VirtualHostOption
Use a VirtualHostOption resource to attach policies to the hosts on one, multiple, or all gateway listeners.
Policy attachment
Learn more about how you can attach policies to gateway listeners.
Option 1: Attach policies to the hosts on all gateway listeners (targetRefs)
You can use the spec.targetRefs section in the VirtualHostOption resource to attach policies to the hosts on all gateway listeners.
The following VirtualHostOption resource defines a CSRF policy that is attached to the http Gateway resource. Because no gateway listener is defined, the policy is attached to all the hosts on all the listeners that are set up on the gateway.
apiVersion: gateway.solo.io/v1
kind: VirtualHostOption
metadata:
  name: csrf
  namespace: gloo-system
spec:
  options:
    csrf:
      filterEnabled:
        defaultValue:
          numerator: 100
          denominator: HUNDRED
      additionalOrigins:
      - exact: allowThisOne.solo.io
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: http
    namespace: gloo-system
Option 2: Attach the policy to a specific listener (targetRefs.sectionName)
Instead of applying a policy to all the hosts on all the listeners that are defined on the gateway, you can target a particular listener by using the spec.targetRefs.sectionName field in the VirtualHostOption resource.
The following Gateway resource defines two listeners, an HTTP (http) and HTTPS (https) listener. Each listener defines a set of hostnames.
kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: http
spec:
  gatewayClassName: gloo-gateway
  listeners:
  - name: http
    protocol: HTTP
    port: 8080
    allowedRoutes:
      namespaces:
        from: All
    hostname:
    - www.example.com
    - www.example.org
    - www.example.net
  - name: https
    port: 443
    protocol: HTTPS
    hostname: https.example.com
    tls:
      mode: Terminate
      certificateRefs:
      - name: https
        kind: Secret
    allowedRoutes:
      namespaces:
        from: All
To attach the policy to only the hosts on the https listener, you specify the listener name in the spec.targetRefs.sectionName field of the VirtualHostOption resource as shown in the following example.
apiVersion: gateway.solo.io/v1
kind: VirtualHostOption
metadata:
  name: csrf
  namespace: gloo-system
spec:
  options:
    csrf:
      filterEnabled:
        defaultValue:
          numerator: 100
          denominator: HUNDRED
      additionalOrigins:
      - exact: allowThisOne.solo.io
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: http
    namespace: gloo-system
    sectionName: https
You can attach a VirtualHostOption resource to only an entire gateway listener. Because of that, the policy is automatically applied to all the hosts that this listener serves. You currently cannot address a particular hostname if multiple hostnames are defined on a listener.
Conflicting policies
If you create multiple VirtualHostOption resources and attach them to the same gateway listener by using the targetRefs option, only the VirtualHostOption that was first created is applied.
You cannot attach multiple VirtualHostOption resources to the same listener, even if they define different top-level policies. To add multiple policies, define them in the same VirtualHostOption resource.
In the following image, you want to attach two VirtualHostOption resources to the HTTP listener. One adds a CORS policy and the other adds a CSRF policy. Because only one VirtualHostOption can be attached to a listener via targetRefs at any given time, only the policy that is created first is enforced (policy 1).
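Because a VirtualHostOption that loses this conflict is not enforced, a CSRF or CORS policy can exist in the cluster without protecting anything. The following audit script is an added example, not part of the original page or the Gloo Gateway project. It assumes that "first created" corresponds to metadata.creationTimestamp, it only compares resources that name the same Gateway and the same sectionName, and the helper and function names are hypothetical.

```python
import json
import sys
from collections import defaultdict

def vho(name, created, policy, section):
    """Constructed VirtualHostOption, shaped like `kubectl get virtualhostoptions -A -o json` items."""
    return {
        "metadata": {"name": name, "namespace": "gloo-system", "creationTimestamp": created},
        "spec": {
            "options": {policy: {}},
            "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "Gateway",
                            "name": "http", "namespace": "gloo-system", "sectionName": section}],
        },
    }

# Constructed sample data, not taken from a real cluster.
SAMPLE = {"items": [
    vho("csrf", "2024-05-01T10:05:00Z", "csrf", "https"),
    vho("cors", "2024-05-01T10:00:00Z", "cors", "https"),
    vho("csrf-plain", "2024-05-01T10:10:00Z", "csrf", "http"),
]}

def shadowed_policies(vho_list):
    """Map each contested (namespace, gateway, listener) to (winner, [(loser, policies)])."""
    by_target = defaultdict(list)
    for item in vho_list.get("items", []):
        meta, spec = item["metadata"], item.get("spec", {})
        ident = f'{meta["namespace"]}/{meta["name"]}'
        policies = sorted(spec.get("options", {}))  # top-level policy names, e.g. csrf
        for ref in spec.get("targetRefs", []):
            if ref.get("kind") != "Gateway":
                continue
            # "*" marks a targetRef without sectionName (attached to all listeners).
            target = (ref.get("namespace", meta["namespace"]), ref["name"],
                      ref.get("sectionName", "*"))
            by_target[target].append((meta["creationTimestamp"], ident, policies))
    report = {}
    for target, attached in by_target.items():
        if len(attached) > 1:
            attached.sort()  # RFC 3339 UTC timestamps sort correctly as strings
            report[target] = (attached[0][1], [(i, p) for _, i, p in attached[1:]])
    return report

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output, or run without arguments for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for (ns, gw, listener), (winner, losers) in shadowed_policies(data).items():
        for ident, policies in losers:
            print(f"{ns}/{gw} listener={listener}: {ident} {policies} not applied; {winner} wins")
```

For each resource it reports, move the listed policies into the VirtualHostOption that wins, as described above.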