API Rule

The apirule.gateway.kyma-project.io CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format the API Gateway Controller listens for. To get the up-to-date CRD and show the output in the yaml format, run this command:

Click to copy
kubectl get crd apirules.gateway.kyma-project.io -o yaml

Sample custom resource

This is a sample custom resource (CR) that the API Gateway Controller listens for to expose a service. This example has the rules section specified which makes the API Gateway Controller create an Oathkeeper Access Rule for the service.

  • v1beta1
  • v1alpha1

This table lists all the possible parameters of a given resource together with their descriptions:

FieldMandatoryDescription
metadata.nameYESSpecifies the name of the exposed API.
spec.gatewayYESSpecifies the Istio Gateway.
spec.hostYESSpecifies the service's communication address for inbound external traffic. If only the leftmost label is provided, the default domain name will be used.
spec.service.nameNOSpecifies the name of the exposed service.
spec.service.namespaceNOSpecifies the Namespace of the exposed service.
spec.service.portNOSpecifies the communication port of the exposed service.
spec.rulesYESSpecifies the array of Oathkeeper access rules.
spec.rules.serviceNOServices definitions at this level have higher precedence than the service definition at the spec.service level.
spec.rules.service.nameNOSpecifies the name of the exposed service.
spec.rules.service.namespaceNOSpecifies the Namespace of the exposed service.
spec.rules.service.portNOSpecifies the communication port of the exposed service.
spec.rules.pathYESSpecifies the path of the exposed service.
spec.rules.methodsNOSpecifies the list of HTTP request methods available for spec.rules.path.
spec.rules.mutatorsNOSpecifies the array of Oathkeeper mutators.
spec.rules.accessStrategiesYESSpecifies the array of Oathkeeper authenticators. The supported authenticators are oauth2_introspection, jwt, noop, allow.

CAUTION: If service is not defined at spec.service level, all defined rules must have service defined at spec.rules.service level, otherwise the validation fails.

Additional information

When you fetch an existing APIRule CR, the system adds the status section which describes the status of the VirtualService and the Oathkeeper Access Rule created for this CR. This table lists the fields of the status section.

FieldDescription
status.apiRuleStatusStatus code describing the APIRule CR.
status.virtualServiceStatus.codeStatus code describing the VirtualService.
status.virtualService.descCurrent state of the VirtualService.
status.accessRuleStatus.codeStatus code describing the Oathkeeper Rule.
status.accessRuleStatus.descCurrent state of the Oathkeeper Rule.

Status codes

These are the status codes used to describe the VirtualServices and Oathkeeper Access Rules:

CodeDescription
OKResource created.
SKIPPEDSkipped creating a resource.
ERRORResource not created.