Configuration reference
The agentgateway schema is available as a JSON schema. Review this page for more information about the schema and how to use it.
Config file validation
Many integrated development environments (IDEs) and editors support schema validation for your standalone agentgateway configuration file.
Default schema validation off main
The examples throughout the docs use the following schema that redirects to the agentgateway config on main.
# yaml-language-server: $schema=https://agentgateway.dev/schema/configVersion-specific schema validation
Replace $VERSION in the following schema with the version of agentgateway that you are using, such as 0.12.0.
# yaml-language-server: $schema=https://raw.githubusercontent.com/agentgateway/agentgateway/refs/tags/$VERSION/schema/config.jsonFor example:
# yaml-language-server: $schema=https://raw.githubusercontent.com/agentgateway/agentgateway/refs/tags/v0.12.0/schema/config.jsonSchema
The following table shows the complete agentgateway configuration file schema, with columns for the field and description.
| Field | Description |
|---|---|
config | |
config.enableIpv6 | |
config.localXdsPath | Local XDS path. If not specified, the current configuration file will be used. |
config.caAddress | |
config.caAuthToken | |
config.xdsAddress | |
config.xdsAuthToken | |
config.namespace | |
config.gateway | |
config.trustDomain | |
config.serviceAccount | |
config.clusterId | |
config.network | |
config.adminAddr | Admin UI address in the format “ip:port” |
config.statsAddr | Stats/metrics server address in the format “ip:port” |
config.readinessAddr | Readiness probe server address in the format “ip:port” |
config.session | Configuration for stateful session management |
config.session.key | The signing key to be used. If not set, sessions will not be encrypted. For example, generated via openssl rand -hex 32. |
config.connectionTerminationDeadline | |
config.connectionMinTerminationDeadline | |
config.workerThreads | |
config.tracing | |
config.tracing.otlpEndpoint | |
config.tracing.headers | |
config.tracing.otlpProtocol | |
config.tracing.fields | |
config.tracing.fields.remove | |
config.tracing.fields.add | |
config.tracing.randomSampling | Expression to determine the amount of random sampling. Random sampling will initiate a new trace span if the incoming request does not have a trace already. This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false. This defaults to ‘false’. |
config.tracing.clientSampling | Expression to determine the amount of client sampling. Client sampling determines whether to initiate a new trace span if the incoming request does have a trace already. This should evaluate to either a float between 0.0-1.0 (0-100%) or true/false. This defaults to ’true'. |
config.tracing.path | OTLP path. Default is /v1/traces |
config.logging | |
config.logging.filter | |
config.logging.fields | |
config.logging.fields.remove | |
config.logging.fields.add | |
config.logging.level | |
config.logging.format | |
config.metrics | |
config.metrics.remove | |
config.metrics.fields | |
config.metrics.fields.add | |
config.backend | |
config.backend.keepalives | |
config.backend.keepalives.enabled | |
config.backend.keepalives.time | |
config.backend.keepalives.interval | |
config.backend.keepalives.retries | |
config.backend.connectTimeout | |
config.backend.poolIdleTimeout | The maximum duration to keep an idle connection alive. |
config.backend.poolMaxSize | The maximum number of connections allowed in the pool, per hostname. If set, this will limit the total number of connections kept alive to any given host. Note: excess connections will still be created, they will just not remain idle. If unset, there is no limit |
config.hbone | |
config.hbone.windowSize | |
config.hbone.connectionWindowSize | |
config.hbone.frameSize | |
config.hbone.poolMaxStreamsPerConn | |
config.hbone.poolUnusedReleaseTimeout | |
binds | |
binds[].port | |
binds[].listeners | |
binds[].listeners[].name | |
binds[].listeners[].namespace | |
binds[].listeners[].hostname | Can be a wildcard |
binds[].listeners[].protocol | |
binds[].listeners[].tls | |
binds[].listeners[].tls.cert | |
binds[].listeners[].tls.key | |
binds[].listeners[].tls.root | |
binds[].listeners[].tls.cipherSuites | Optional cipher suite allowlist (order is preserved). |
binds[].listeners[].tls.minTLSVersion | Minimum supported TLS version (only TLS 1.2 and 1.3 are supported). |
binds[].listeners[].tls.maxTLSVersion | Maximum supported TLS version (only TLS 1.2 and 1.3 are supported). |
binds[].listeners[].routes | |
binds[].listeners[].routes[].name | |
binds[].listeners[].routes[].namespace | |
binds[].listeners[].routes[].ruleName | |
binds[].listeners[].routes[].hostnames | Can be a wildcard |
binds[].listeners[].routes[].matches | |
binds[].listeners[].routes[].matches[].headers | |
binds[].listeners[].routes[].matches[].headers[].name | |
binds[].listeners[].routes[].matches[].headers[].value | |
binds[].listeners[].routes[].matches[].headers[].value.(1)exact | |
binds[].listeners[].routes[].matches[].headers[].value.(1)regex | |
binds[].listeners[].routes[].matches[].path | |
binds[].listeners[].routes[].matches[].path.(1)exact | |
binds[].listeners[].routes[].matches[].path.(1)pathPrefix | |
binds[].listeners[].routes[].matches[].path.(1)regex | |
binds[].listeners[].routes[].matches[].method | |
binds[].listeners[].routes[].matches[].query | |
binds[].listeners[].routes[].matches[].query[].name | |
binds[].listeners[].routes[].matches[].query[].value | |
binds[].listeners[].routes[].matches[].query[].value.(1)exact | |
binds[].listeners[].routes[].matches[].query[].value.(1)regex | |
binds[].listeners[].routes[].policies | |
binds[].listeners[].routes[].policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.urlRewrite | Modify the URL path or authority. |
binds[].listeners[].routes[].policies.urlRewrite.authority | |
binds[].listeners[].routes[].policies.urlRewrite.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.urlRewrite.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.urlRewrite.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.urlRewrite.path | |
binds[].listeners[].routes[].policies.urlRewrite.path.(any)(1)full | |
binds[].listeners[].routes[].policies.urlRewrite.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.requestMirror | Mirror incoming requests to another destination. |
binds[].listeners[].routes[].policies.requestMirror.backend | |
binds[].listeners[].routes[].policies.requestMirror.backend.(1)service | |
binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.name | |
binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.name.namespace | |
binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.name.hostname | |
binds[].listeners[].routes[].policies.requestMirror.backend.(1)service.port | |
binds[].listeners[].routes[].policies.requestMirror.backend.(1)host | Hostname or IP address |
binds[].listeners[].routes[].policies.requestMirror.backend.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].policies.requestMirror.percentage | |
binds[].listeners[].routes[].policies.directResponse | Directly respond to the request with a static response. |
binds[].listeners[].routes[].policies.directResponse.body | |
binds[].listeners[].routes[].policies.directResponse.status | |
binds[].listeners[].routes[].policies.cors | Handle CORS preflight requests and append configured CORS headers to applicable requests. |
binds[].listeners[].routes[].policies.cors.allowCredentials | |
binds[].listeners[].routes[].policies.cors.allowHeaders | |
binds[].listeners[].routes[].policies.cors.allowMethods | |
binds[].listeners[].routes[].policies.cors.allowOrigins | |
binds[].listeners[].routes[].policies.cors.exposeHeaders | |
binds[].listeners[].routes[].policies.cors.maxAge | |
binds[].listeners[].routes[].policies.mcpAuthorization | Authorization policies for MCP access. |
binds[].listeners[].routes[].policies.mcpAuthorization.rules | |
binds[].listeners[].routes[].policies.authorization | Authorization policies for HTTP access. |
binds[].listeners[].routes[].policies.authorization.rules | |
binds[].listeners[].routes[].policies.mcpAuthentication | Authentication for MCP clients. |
binds[].listeners[].routes[].policies.mcpAuthentication.issuer | |
binds[].listeners[].routes[].policies.mcpAuthentication.audiences | |
binds[].listeners[].routes[].policies.mcpAuthentication.provider | |
binds[].listeners[].routes[].policies.mcpAuthentication.provider.(any)(1)auth0 | |
binds[].listeners[].routes[].policies.mcpAuthentication.provider.(any)(1)keycloak | |
binds[].listeners[].routes[].policies.mcpAuthentication.resourceMetadata | |
binds[].listeners[].routes[].policies.mcpAuthentication.jwks | |
binds[].listeners[].routes[].policies.mcpAuthentication.jwks.(any)file | |
binds[].listeners[].routes[].policies.mcpAuthentication.jwks.(any)url | |
binds[].listeners[].routes[].policies.mcpAuthentication.mode | |
binds[].listeners[].routes[].policies.mcpAuthentication.jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
binds[].listeners[].routes[].policies.mcpAuthentication.jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
binds[].listeners[].routes[].policies.a2a | Mark this traffic as A2A to enable A2A processing and telemetry. |
binds[].listeners[].routes[].policies.ai | Mark this as LLM traffic to enable LLM processing. |
binds[].listeners[].routes[].policies.ai.promptGuard | |
