--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.19.0 operatorframework.io/installed-alongside-4bd893de2d7a381: kuadrant-system/rhcl-operator.v1.3.1 creationTimestamp: "2026-03-18T16:54:24Z" generation: 1 labels: app: kuadrant gateway.networking.k8s.io/policy: inherited olm.managed: "true" operators.coreos.com/rhcl-operator.kuadrant-system: "" managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:controller-gen.kubebuilder.io/version: {} f:operatorframework.io/installed-alongside-4bd893de2d7a381: {} f:labels: .: {} f:app: {} f:gateway.networking.k8s.io/policy: {} f:olm.managed: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2026-03-18T16:54:24Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-03-18T16:54:25Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/rhcl-operator.kuadrant-system: {} manager: olm operation: Update time: "2026-03-18T16:55:03Z" name: tokenratelimitpolicies.kuadrant.io resourceVersion: "16865" uid: 391c2128-8fed-4e00-8cc1-bf9c2ddc7b56 spec: conversion: strategy: None group: kuadrant.io names: kind: TokenRateLimitPolicy listKind: TokenRateLimitPolicyList plural: tokenratelimitpolicies singular: tokenratelimitpolicy scope: Namespaced versions: - additionalPrinterColumns: - description: TokenRateLimitPolicy Accepted jsonPath: .status.conditions[?(@.type=="Accepted")].status name: Accepted priority: 2 type: string - description: TokenRateLimitPolicy Enforced jsonPath: .status.conditions[?(@.type=="Enforced")].status name: Enforced priority: 2 type: string - description: Kind of the object to which the policy applies jsonPath: .spec.targetRef.kind name: TargetKind priority: 2 type: string - description: Name of the object to which the policy applies jsonPath: .spec.targetRef.name name: TargetName priority: 2 type: string - description: 'Name of the section within the object to which the policy applies ' jsonPath: .spec.targetRef.sectionName name: TargetSection priority: 2 type: string - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: TokenRateLimitPolicy enables token-based rate limiting for service workloads in a Gateway API network properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: defaults: description: |- Rules to apply as defaults. Can be overridden by more specific policy rules lower in the hierarchy and by less specific policy overrides. Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). properties: limits: additionalProperties: description: TokenLimit represents a complete token-based rate limit configuration properties: counters: description: Counters defines additional rate limit counters based on CEL expressions which can reference well known selectors items: properties: expression: description: |- Expression defines one CEL expression Expression can use well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) Example: "request.path" -> The path portion of the URL minLength: 1 type: string required: - expression type: object type: array rates: description: Rates holds the list of limit rates for token-based limiting items: description: Rate defines the actual rate limit that will be used when there is a match properties: limit: description: Limit defines the max value allowed for a given period of time type: integer window: description: Window defines the time period for which the Limit specified above applies. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - limit - window type: object type: array when: description: |- When holds a list of "limit-level" `Predicate`s for token-based conditions Called also "soft" conditions as route selectors must also match items: description: Predicate defines one CEL expression that must be evaluated to bool properties: predicate: minLength: 1 type: string required: - predicate type: object type: array type: object description: Limits holds the struct of token-based limits indexed by a unique name type: object strategy: default: atomic description: Strategy defines the merge strategy to apply when merging this policy with other policies. enum: - atomic - merge type: string when: description: |- Overall conditions for the policy to be enforced. If omitted, the policy will be enforced at all requests to the protected routes. If present, all conditions must match for the policy to be enforced. items: description: Predicate defines one CEL expression that must be evaluated to bool properties: predicate: minLength: 1 type: string required: - predicate type: object type: array type: object limits: additionalProperties: description: TokenLimit represents a complete token-based rate limit configuration properties: counters: description: Counters defines additional rate limit counters based on CEL expressions which can reference well known selectors items: properties: expression: description: |- Expression defines one CEL expression Expression can use well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) Example: "request.path" -> The path portion of the URL minLength: 1 type: string required: - expression type: object type: array rates: description: Rates holds the list of limit rates for token-based limiting items: description: Rate defines the actual rate limit that will be used when there is a match properties: limit: description: Limit defines the max value allowed for a given period of time type: integer window: description: Window defines the time period for which the Limit specified above applies. