--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 operatorframework.io/installed-alongside-4bd893de2d7a381: kuadrant-system/rhcl-operator.v1.3.1 creationTimestamp: "2026-03-18T16:54:24Z" generation: 1 labels: app: kuadrant gateway.networking.k8s.io/policy: direct olm.managed: "true" operators.coreos.com/rhcl-operator.kuadrant-system: "" managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:controller-gen.kubebuilder.io/version: {} f:operatorframework.io/installed-alongside-4bd893de2d7a381: {} f:labels: .: {} f:app: {} f:gateway.networking.k8s.io/policy: {} f:olm.managed: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2026-03-18T16:54:24Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-03-18T16:54:25Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/rhcl-operator.kuadrant-system: {} manager: olm operation: Update time: "2026-03-18T16:55:01Z" name: dnspolicies.kuadrant.io resourceVersion: "16833" uid: 5b27768d-72cc-47fe-8fd6-c0cd892357dc spec: conversion: strategy: None group: kuadrant.io names: kind: DNSPolicy listKind: DNSPolicyList plural: dnspolicies singular: dnspolicy scope: Namespaced versions: - additionalPrinterColumns: - description: DNSPolicy Accepted jsonPath: .status.conditions[?(@.type=="Accepted")].status name: Accepted priority: 2 type: string - description: DNSPolicy Enforced jsonPath: .status.conditions[?(@.type=="Enforced")].status name: Enforced priority: 2 type: string - description: DNSPolicy SubResourcesHealthy jsonPath: .status.conditions[?(@.type=="SubResourcesHealthy")].status name: SubResourcesHealthy priority: 2 type: string - description: Type of the referenced Gateway API resource jsonPath: .spec.targetRef.kind name: TargetRefKind priority: 2 type: string - description: Name of the referenced Gateway API resource jsonPath: .spec.targetRef.name name: TargetRefName priority: 2 type: string - description: 'Name of the Listener section within the Gateway to which the policy applies ' jsonPath: .spec.targetRef.sectionName name: TargetSection priority: 2 type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: description: DNSPolicy is the Schema for the dnspolicies API properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: DNSPolicySpec defines the desired state of DNSPolicy properties: delegate: type: boolean x-kubernetes-validations: - message: delegate is immutable rule: self == oldSelf excludeAddresses: description: ExcludeAddresses is a list of addresses (either hostnames, CIDR or IPAddresses) that DNSPolicy should not use as values in the configured DNS provider records. The default is to allow all addresses configured in the Gateway DNSPolicy is targeting items: type: string maxItems: 20 type: array healthCheck: description: |- HealthCheckSpec configures health checks in the DNS provider. By default this health check will be applied to each unique DNS A Record for the listeners assigned to the target gateway properties: additionalHeadersRef: description: |- AdditionalHeadersRef refers to a secret that contains extra headers to send in the probe request, this is primarily useful if an authentication token is required by the endpoint. properties: name: type: string required: - name type: object failureThreshold: default: 5 description: |- FailureThreshold is the number of consecutive failures that must be exceeded for a host to be considered unhealthy. When the number of consecutive failures exceeds this threshold, the health check will be marked as unhealthy. Defaults to 5 type: integer x-kubernetes-validations: - message: Failure threshold must be greater than 0 rule: self > 0 interval: default: 5m description: |- Interval defines how frequently this probe should execute Defaults to 5 minutes type: string path: description: |- Path is the path to append to the host to reach the expected health check. Must start with "?" or "/", contain only valid URL characters and end with alphanumeric char or "/". For example "/" or "/healthz" are common pattern: ^(?:\?|\/)[\w\-.~:\/?#\[\]@!$&'()*+,;=]+(?:[a-zA-Z0-9]|\/){1}$ type: string port: default: 443 description: |- Port to connect to the host on. Must be either 80, 443 or 1024-49151 Defaults to port 443 type: integer x-kubernetes-validations: - message: Only ports 80, 443, 1024-49151 are allowed rule: self in [80, 443] || (self >= 1024 && self <= 49151) protocol: default: HTTPS description: |- Protocol to use when connecting to the host, valid values are "HTTP" or "HTTPS" Defaults to HTTPS type: string x-kubernetes-validations: - message: Only HTTP or HTTPS protocols are allowed rule: self in ['HTTP','HTTPS'] type: object loadBalancing: properties: defaultGeo: description: defaultGeo specifies if this is the default geo for providers that support setting a default catch all geo endpoint such as Route53. type: boolean geo: description: |- geo value to apply to geo endpoints. The values accepted are determined by the target dns provider, please refer to the appropriate docs below. Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-geo.html Google: https://cloud.google.com/compute/docs/regions-zones Azure: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-geographic-regions minLength: 2 type: string weight: default: 120 description: |- weight value to apply to weighted endpoints. The maximum value accepted is determined by the target dns provider, please refer to the appropriate docs below. Route53: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy-weighted.html Google: https://cloud.google.com/dns/docs/overview/ Azure: https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-routing-methods#weighted-traffic-routing-method type: integer required: - defaultGeo - geo - weight type: object providerRefs: description: providerRefs is a list of references to provider secrets. Max is one but intention is to allow this to be more in the future items: properties: name: type: string required: - name type: object maxItems: 1 type: array targetRef: description: targetRef identifies an API object to apply policy to. properties: group: description: Group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: Kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: Name is the name of the target resource. maxLength: 253 minLength: 1 type: string sectionName: description: |- SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - group - kind - name type: object x-kubernetes-validations: - message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io' rule: self.group == 'gateway.networking.k8s.io' - message: Invalid targetRef.kind. The only supported values are 'Gateway' rule: self.kind == 'Gateway' required: - targetRef type: object x-kubernetes-validations: - message: delegate can't be set to true if unset rule: has(oldSelf.delegate) || !has(self.delegate) || self.delegate == false - message: delegate can't be unset if true rule: '!has(oldSelf.delegate) || oldSelf.delegate == false || has(self.delegate)' - message: delegate=true and providerRefs are mutually exclusive rule: '!(has(self.providerRefs) && has(self.delegate) && self.delegate == true)' status: description: DNSPolicyStatus defines the observed state of DNSPolicy properties: conditions: description: |- conditions are any conditions associated with the policy If configuring the policy fails, the "Failed" condition will be set with a reason and message describing the cause of the failure. items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array healthCheck: properties: conditions: items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array probes: items: properties: conditions: items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array host: type: string id: type: string ipAddress: type: string synced: type: boolean required: - host - id - ipAddress type: object type: array type: object observedGeneration: description: |- observedGeneration is the most recently observed generation of the DNSPolicy. When the DNSPolicy is updated, the controller updates the corresponding configuration. If an update fails, that failure is recorded in the status condition format: int64 type: integer recordConditions: additionalProperties: items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array type: object totalRecords: description: TotalRecords records the total number of individual DNSRecords managed by this DNSPolicy format: int32 type: integer type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: DNSPolicy listKind: DNSPolicyList plural: dnspolicies singular: dnspolicy conditions: - lastTransitionTime: "2026-03-18T16:54:24Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-03-18T16:54:25Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1