binds[].listeners[].routes[].policies.ai.promptGuard.request | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.action | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.rules | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.status | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.request[].rejection.headers.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.action | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.rules | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.body | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.status | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers.add | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers.set | |
binds[].listeners[].routes[].policies.ai.promptGuard.response[].rejection.headers.remove | |
binds[].listeners[].routes[].policies.ai.defaults | |
binds[].listeners[].routes[].policies.ai.overrides | |
binds[].listeners[].routes[].policies.ai.transformations | |
binds[].listeners[].routes[].policies.ai.prompts | |
binds[].listeners[].routes[].policies.ai.prompts.append | |
binds[].listeners[].routes[].policies.ai.prompts.append[].role | |
binds[].listeners[].routes[].policies.ai.prompts.append[].content | |
binds[].listeners[].routes[].policies.ai.prompts.prepend | |
binds[].listeners[].routes[].policies.ai.prompts.prepend[].role | |
binds[].listeners[].routes[].policies.ai.prompts.prepend[].content | |
binds[].listeners[].routes[].policies.ai.modelAliases | |
binds[].listeners[].routes[].policies.ai.promptCaching | |
binds[].listeners[].routes[].policies.ai.promptCaching.cacheSystem | |
binds[].listeners[].routes[].policies.ai.promptCaching.cacheMessages | |
binds[].listeners[].routes[].policies.ai.promptCaching.cacheTools | |
binds[].listeners[].routes[].policies.ai.promptCaching.minTokens | |
binds[].listeners[].routes[].policies.ai.routes | |
binds[].listeners[].routes[].policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.backendTLS.key | |
binds[].listeners[].routes[].policies.backendTLS.root | |
binds[].listeners[].routes[].policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.localRateLimit | Rate limit incoming requests. State is kept local. |
binds[].listeners[].routes[].policies.localRateLimit[].maxTokens | |
binds[].listeners[].routes[].policies.localRateLimit[].tokensPerFill | |
binds[].listeners[].routes[].policies.localRateLimit[].fillInterval | |
binds[].listeners[].routes[].policies.localRateLimit[].type | |
binds[].listeners[].routes[].policies.remoteRateLimit | Rate limit incoming requests. State is managed by a remote server. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.name | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.name.namespace | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.name.hostname | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)service.port | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)host | Hostname or IP address |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)domain | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies | Policies to connect to the backend |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.add | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.set | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.body | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.add | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.set | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.body | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.key | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.root | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.http.version | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].entries | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].entries[].key | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].entries[].value | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)descriptors[].type | |
binds[].listeners[].routes[].policies.remoteRateLimit.(any)failureMode | Behavior when the remote rate limit service is unavailable or returns an error. Defaults to failClosed, denying requests with a 500 status on service failure. |
binds[].listeners[].routes[].policies.jwtAuth | Authenticate incoming JWT requests. |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)mode | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].issuer | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].audiences | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwks | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwks.(any)file | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwks.(any)url | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)mode | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)issuer | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)audiences | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwks | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwks.(any)file | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwks.(any)url | |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
binds[].listeners[].routes[].policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
binds[].listeners[].routes[].policies.basicAuth | Authenticate incoming requests using Basic Authentication with htpasswd. |
binds[].listeners[].routes[].policies.basicAuth.htpasswd | .htpasswd file contents/reference |
binds[].listeners[].routes[].policies.basicAuth.htpasswd.(any)file | |
binds[].listeners[].routes[].policies.basicAuth.realm | Realm name for the WWW-Authenticate header |
binds[].listeners[].routes[].policies.basicAuth.mode | Validation mode for basic authentication |
binds[].listeners[].routes[].policies.apiKey | Authenticate incoming requests using API Keys |
binds[].listeners[].routes[].policies.apiKey.keys | List of API keys |
binds[].listeners[].routes[].policies.apiKey.keys[].key | |
binds[].listeners[].routes[].policies.apiKey.keys[].metadata | |
binds[].listeners[].routes[].policies.apiKey.mode | Validation mode for API keys |
binds[].listeners[].routes[].policies.extAuthz | Authenticate incoming requests by calling an external authorization server. |
binds[].listeners[].routes[].policies.extAuthz.(any)(1)service | |
binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.name | |
binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.name.namespace | |
binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.name.hostname | |
binds[].listeners[].routes[].policies.extAuthz.(any)(1)service.port | |
binds[].listeners[].routes[].policies.extAuthz.(any)(1)host | Hostname or IP address |
binds[].listeners[].routes[].policies.extAuthz.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].policies.extAuthz.(any)policies | Policies to connect to the backend |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.add | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.set | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.body | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.add | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.set | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.body | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.key | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.root | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.http.version | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.extAuthz.(any)policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol | The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended. |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)grpc | |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)grpc.context | Additional context to send to the authorization service. This maps to the context_extensions field of the request, and only allows static values. |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)grpc.metadata | Additional metadata to send to the authorization service. This maps to the metadata_context.filter_metadata field of the request, and allows dynamic CEL expressions.If unset, by default the envoy.filters.http.jwt_authn key is set if the JWT policy is used as well, for compatibility. |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http | |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.path | |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.redirect | When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error. |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders | Specific headers from the authorization response will be copied into the request to the backend. |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.addRequestHeaders | Specific headers to add in the authorization request (empty = all headers), based on the expression |
binds[].listeners[].routes[].policies.extAuthz.(any)protocol.(1)http.metadata | Metadata to include under the extauthz variable, based on the authorization response. |
binds[].listeners[].routes[].policies.extAuthz.(any)failureMode | Behavior when the authorization service is unavailable or returns an error |
binds[].listeners[].routes[].policies.extAuthz.(any)failureMode.(1)denyWithStatus | |
binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestHeaders | Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’. |
binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody | Options for including the request body in the authorization request |
binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody.maxRequestBytes | Maximum size of request body to buffer (default: 8192) |
binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody.allowPartialMessage | If true, send partial body when max_request_bytes is reached |
binds[].listeners[].routes[].policies.extAuthz.(any)includeRequestBody.packAsBytes | If true, pack body as raw bytes in gRPC |
binds[].listeners[].routes[].policies.extProc | Extend agentgateway with an external processor |
binds[].listeners[].routes[].policies.extProc.(any)(1)service | |