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - limit - window type: object type: array when: description: |- When holds a list of "limit-level" `Predicate`s for token-based conditions Called also "soft" conditions as route selectors must also match items: description: Predicate defines one CEL expression that must be evaluated to bool properties: predicate: minLength: 1 type: string required: - predicate type: object type: array type: object description: Limits holds the struct of token-based limits indexed by a unique name type: object overrides: description: |- Rules to apply as overrides. Override all policy rules lower in the hierarchy. Can be overridden by less specific policy overrides. Use one of: defaults, overrides, or bare set of policy rules (implicit defaults). properties: limits: additionalProperties: description: TokenLimit represents a complete token-based rate limit configuration properties: counters: description: Counters defines additional rate limit counters based on CEL expressions which can reference well known selectors items: properties: expression: description: |- Expression defines one CEL expression Expression can use well known attributes Attributes: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes Well-known selectors: https://github.com/Kuadrant/architecture/blob/main/rfcs/0001-rlp-v2.md#well-known-selectors They are named by a dot-separated path (e.g. request.path) Example: "request.path" -> The path portion of the URL minLength: 1 type: string required: - expression type: object type: array rates: description: Rates holds the list of limit rates for token-based limiting items: description: Rate defines the actual rate limit that will be used when there is a match properties: limit: description: Limit defines the max value allowed for a given period of time type: integer window: description: Window defines the time period for which the Limit specified above applies. pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ type: string required: - limit - window type: object type: array when: description: |- When holds a list of "limit-level" `Predicate`s for token-based conditions Called also "soft" conditions as route selectors must also match items: description: Predicate defines one CEL expression that must be evaluated to bool properties: predicate: minLength: 1 type: string required: - predicate type: object type: array type: object description: Limits holds the struct of token-based limits indexed by a unique name type: object strategy: default: atomic description: Strategy defines the merge strategy to apply when merging this policy with other policies. enum: - atomic - merge type: string when: description: |- Overall conditions for the policy to be enforced. If omitted, the policy will be enforced at all requests to the protected routes. If present, all conditions must match for the policy to be enforced. items: description: Predicate defines one CEL expression that must be evaluated to bool properties: predicate: minLength: 1 type: string required: - predicate type: object type: array type: object targetRef: description: Reference to the object to which this policy applies. properties: group: description: Group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: Kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: Name is the name of the target resource. maxLength: 253 minLength: 1 type: string sectionName: description: |- SectionName is the name of a section within the target resource. When unspecified, this targetRef targets the entire resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name * HTTPRoute: HTTPRouteRule name * Service: Port name If a SectionName is specified, but does not exist on the targeted object, the Policy must fail to attach, and the policy implementation should record a `ResolvedRefs` or similar Condition in the Policy's status. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - group - kind - name type: object x-kubernetes-validations: - message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io' rule: self.group == 'gateway.networking.k8s.io' - message: Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway' rule: self.kind == 'HTTPRoute' || self.kind == 'Gateway' when: description: |- Overall conditions for the policy to be enforced. If omitted, the policy will be enforced at all requests to the protected routes. If present, all conditions must match for the policy to be enforced. items: description: Predicate defines one CEL expression that must be evaluated to bool properties: predicate: minLength: 1 type: string required: - predicate type: object type: array required: - targetRef type: object x-kubernetes-validations: - message: Implicit and explicit defaults are mutually exclusive rule: '!(has(self.defaults) && has(self.limits))' - message: Overrides and explicit defaults are mutually exclusive rule: '!(has(self.defaults) && has(self.overrides))' - message: Overrides and implicit defaults are mutually exclusive rule: '!(has(self.overrides) && has(self.limits))' - message: At least one spec.limits must be defined rule: '!(has(self.overrides) || has(self.defaults)) ? has(self.limits) && size(self.limits) > 0 : true' - message: At least one spec.overrides.limits must be defined rule: 'has(self.overrides) ? has(self.overrides.limits) && size(self.overrides.limits) > 0 : true' - message: At least one spec.defaults.limits must be defined rule: 'has(self.defaults) ? has(self.defaults.limits) && size(self.defaults.limits) > 0 : true' status: properties: conditions: description: |- Represents the observations of a foo's current state. Known .status.conditions.type are: "Available" items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map observedGeneration: description: ObservedGeneration reflects the generation of the most recently observed spec. format: int64 type: integer type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: TokenRateLimitPolicy listKind: TokenRateLimitPolicyList plural: tokenratelimitpolicies singular: tokenratelimitpolicy conditions: - lastTransitionTime: "2026-03-18T16:54:24Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-03-18T16:54:25Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1alpha1