnels to create. If a lower limit is set than the number of reources that exist, the limit will be disallow creation of new resources but will not delete existing resources. The reason behind this is that it is not possible for KubeLB to know which resources are safe to remove.
`connectionManagerURL` string	ConnectionManagerURL is the URL of the connection manager service that handles tunnel connections. This is required if tunneling is enabled. For example: “https://con.example.com”
`disable` boolean	Disable indicates whether tunneling feature should be disabled.

TunnelSpec

TunnelSpec defines the desired state of Tunnel

Appears in:

Tunnel

Field	Description	Default	Validation
`hostname` string	Hostname is the hostname of the tunnel. If not specified, the hostname will be generated by KubeLB.

TunnelState

Appears in:

TenantStateStatus

Field	Description	Default	Validation
`disable` boolean
`limit` integer
`connectionManagerURL` string

TunnelStatus

TunnelStatus defines the observed state of Tunnel

Appears in:

Tunnel

Field	Description	Default	Validation
`hostname` string	Hostname contains the actual hostname assigned to the tunnel
`url` string	URL contains the full URL to access the tunnel
`connectionManagerURL` string	ConnectionManagerURL contains the URL that clients should use to establish tunnel connections
`phase` TunnelPhase	Phase represents the current phase of the tunnel
`resources` TunnelResources	Resources contains references to the resources created for this tunnel
`conditions` Condition array	Conditions represents the current conditions of the tunnel

UpstreamService

UpstreamService is a wrapper over the corev1.Service object. This is required as kubebuilder:validation:EmbeddedResource marker adds the x-kubernetes-embedded-resource to the array instead of the elements within it. Which results in a broken CRD; validation error. Without this marker, the embedded resource is not properly serialized to the CRD.

Appears in:

KubernetesSource

Field	Description	Default	Validation
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` ServiceSpec	Spec defines the behavior of a service. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
`status` ServiceStatus	Most recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

Version

Appears in:

TenantStateStatus

Field	Description	Default	Validation
`gitVersion` string
`gitCommit` string
`buildDate` string
`edition` string

WAFFailureMode

Underlying type: string

WAFFailureMode defines how routes behave when WAF filter creation fails.

Validation:

Enum: [Open Closed]

Appears in:

WAFPolicySpec

Field	Description
`Open`	WAFFailureModeOpen allows traffic through without WAF protection if filter fails.
`Closed`	WAFFailureModeClosed blocks traffic if WAF filter cannot be applied.

WAFPolicy

WAFPolicy defines Web Application Firewall policy for L7 routes. Applies to HTTPRoute, GRPCRoute, and Ingress resources.

Appears in:

WAFPolicyList

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`WAFPolicy`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` WAFPolicySpec
`status` WAFPolicyStatus

WAFPolicyList

WAFPolicyList contains a list of WAFPolicy.

Field	Description	Default	Validation
`apiVersion` string	`kubelb.k8c.io/v1alpha1`
`kind` string	`WAFPolicyList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` WAFPolicy array

WAFPolicySpec

WAFPolicySpec defines the desired state of WAFPolicy. Exactly one targeting method must be used: targetRef, targetSelector, or global. Setting multiple targeting methods is invalid. Policies without any targeting are ignored. Feature stage: Alpha

Appears in:

WAFPolicy

Field	Description	Default	Validation
`global` boolean	Global when set to true applies this policy to all routes for all tenants within a KubeLB installation. Mutually exclusive with TargetRef and TargetSelector. Policies without global, targetRef, or targetSelector are ignored.
`targetRef` WAFTargetRef	TargetRef identifies a specific route by name and optionally namespace. Mutually exclusive with Global and TargetSelector.
`targetSelector` LabelSelector	TargetSelector selects routes or HTTPRoute/GRPCRoute resources by label. It checks whether the route has the labels or the labels of the HTTPRoute/GRPCRoute resource. In case of a conflict, the labels of the Route resource takes precedence. Mutually exclusive with Global and TargetRef.
`directives` string array	Directives contains SecLang/ModSecurity directives passed to Coraza. Reference: https://coraza.io/docs/seclang/directives/ If empty, the following OWASP CRS defaults are applied: - SecRuleEngine On - SecRequestBodyAccess On - SecRequestBodyLimit 13107200 - Include @crs-setup-conf - Include @owasp_crs/*.conf
`failureMode` WAFFailureMode	FailureMode defines behavior when WAF filter creation fails. - Closed: Block traffic if WAF cannot be applied (default) - Open: Allow traffic without WAF protection	Closed	Enum: [Open Closed]

WAFPolicyStatus

WAFPolicyStatus defines the observed state of WAFPolicy.

Appears in:

WAFPolicy

Field	Description	Default	Validation
`conditions` Condition array	Conditions describe the current state of the WAFPolicy.

WAFSettings

WAFSettings defines settings for the WAF (Web Application Firewall).

Appears in:

ConfigSpec

Field	Description	Default	Validation
`wasmInitContainerImage` string	WASMInitContainerImage overrides the image used for the WASM init container. If empty, defaults to the kubelb-manager image detected at runtime.
`skipValidation` boolean	SkipValidation skips directive validation for WAFPolicies. When true, all WAFPolicies are marked as valid without parsing.

WAFTargetRef

WAFTargetRef identifies a route by name.

Appears in:

WAFPolicySpec

Field	Description	Default	Validation
`group` string	Group is the API group of the target resource.	gateway.networking.k8s.io
`namespace` string	Namespace is the management cluster namespace (e.g., tenant-primary). If omitted, matches across all namespaces.
`name` string	Name is the name of the target resource which could either be the name of the resource in management cluster that is generated by KubeLB or the `kubelb.k8c.io/origin-name` that is the original name of the resource in the tenant cluster.		MinLength: 1