binds[].listeners[].routes[].policies.extProc.(any)(1)service.name | |
binds[].listeners[].routes[].policies.extProc.(any)(1)service.name.namespace | |
binds[].listeners[].routes[].policies.extProc.(any)(1)service.name.hostname | |
binds[].listeners[].routes[].policies.extProc.(any)(1)service.port | |
binds[].listeners[].routes[].policies.extProc.(any)(1)host | Hostname or IP address |
binds[].listeners[].routes[].policies.extProc.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].policies.extProc.(any)policies | Policies to connect to the backend |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].policies.extProc.(any)policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.scheme | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.path | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].policies.extProc.(any)policies.requestRedirect.status | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.add | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.set | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.body | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.add | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.set | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.body | |
binds[].listeners[].routes[].policies.extProc.(any)policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.cert | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.key | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.root | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.hostname | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.insecure | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.alpn | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].policies.extProc.(any)policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].policies.extProc.(any)policies.http.version | |
binds[].listeners[].routes[].policies.extProc.(any)policies.http.requestTimeout | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.time | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.connectTimeout | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].policies.extProc.(any)policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].policies.extProc.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].policies.extProc.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].policies.extProc.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].policies.extProc.(any)policies.health.eviction.duration | |
binds[].listeners[].routes[].policies.extProc.(any)policies.health.healthThreshold | |
binds[].listeners[].routes[].policies.extProc.(any)policies.health.healthOnUnevict | |
binds[].listeners[].routes[].policies.extProc.(any)failureMode | Behavior when the ext_proc service is unavailable or returns an error |
binds[].listeners[].routes[].policies.extProc.(any)metadataContext | Additional metadata to send to the external processing service. Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions. |
binds[].listeners[].routes[].policies.extProc.(any)requestAttributes | Maps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
binds[].listeners[].routes[].policies.extProc.(any)responseAttributes | Maps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
binds[].listeners[].routes[].policies.transformations | Modify requests and responses |
binds[].listeners[].routes[].policies.transformations.request | |
binds[].listeners[].routes[].policies.transformations.request.add | |
binds[].listeners[].routes[].policies.transformations.request.set | |
binds[].listeners[].routes[].policies.transformations.request.remove | |
binds[].listeners[].routes[].policies.transformations.request.body | |
binds[].listeners[].routes[].policies.transformations.request.metadata | |
binds[].listeners[].routes[].policies.transformations.response | |
binds[].listeners[].routes[].policies.transformations.response.add | |
binds[].listeners[].routes[].policies.transformations.response.set | |
binds[].listeners[].routes[].policies.transformations.response.remove | |
binds[].listeners[].routes[].policies.transformations.response.body | |
binds[].listeners[].routes[].policies.transformations.response.metadata | |
binds[].listeners[].routes[].policies.csrf | Handle CSRF protection by validating request origins against configured allowed origins. |
binds[].listeners[].routes[].policies.csrf.additionalOrigins | |
binds[].listeners[].routes[].policies.timeout | Timeout requests that exceed the configured duration. |
binds[].listeners[].routes[].policies.timeout.requestTimeout | |
binds[].listeners[].routes[].policies.timeout.backendRequestTimeout | |
binds[].listeners[].routes[].policies.retry | Retry matching requests. |
binds[].listeners[].routes[].policies.retry.attempts | |
binds[].listeners[].routes[].policies.retry.backoff | |
binds[].listeners[].routes[].policies.retry.codes | |
binds[].listeners[].routes[].backends | |
binds[].listeners[].routes[].backends[].(1)service | |
binds[].listeners[].routes[].backends[].(1)service.name | |
binds[].listeners[].routes[].backends[].(1)service.name.namespace | |
binds[].listeners[].routes[].backends[].(1)service.name.hostname | |
binds[].listeners[].routes[].backends[].(1)service.port | |
binds[].listeners[].routes[].backends[].(1)host | |
binds[].listeners[].routes[].backends[].(1)dynamic | |
binds[].listeners[].routes[].backends[].(1)mcp | |
binds[].listeners[].routes[].backends[].(1)mcp.targets | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse.host | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse.port | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)sse.path | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp.host | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp.port | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)mcp.path | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio.cmd | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio.args | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)stdio.env | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.host | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.port | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.path | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.schema | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.schema.(any)file | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].(1)openapi.schema.(any)url | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].name | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.http.version | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.mcpAuthorization | Authorization policies for MCP access. |
binds[].listeners[].routes[].backends[].(1)mcp.targets[].policies.mcpAuthorization.rules | |
binds[].listeners[].routes[].backends[].(1)mcp.statefulMode | |
binds[].listeners[].routes[].backends[].(1)mcp.prefixMode | |
binds[].listeners[].routes[].backends[].(1)ai | |
binds[].listeners[].routes[].backends[].(1)ai.(any)name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)openAI | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)openAI.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)gemini | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)gemini.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex.region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)vertex.projectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)anthropic | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)anthropic.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.guardrailIdentifier | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)bedrock.guardrailVersion | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI.host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)provider.(1)azureOpenAI.apiVersion | |
binds[].listeners[].routes[].backends[].(1)ai.(any)hostOverride | |
binds[].listeners[].routes[].backends[].(1)ai.(any)pathOverride | |
binds[].listeners[].routes[].backends[].(1)ai.(any)tokenize | Whether to tokenize on the request flow. This enables us to do more accurate rate limits, since we know (part of) the cost of the request upfront. This comes with the cost of an expensive operation. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.mcpAuthorization | Authorization policies for MCP access. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.mcpAuthorization.rules | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.a2a | Mark this traffic as A2A to enable A2A processing and telemetry. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai | Mark this as LLM traffic to enable LLM processing. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.action | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.rules | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.request[].rejection.headers.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.action | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.rules | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptGuard.response[].rejection.headers.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.defaults | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.overrides | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.transformations | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.append | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.append[].role | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.append[].content | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.prepend | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.prepend[].role | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.prompts.prepend[].content | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.modelAliases | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.cacheSystem | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.cacheMessages | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.cacheTools | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.promptCaching.minTokens | |
