Documentation
About
Policies
BackendConfigPolicy

BackendConfigPolicy

Use a BackendConfigPolicy resource to configure connection settings for a backend.

⚠️
This feature is available in kgateway version 2.1.x or later. This feature is experimental in the upstream Kubernetes Gateway API and subject to change.

Policy attachment

You can apply BackendConfigPolicies to individual backend services, any backend that matches a specific label, or a global service in your ambient mesh.

Individual backend

You can use the spec.targetRefs section in the BackendConfigPolicy resource to apply policies to a specific backend, such as a Kubernetes Service or a Backend resource.

The following example BackendConfigPolicy resource specifies connection settings for the httpbin service.

kind: BackendConfigPolicy
apiVersion: gateway.kgateway.dev/v1alpha1
metadata:
  name: httpbin-policy
  namespace: httpbin
spec:
  targetRefs:
    - name: httpbin
      group: ""
      kind: Service
  connectTimeout: 5s
  perConnectionBufferLimitBytes: 1024

Backends with specific label

Instead of applying the policy to a specific backend, you can also use a label selector to apply the policy to all backends that match the label.

The following example shows a BackendConfigPolicy resource that applies connection settings to all Kubernetes services that have the app: httpbin and service: httpbin labels.

kind: BackendConfigPolicy
apiVersion: gateway.kgateway.dev/v1alpha1
metadata:
  name: httpbin-policy
  namespace: httpbin
spec:
  targetSelectors:
    - group: networking.istio.io
      kind: Service
      matchLabels:
        app: httpbin
        service: httpbin
  connectTimeout: 5s
  commonHttpProtocolOptions:
    maxHeadersCount: 15
    maxRequestsPerConnection: 100
    headersWithUnderscoresAction: DropHeader

Global service

If you use kgateway with an Istio ambient mesh and you exposed services across multiple clusters by using the solo.io/service-scope=global label, Istio automatically creates ServiceEntry resources in each of your clusters that use the same global hostname. You can then use the global hostname to send and load balance requests across multiple clusters.

To apply connection settings to all service instances that are exposed by this global hostname, you can apply a BackendConfigPolicy to an Istio hostname as shown in the following example.

kind: BackendConfigPolicy
apiVersion: gateway.kgateway.dev/v1alpha1
metadata:
  name: httpbin-policy-alias
  namespace: gwtest
spec:
  targetSelectors:
    - group: networking.istio.io
      kind: Hostname
      matchLabels:
        app: httpbin
        service: httpbin
  connectTimeout: 5s
  commonHttpProtocolOptions:
    maxHeadersCount: 15
    maxRequestsPerConnection: 100
    headersWithUnderscoresAction: DropHeader
TrafficPolicy