binds[].listeners[].routes[].backends[].(1)ai.(any)policies.ai.routes | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)openAI | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)openAI.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)gemini | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)gemini.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex.region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)vertex.projectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)anthropic | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)anthropic.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.guardrailIdentifier | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)bedrock.guardrailVersion | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI.model | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI.host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].provider.(1)azureOpenAI.apiVersion | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].hostOverride | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].pathOverride | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].tokenize | Whether to tokenize on the request flow. This enables us to do more accurate rate limits, since we know (part of) the cost of the request upfront. This comes with the cost of an expensive operation. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.mcpAuthorization | Authorization policies for MCP access. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.mcpAuthorization.rules | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.a2a | Mark this traffic as A2A to enable A2A processing and telemetry. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai | Mark this as LLM traffic to enable LLM processing. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.action | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.rules | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.request[].rejection.headers.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.action | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.rules | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.body | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.status | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers.add | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers.set | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptGuard.response[].rejection.headers.remove | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.defaults | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.overrides | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.transformations | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.append | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.append[].role | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.append[].content | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.prepend | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.prepend[].role | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.prompts.prepend[].content | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.modelAliases | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.cacheSystem | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.cacheMessages | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.cacheTools | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.promptCaching.minTokens | |
binds[].listeners[].routes[].backends[].(1)ai.(any)groups[].providers[].policies.ai.routes | |
binds[].listeners[].routes[].backends[].(1)aws | |
binds[].listeners[].routes[].backends[].(1)aws.(1)agentCore | |
binds[].listeners[].routes[].backends[].(1)aws.(1)agentCore.agentRuntimeArn | |
binds[].listeners[].routes[].backends[].(1)aws.(1)agentCore.qualifier | |
binds[].listeners[].routes[].backends[].weight | |
binds[].listeners[].routes[].backends[].policies | |
binds[].listeners[].routes[].backends[].policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].policies.transformations.request | |
binds[].listeners[].routes[].backends[].policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].policies.transformations.response | |
binds[].listeners[].routes[].backends[].policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].policies.http.version | |
binds[].listeners[].routes[].backends[].policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].policies.mcpAuthorization | Authorization policies for MCP access. |
binds[].listeners[].routes[].backends[].policies.mcpAuthorization.rules | |
binds[].listeners[].routes[].backends[].policies.a2a | Mark this traffic as A2A to enable A2A processing and telemetry. |
binds[].listeners[].routes[].backends[].policies.ai | Mark this as LLM traffic to enable LLM processing. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.action | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.rules | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.status | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.request[].rejection.headers.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.action | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.rules | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host | Hostname or IP address |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId | The GCP project ID |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction.duration | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthThreshold | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.body | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.status | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers.add | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers.set | |
binds[].listeners[].routes[].backends[].policies.ai.promptGuard.response[].rejection.headers.remove | |
binds[].listeners[].routes[].backends[].policies.ai.defaults | |
binds[].listeners[].routes[].backends[].policies.ai.overrides | |
binds[].listeners[].routes[].backends[].policies.ai.transformations | |
binds[].listeners[].routes[].backends[].policies.ai.prompts | |
binds[].listeners[].routes[].backends[].policies.ai.prompts.append | |
binds[].listeners[].routes[].backends[].policies.ai.prompts.append[].role | |
binds[].listeners[].routes[].backends[].policies.ai.prompts.append[].content | |
binds[].listeners[].routes[].backends[].policies.ai.prompts.prepend | |
binds[].listeners[].routes[].backends[].policies.ai.prompts.prepend[].role | |
binds[].listeners[].routes[].backends[].policies.ai.prompts.prepend[].content | |
binds[].listeners[].routes[].backends[].policies.ai.modelAliases | |
binds[].listeners[].routes[].backends[].policies.ai.promptCaching | |
binds[].listeners[].routes[].backends[].policies.ai.promptCaching.cacheSystem | |
binds[].listeners[].routes[].backends[].policies.ai.promptCaching.cacheMessages | |
binds[].listeners[].routes[].backends[].policies.ai.promptCaching.cacheTools | |
binds[].listeners[].routes[].backends[].policies.ai.promptCaching.minTokens | |
binds[].listeners[].routes[].backends[].policies.ai.routes | |
binds[].listeners[].tcpRoutes | |
binds[].listeners[].tcpRoutes[].name | |
binds[].listeners[].tcpRoutes[].namespace | |
binds[].listeners[].tcpRoutes[].ruleName | |
binds[].listeners[].tcpRoutes[].hostnames | Can be a wildcard |
binds[].listeners[].tcpRoutes[].policies | |
binds[].listeners[].tcpRoutes[].policies.backendTLS | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.cert | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.key | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.root | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.hostname | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.insecure | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.insecureHost | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.alpn | |
binds[].listeners[].tcpRoutes[].policies.backendTLS.subjectAltNames | |
binds[].listeners[].tcpRoutes[].backends | |
binds[].listeners[].tcpRoutes[].backends[].(1)service | |
binds[].listeners[].tcpRoutes[].backends[].(1)service.name | |
binds[].listeners[].tcpRoutes[].backends[].(1)service.name.namespace | |
binds[].listeners[].tcpRoutes[].backends[].(1)service.name.hostname | |
binds[].listeners[].tcpRoutes[].backends[].(1)service.port | |
binds[].listeners[].tcpRoutes[].backends[].(1)host | Hostname or IP address |
binds[].listeners[].tcpRoutes[].backends[].(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].tcpRoutes[].backends[].weight | |
binds[].listeners[].tcpRoutes[].backends[].policies | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.cert | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.key | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.root | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.hostname | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.insecure | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.insecureHost | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.alpn | |
binds[].listeners[].tcpRoutes[].backends[].policies.backendTLS.subjectAltNames | |
binds[].listeners[].policies | |
binds[].listeners[].policies.jwtAuth | Authenticate incoming JWT requests. |
binds[].listeners[].policies.jwtAuth.(any)(any)mode | |
binds[].listeners[].policies.jwtAuth.(any)(any)providers | |
binds[].listeners[].policies.jwtAuth.(any)(any)providers[].issuer | |
binds[].listeners[].policies.jwtAuth.(any)(any)providers[].audiences | |
binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwks | |
binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwks.(any)file | |
binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwks.(any)url | |
binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
binds[].listeners[].policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
binds[].listeners[].policies.jwtAuth.(any)(any)mode | |
binds[].listeners[].policies.jwtAuth.(any)(any)issuer | |
binds[].listeners[].policies.jwtAuth.(any)(any)audiences | |
binds[].listeners[].policies.jwtAuth.(any)(any)jwks | |
binds[].listeners[].policies.jwtAuth.(any)(any)jwks.(any)file | |
binds[].listeners[].policies.jwtAuth.(any)(any)jwks.(any)url | |
binds[].listeners[].policies.jwtAuth.(any)(any)jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
binds[].listeners[].policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
binds[].listeners[].policies.extAuthz | Authenticate incoming requests by calling an external authorization server. |
binds[].listeners[].policies.extAuthz.(any)(1)service | |
binds[].listeners[].policies.extAuthz.(any)(1)service.name | |
binds[].listeners[].policies.extAuthz.(any)(1)service.name.namespace | |
binds[].listeners[].policies.extAuthz.(any)(1)service.name.hostname | |
binds[].listeners[].policies.extAuthz.(any)(1)service.port | |
binds[].listeners[].policies.extAuthz.(any)(1)host | Hostname or IP address |
binds[].listeners[].policies.extAuthz.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].policies.extAuthz.(any)policies | Policies to connect to the backend |
binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier.add | |
binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier.set | |
binds[].listeners[].policies.extAuthz.(any)policies.requestHeaderModifier.remove | |
binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier.add | |
binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier.set | |
binds[].listeners[].policies.extAuthz.(any)policies.responseHeaderModifier.remove | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.scheme | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.path | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].policies.extAuthz.(any)policies.requestRedirect.status | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.request | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.add | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.set | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.remove | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.body | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.request.metadata | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.response | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.add | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.set | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.remove | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.body | |
binds[].listeners[].policies.extAuthz.(any)policies.transformations.response.metadata | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.cert | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.key | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.root | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.hostname | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.insecure | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.insecureHost | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.alpn | |
binds[].listeners[].policies.extAuthz.(any)policies.backendTLS.subjectAltNames | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].policies.extAuthz.(any)policies.http | Specify HTTP settings for the backend |
binds[].listeners[].policies.extAuthz.(any)policies.http.version | |
binds[].listeners[].policies.extAuthz.(any)policies.http.requestTimeout | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.enabled | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.time | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.interval | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.keepalives.retries | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.connectTimeout | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.connectTimeout.secs | |
binds[].listeners[].policies.extAuthz.(any)policies.tcp.connectTimeout.nanos | |
binds[].listeners[].policies.extAuthz.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].policies.extAuthz.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].policies.extAuthz.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].policies.extAuthz.(any)policies.health.eviction.duration | |
binds[].listeners[].policies.extAuthz.(any)policies.health.healthThreshold | |
binds[].listeners[].policies.extAuthz.(any)policies.health.healthOnUnevict | |
binds[].listeners[].policies.extAuthz.(any)protocol | The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended. |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)grpc | |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)grpc.context | Additional context to send to the authorization service. This maps to the context_extensions field of the request, and only allows static values. |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)grpc.metadata | Additional metadata to send to the authorization service. This maps to the metadata_context.filter_metadata field of the request, and allows dynamic CEL expressions.If unset, by default the envoy.filters.http.jwt_authn key is set if the JWT policy is used as well, for compatibility. |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)http | |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.path | |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.redirect | When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error. |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders | Specific headers from the authorization response will be copied into the request to the backend. |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.addRequestHeaders | Specific headers to add in the authorization request (empty = all headers), based on the expression |
binds[].listeners[].policies.extAuthz.(any)protocol.(1)http.metadata | Metadata to include under the extauthz variable, based on the authorization response. |
binds[].listeners[].policies.extAuthz.(any)failureMode | Behavior when the authorization service is unavailable or returns an error |
binds[].listeners[].policies.extAuthz.(any)failureMode.(1)denyWithStatus | |
binds[].listeners[].policies.extAuthz.(any)includeRequestHeaders | Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’. |
binds[].listeners[].policies.extAuthz.(any)includeRequestBody | Options for including the request body in the authorization request |
binds[].listeners[].policies.extAuthz.(any)includeRequestBody.maxRequestBytes | Maximum size of request body to buffer (default: 8192) |
binds[].listeners[].policies.extAuthz.(any)includeRequestBody.allowPartialMessage | If true, send partial body when max_request_bytes is reached |
binds[].listeners[].policies.extAuthz.(any)includeRequestBody.packAsBytes | If true, pack body as raw bytes in gRPC |
binds[].listeners[].policies.extProc | Extend agentgateway with an external processor |
binds[].listeners[].policies.extProc.(any)(1)service | |
binds[].listeners[].policies.extProc.(any)(1)service.name | |
binds[].listeners[].policies.extProc.(any)(1)service.name.namespace | |
binds[].listeners[].policies.extProc.(any)(1)service.name.hostname | |
binds[].listeners[].policies.extProc.(any)(1)service.port | |
binds[].listeners[].policies.extProc.(any)(1)host | Hostname or IP address |
binds[].listeners[].policies.extProc.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
binds[].listeners[].policies.extProc.(any)policies | Policies to connect to the backend |
binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier.add | |
binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier.set | |
binds[].listeners[].policies.extProc.(any)policies.requestHeaderModifier.remove | |
binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier.add | |
binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier.set | |
binds[].listeners[].policies.extProc.(any)policies.responseHeaderModifier.remove | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.scheme | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.path | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)full | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix | |
binds[].listeners[].policies.extProc.(any)policies.requestRedirect.status | |
binds[].listeners[].policies.extProc.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
binds[].listeners[].policies.extProc.(any)policies.transformations.request | |
binds[].listeners[].policies.extProc.(any)policies.transformations.request.add | |
binds[].listeners[].policies.extProc.(any)policies.transformations.request.set | |
binds[].listeners[].policies.extProc.(any)policies.transformations.request.remove | |
binds[].listeners[].policies.extProc.(any)policies.transformations.request.body | |
binds[].listeners[].policies.extProc.(any)policies.transformations.request.metadata | |
binds[].listeners[].policies.extProc.(any)policies.transformations.response | |
binds[].listeners[].policies.extProc.(any)policies.transformations.response.add | |
binds[].listeners[].policies.extProc.(any)policies.transformations.response.set | |
binds[].listeners[].policies.extProc.(any)policies.transformations.response.remove | |
binds[].listeners[].policies.extProc.(any)policies.transformations.response.body | |
binds[].listeners[].policies.extProc.(any)policies.transformations.response.metadata | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS | Send TLS to the backend. |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.cert | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.key | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.root | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.hostname | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.insecure | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.insecureHost | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.alpn | |
binds[].listeners[].policies.extProc.(any)policies.backendTLS.subjectAltNames | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth | Authenticate to the backend. |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)passthrough | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)key | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
binds[].listeners[].policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
binds[].listeners[].policies.extProc.(any)policies.http | Specify HTTP settings for the backend |
binds[].listeners[].policies.extProc.(any)policies.http.version | |
binds[].listeners[].policies.extProc.(any)policies.http.requestTimeout | |
binds[].listeners[].policies.extProc.(any)policies.tcp | Specify TCP settings for the backend |
binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives | |
binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.enabled | |
binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.time | |
binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.interval | |
binds[].listeners[].policies.extProc.(any)policies.tcp.keepalives.retries | |
binds[].listeners[].policies.extProc.(any)policies.tcp.connectTimeout | |
binds[].listeners[].policies.extProc.(any)policies.tcp.connectTimeout.secs | |
binds[].listeners[].policies.extProc.(any)policies.tcp.connectTimeout.nanos | |
binds[].listeners[].policies.extProc.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
binds[].listeners[].policies.extProc.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
binds[].listeners[].policies.extProc.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
binds[].listeners[].policies.extProc.(any)policies.health.eviction.duration | |
binds[].listeners[].policies.extProc.(any)policies.health.healthThreshold | |
binds[].listeners[].policies.extProc.(any)policies.health.healthOnUnevict | |
binds[].listeners[].policies.extProc.(any)failureMode | Behavior when the ext_proc service is unavailable or returns an error |
binds[].listeners[].policies.extProc.(any)metadataContext | Additional metadata to send to the external processing service. Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions. |
binds[].listeners[].policies.extProc.(any)requestAttributes | Maps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
binds[].listeners[].policies.extProc.(any)responseAttributes | Maps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
binds[].listeners[].policies.transformations | Modify requests and responses |
binds[].listeners[].policies.transformations.request | |
binds[].listeners[].policies.transformations.request.add | |
binds[].listeners[].policies.transformations.request.set | |
binds[].listeners[].policies.transformations.request.remove | |
binds[].listeners[].policies.transformations.request.body | |
binds[].listeners[].policies.transformations.request.metadata | |
binds[].listeners[].policies.transformations.response | |
binds[].listeners[].policies.transformations.response.add | |
binds[].listeners[].policies.transformations.response.set | |
binds[].listeners[].policies.transformations.response.remove | |
binds[].listeners[].policies.transformations.response.body | |
binds[].listeners[].policies.transformations.response.metadata | |
binds[].listeners[].policies.basicAuth | Authenticate incoming requests using Basic Authentication with htpasswd. |
binds[].listeners[].policies.basicAuth.htpasswd | .htpasswd file contents/reference |
binds[].listeners[].policies.basicAuth.htpasswd.(any)file | |
binds[].listeners[].policies.basicAuth.realm | Realm name for the WWW-Authenticate header |
binds[].listeners[].policies.basicAuth.mode | Validation mode for basic authentication |
binds[].listeners[].policies.apiKey | Authenticate incoming requests using API Keys |
binds[].listeners[].policies.apiKey.keys | List of API keys |
binds[].listeners[].policies.apiKey.keys[].key | |
binds[].listeners[].policies.apiKey.keys[].metadata | |
binds[].listeners[].policies.apiKey.mode | Validation mode for API keys |
binds[].tunnelProtocol | |
frontendPolicies | |
frontendPolicies.http | Settings for handling incoming HTTP requests. |
frontendPolicies.http.maxBufferSize | |
frontendPolicies.http.http1MaxHeaders | The maximum number of headers allowed in a request. Changing this value results in a performance degradation, even if set to a lower value than the default (100) |
frontendPolicies.http.http1IdleTimeout | |
frontendPolicies.http.http2WindowSize | |
frontendPolicies.http.http2ConnectionWindowSize | |
frontendPolicies.http.http2FrameSize | |
frontendPolicies.http.http2KeepaliveInterval | |
frontendPolicies.http.http2KeepaliveTimeout | |
frontendPolicies.tls | Settings for handling incoming TLS connections. |
frontendPolicies.tls.handshakeTimeout | |
frontendPolicies.tls.alpn | |
frontendPolicies.tls.minVersion | |
frontendPolicies.tls.maxVersion | |
frontendPolicies.tls.cipherSuites | |
frontendPolicies.tcp | Settings for handling incoming TCP connections. |
frontendPolicies.tcp.keepalives | |
frontendPolicies.tcp.keepalives.enabled | |
frontendPolicies.tcp.keepalives.time | |
frontendPolicies.tcp.keepalives.interval | |
frontendPolicies.tcp.keepalives.retries | |
frontendPolicies.accessLog | Settings for request access logs. |
frontendPolicies.accessLog.filter | |
frontendPolicies.accessLog.add | |
frontendPolicies.accessLog.remove | |
frontendPolicies.accessLog.otlp | |
frontendPolicies.accessLog.otlp.(any)(1)service | |
frontendPolicies.accessLog.otlp.(any)(1)service.name | |
frontendPolicies.accessLog.otlp.(any)(1)service.name.namespace | |
frontendPolicies.accessLog.otlp.(any)(1)service.name.hostname | |
frontendPolicies.accessLog.otlp.(any)(1)service.port | |
frontendPolicies.accessLog.otlp.(any)(1)host | Hostname or IP address |
frontendPolicies.accessLog.otlp.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
frontendPolicies.accessLog.otlp.(any)policies | |
frontendPolicies.accessLog.otlp.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
frontendPolicies.accessLog.otlp.(any)policies.requestHeaderModifier.add | |
frontendPolicies.accessLog.otlp.(any)policies.requestHeaderModifier.set | |
frontendPolicies.accessLog.otlp.(any)policies.requestHeaderModifier.remove | |
frontendPolicies.accessLog.otlp.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
frontendPolicies.accessLog.otlp.(any)policies.responseHeaderModifier.add | |
frontendPolicies.accessLog.otlp.(any)policies.responseHeaderModifier.set | |
frontendPolicies.accessLog.otlp.(any)policies.responseHeaderModifier.remove | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.scheme | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.authority | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.authority.(any)(1)full | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.authority.(any)(1)host | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.authority.(any)(1)port | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.path | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.path.(any)(1)full | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.path.(any)(1)prefix | |
frontendPolicies.accessLog.otlp.(any)policies.requestRedirect.status | |
frontendPolicies.accessLog.otlp.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
frontendPolicies.accessLog.otlp.(any)policies.transformations.request | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.request.add | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.request.set | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.request.remove | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.request.body | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.request.metadata | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.response | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.response.add | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.response.set | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.response.remove | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.response.body | |
frontendPolicies.accessLog.otlp.(any)policies.transformations.response.metadata | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS | Send TLS to the backend. |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.cert | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.key | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.root | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.hostname | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.insecure | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.insecureHost | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.alpn | |
frontendPolicies.accessLog.otlp.(any)policies.backendTLS.subjectAltNames | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth | Authenticate to the backend. |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)passthrough | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)key | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)key.(any)file | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)gcp | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)aws | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)aws.(any)region | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
frontendPolicies.accessLog.otlp.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
frontendPolicies.accessLog.otlp.(any)policies.http | Specify HTTP settings for the backend |
frontendPolicies.accessLog.otlp.(any)policies.http.version | |
frontendPolicies.accessLog.otlp.(any)policies.http.requestTimeout | |
frontendPolicies.accessLog.otlp.(any)policies.tcp | Specify TCP settings for the backend |
frontendPolicies.accessLog.otlp.(any)policies.tcp.keepalives | |
frontendPolicies.accessLog.otlp.(any)policies.tcp.keepalives.enabled | |
frontendPolicies.accessLog.otlp.(any)policies.tcp.keepalives.time | |
frontendPolicies.accessLog.otlp.(any)policies.tcp.keepalives.interval | |
frontendPolicies.accessLog.otlp.(any)policies.tcp.keepalives.retries | |
frontendPolicies.accessLog.otlp.(any)policies.tcp.connectTimeout | |
frontendPolicies.accessLog.otlp.(any)policies.tcp.connectTimeout.secs | |
frontendPolicies.accessLog.otlp.(any)policies.tcp.connectTimeout.nanos | |
frontendPolicies.accessLog.otlp.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
frontendPolicies.accessLog.otlp.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
frontendPolicies.accessLog.otlp.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
frontendPolicies.accessLog.otlp.(any)policies.health.eviction.duration | |
frontendPolicies.accessLog.otlp.(any)policies.health.healthThreshold | |
frontendPolicies.accessLog.otlp.(any)policies.health.healthOnUnevict | |
frontendPolicies.accessLog.otlp.(any)protocol | |
frontendPolicies.accessLog.otlp.(any)path | |
frontendPolicies.tracing | |
frontendPolicies.tracing.(any)(1)service | |
frontendPolicies.tracing.(any)(1)service.name | |
frontendPolicies.tracing.(any)(1)service.name.namespace | |
frontendPolicies.tracing.(any)(1)service.name.hostname | |
frontendPolicies.tracing.(any)(1)service.port | |
frontendPolicies.tracing.(any)(1)host | Hostname or IP address |
frontendPolicies.tracing.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
frontendPolicies.tracing.(any)policies | Policies to connect to the backend |
frontendPolicies.tracing.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
frontendPolicies.tracing.(any)policies.requestHeaderModifier.add | |
frontendPolicies.tracing.(any)policies.requestHeaderModifier.set | |
frontendPolicies.tracing.(any)policies.requestHeaderModifier.remove | |
frontendPolicies.tracing.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
frontendPolicies.tracing.(any)policies.responseHeaderModifier.add | |
frontendPolicies.tracing.(any)policies.responseHeaderModifier.set | |
frontendPolicies.tracing.(any)policies.responseHeaderModifier.remove | |
frontendPolicies.tracing.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
frontendPolicies.tracing.(any)policies.requestRedirect.scheme | |
frontendPolicies.tracing.(any)policies.requestRedirect.authority | |
frontendPolicies.tracing.(any)policies.requestRedirect.authority.(any)(1)full | |
frontendPolicies.tracing.(any)policies.requestRedirect.authority.(any)(1)host | |
frontendPolicies.tracing.(any)policies.requestRedirect.authority.(any)(1)port | |
frontendPolicies.tracing.(any)policies.requestRedirect.path | |
frontendPolicies.tracing.(any)policies.requestRedirect.path.(any)(1)full | |
frontendPolicies.tracing.(any)policies.requestRedirect.path.(any)(1)prefix | |
frontendPolicies.tracing.(any)policies.requestRedirect.status | |
frontendPolicies.tracing.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
frontendPolicies.tracing.(any)policies.transformations.request | |
frontendPolicies.tracing.(any)policies.transformations.request.add | |
frontendPolicies.tracing.(any)policies.transformations.request.set | |
frontendPolicies.tracing.(any)policies.transformations.request.remove | |
frontendPolicies.tracing.(any)policies.transformations.request.body | |
frontendPolicies.tracing.(any)policies.transformations.request.metadata | |
frontendPolicies.tracing.(any)policies.transformations.response | |
frontendPolicies.tracing.(any)policies.transformations.response.add | |
frontendPolicies.tracing.(any)policies.transformations.response.set | |
frontendPolicies.tracing.(any)policies.transformations.response.remove | |
frontendPolicies.tracing.(any)policies.transformations.response.body | |
frontendPolicies.tracing.(any)policies.transformations.response.metadata | |
frontendPolicies.tracing.(any)policies.backendTLS | Send TLS to the backend. |
frontendPolicies.tracing.(any)policies.backendTLS.cert | |
frontendPolicies.tracing.(any)policies.backendTLS.key | |
frontendPolicies.tracing.(any)policies.backendTLS.root | |
frontendPolicies.tracing.(any)policies.backendTLS.hostname | |
frontendPolicies.tracing.(any)policies.backendTLS.insecure | |
frontendPolicies.tracing.(any)policies.backendTLS.insecureHost | |
frontendPolicies.tracing.(any)policies.backendTLS.alpn | |
frontendPolicies.tracing.(any)policies.backendTLS.subjectAltNames | |
frontendPolicies.tracing.(any)policies.backendAuth | Authenticate to the backend. |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)passthrough | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)key | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)key.(any)file | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)region | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
frontendPolicies.tracing.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
frontendPolicies.tracing.(any)policies.http | Specify HTTP settings for the backend |
frontendPolicies.tracing.(any)policies.http.version | |
frontendPolicies.tracing.(any)policies.http.requestTimeout | |
frontendPolicies.tracing.(any)policies.tcp | Specify TCP settings for the backend |
frontendPolicies.tracing.(any)policies.tcp.keepalives | |
frontendPolicies.tracing.(any)policies.tcp.keepalives.enabled | |
frontendPolicies.tracing.(any)policies.tcp.keepalives.time | |
frontendPolicies.tracing.(any)policies.tcp.keepalives.interval | |
frontendPolicies.tracing.(any)policies.tcp.keepalives.retries | |
frontendPolicies.tracing.(any)policies.tcp.connectTimeout | |
frontendPolicies.tracing.(any)policies.tcp.connectTimeout.secs | |
frontendPolicies.tracing.(any)policies.tcp.connectTimeout.nanos | |
frontendPolicies.tracing.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
frontendPolicies.tracing.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
frontendPolicies.tracing.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
frontendPolicies.tracing.(any)policies.health.eviction.duration | |
frontendPolicies.tracing.(any)policies.health.healthThreshold | |
frontendPolicies.tracing.(any)policies.health.healthOnUnevict | |
frontendPolicies.tracing.(any)attributes | Span attributes to add, keyed by attribute name. |
frontendPolicies.tracing.(any)resources | Resource attributes to add to the tracer provider (OTel Resource).This can be used to set things like service.name dynamically. |
frontendPolicies.tracing.(any)remove | Attribute keys to remove from the emitted span attributes. This is applied before attributes are evaluated/added, so it can be used to dropdefault attributes or avoid duplication. |
frontendPolicies.tracing.(any)randomSampling | Optional per-policy override for random sampling. If set, overrides global config for requests that use this frontend policy. |
frontendPolicies.tracing.(any)clientSampling | Optional per-policy override for client sampling. If set, overrides global config for requests that use this frontend policy. |
frontendPolicies.tracing.(any)path | |
frontendPolicies.tracing.(any)protocol | |
policies | policies defines additional policies that can be attached to various other configurations. This is an advanced feature; users should typically use the inline policies field under route/gateway. |
policies[].name | |
policies[].name.name | |
policies[].name.namespace | |
policies[].target | |
policies[].target.(1)gateway | |
policies[].target.(1)gateway.gatewayName | |
policies[].target.(1)gateway.gatewayNamespace | |
policies[].target.(1)gateway.listenerName | |
policies[].target.(1)route | |
policies[].target.(1)route.name | |
policies[].target.(1)route.namespace | |
policies[].target.(1)route.ruleName | |
policies[].target.(1)route.kind | |
policies[].target.(1)backend | |
policies[].target.(1)backend.(1)backend | |
policies[].target.(1)backend.(1)backend.name | |
policies[].target.(1)backend.(1)backend.namespace | |
policies[].target.(1)backend.(1)backend.section | |
policies[].target.(1)backend.(1)service | |
policies[].target.(1)backend.(1)service.hostname | |
policies[].target.(1)backend.(1)service.namespace | |
policies[].target.(1)backend.(1)service.port | |
policies[].phase | phase defines at what level the policy runs at. Gateway policies run pre-routing, while Route policies apply post-routing. Only a subset of policies are eligible as Gateway policies. In general, normal (route level) policies should be used, except you need the policy to influence routing. |
policies[].policy | |
policies[].policy.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.requestHeaderModifier.add | |
policies[].policy.requestHeaderModifier.set | |
policies[].policy.requestHeaderModifier.remove | |
policies[].policy.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.responseHeaderModifier.add | |
policies[].policy.responseHeaderModifier.set | |
policies[].policy.responseHeaderModifier.remove | |
policies[].policy.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.requestRedirect.scheme | |
policies[].policy.requestRedirect.authority | |
policies[].policy.requestRedirect.authority.(any)(1)full | |
policies[].policy.requestRedirect.authority.(any)(1)host | |
policies[].policy.requestRedirect.authority.(any)(1)port | |
policies[].policy.requestRedirect.path | |
policies[].policy.requestRedirect.path.(any)(1)full | |
policies[].policy.requestRedirect.path.(any)(1)prefix | |
policies[].policy.requestRedirect.status | |
policies[].policy.urlRewrite | Modify the URL path or authority. |
policies[].policy.urlRewrite.authority | |
policies[].policy.urlRewrite.authority.(any)(1)full | |
policies[].policy.urlRewrite.authority.(any)(1)host | |
policies[].policy.urlRewrite.authority.(any)(1)port | |
policies[].policy.urlRewrite.path | |
policies[].policy.urlRewrite.path.(any)(1)full | |
policies[].policy.urlRewrite.path.(any)(1)prefix | |
policies[].policy.requestMirror | Mirror incoming requests to another destination. |
policies[].policy.requestMirror.backend | |
policies[].policy.requestMirror.backend.(1)service | |
policies[].policy.requestMirror.backend.(1)service.name | |
policies[].policy.requestMirror.backend.(1)service.name.namespace | |
policies[].policy.requestMirror.backend.(1)service.name.hostname | |
policies[].policy.requestMirror.backend.(1)service.port | |
policies[].policy.requestMirror.backend.(1)host | Hostname or IP address |
policies[].policy.requestMirror.backend.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
policies[].policy.requestMirror.percentage | |
policies[].policy.directResponse | Directly respond to the request with a static response. |
policies[].policy.directResponse.body | |
policies[].policy.directResponse.status | |
policies[].policy.cors | Handle CORS preflight requests and append configured CORS headers to applicable requests. |
policies[].policy.cors.allowCredentials | |
policies[].policy.cors.allowHeaders | |
policies[].policy.cors.allowMethods | |
policies[].policy.cors.allowOrigins | |
policies[].policy.cors.exposeHeaders | |
policies[].policy.cors.maxAge | |
policies[].policy.mcpAuthorization | Authorization policies for MCP access. |
policies[].policy.mcpAuthorization.rules | |
policies[].policy.authorization | Authorization policies for HTTP access. |
policies[].policy.authorization.rules | |
policies[].policy.mcpAuthentication | Authentication for MCP clients. |
policies[].policy.mcpAuthentication.issuer | |
policies[].policy.mcpAuthentication.audiences | |
policies[].policy.mcpAuthentication.provider | |
policies[].policy.mcpAuthentication.provider.(any)(1)auth0 | |
policies[].policy.mcpAuthentication.provider.(any)(1)keycloak | |
policies[].policy.mcpAuthentication.resourceMetadata | |
policies[].policy.mcpAuthentication.jwks | |
policies[].policy.mcpAuthentication.jwks.(any)file | |
policies[].policy.mcpAuthentication.jwks.(any)url | |
policies[].policy.mcpAuthentication.mode | |
policies[].policy.mcpAuthentication.jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
policies[].policy.mcpAuthentication.jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
policies[].policy.a2a | Mark this traffic as A2A to enable A2A processing and telemetry. |
policies[].policy.ai | Mark this as LLM traffic to enable LLM processing. |
policies[].policy.ai.promptGuard | |
policies[].policy.ai.promptGuard.request | |
policies[].policy.ai.promptGuard.request[].(1)regex | |
policies[].policy.ai.promptGuard.request[].(1)regex.action | |
policies[].policy.ai.promptGuard.request[].(1)regex.rules | |
policies[].policy.ai.promptGuard.request[].(1)regex.rules[].(any)builtin | |
policies[].policy.ai.promptGuard.request[].(1)regex.rules[].(any)pattern | |
policies[].policy.ai.promptGuard.request[].(1)webhook | |
policies[].policy.ai.promptGuard.request[].(1)webhook.target | |
policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service | |
policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.name | |
policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace | |
policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname | |
policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)service.port | |
policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)host | Hostname or IP address |
policies[].policy.ai.promptGuard.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches | |
policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name | |
policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value | |
policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
policies[].policy.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.metadata | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.metadata | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.http.version | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction.duration | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthThreshold | |
policies[].policy.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
policies[].policy.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.projectId | The GCP project ID |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction.duration | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthThreshold | |
policies[].policy.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
policies[].policy.ai.promptGuard.request[].rejection | |
policies[].policy.ai.promptGuard.request[].rejection.body | |
policies[].policy.ai.promptGuard.request[].rejection.status | |
policies[].policy.ai.promptGuard.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
policies[].policy.ai.promptGuard.request[].rejection.headers.add | |
policies[].policy.ai.promptGuard.request[].rejection.headers.set | |
policies[].policy.ai.promptGuard.request[].rejection.headers.remove | |
policies[].policy.ai.promptGuard.response | |
policies[].policy.ai.promptGuard.response[].(1)regex | |
policies[].policy.ai.promptGuard.response[].(1)regex.action | |
policies[].policy.ai.promptGuard.response[].(1)regex.rules | |
policies[].policy.ai.promptGuard.response[].(1)regex.rules[].(any)builtin | |
policies[].policy.ai.promptGuard.response[].(1)regex.rules[].(any)pattern | |
policies[].policy.ai.promptGuard.response[].(1)webhook | |
policies[].policy.ai.promptGuard.response[].(1)webhook.target | |
policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service | |
policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.name | |
policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace | |
policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname | |
policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)service.port | |
policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)host | Hostname or IP address |
policies[].policy.ai.promptGuard.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches | |
policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name | |
policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value | |
policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
policies[].policy.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
policies[].policy.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.projectId | The GCP project ID |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction.duration | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthThreshold | |
policies[].policy.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
policies[].policy.ai.promptGuard.response[].rejection | |
policies[].policy.ai.promptGuard.response[].rejection.body | |
policies[].policy.ai.promptGuard.response[].rejection.status | |
policies[].policy.ai.promptGuard.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
policies[].policy.ai.promptGuard.response[].rejection.headers.add | |
policies[].policy.ai.promptGuard.response[].rejection.headers.set | |
policies[].policy.ai.promptGuard.response[].rejection.headers.remove | |
policies[].policy.ai.defaults | |
policies[].policy.ai.overrides | |
policies[].policy.ai.transformations | |
policies[].policy.ai.prompts | |
policies[].policy.ai.prompts.append | |
policies[].policy.ai.prompts.append[].role | |
policies[].policy.ai.prompts.append[].content | |
policies[].policy.ai.prompts.prepend | |
policies[].policy.ai.prompts.prepend[].role | |
policies[].policy.ai.prompts.prepend[].content | |
policies[].policy.ai.modelAliases | |
policies[].policy.ai.promptCaching | |
policies[].policy.ai.promptCaching.cacheSystem | |
policies[].policy.ai.promptCaching.cacheMessages | |
policies[].policy.ai.promptCaching.cacheTools | |
policies[].policy.ai.promptCaching.minTokens | |
policies[].policy.ai.routes | |
policies[].policy.backendTLS | Send TLS to the backend. |
policies[].policy.backendTLS.cert | |
policies[].policy.backendTLS.key | |
policies[].policy.backendTLS.root | |
policies[].policy.backendTLS.hostname | |
policies[].policy.backendTLS.insecure | |
policies[].policy.backendTLS.insecureHost | |
policies[].policy.backendTLS.alpn | |
policies[].policy.backendTLS.subjectAltNames | |
policies[].policy.backendAuth | Authenticate to the backend. |
policies[].policy.backendAuth.(any)(1)passthrough | |
policies[].policy.backendAuth.(any)(1)key | |
policies[].policy.backendAuth.(any)(1)key.(any)file | |
policies[].policy.backendAuth.(any)(1)gcp | |
policies[].policy.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.backendAuth.(any)(1)aws | |
policies[].policy.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.backendAuth.(any)(1)azure | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.localRateLimit | Rate limit incoming requests. State is kept local. |
policies[].policy.localRateLimit[].maxTokens | |
policies[].policy.localRateLimit[].tokensPerFill | |
policies[].policy.localRateLimit[].fillInterval | |
policies[].policy.localRateLimit[].type | |
policies[].policy.remoteRateLimit | Rate limit incoming requests. State is managed by a remote server. |
policies[].policy.remoteRateLimit.(any)(1)service | |
policies[].policy.remoteRateLimit.(any)(1)service.name | |
policies[].policy.remoteRateLimit.(any)(1)service.name.namespace | |
policies[].policy.remoteRateLimit.(any)(1)service.name.hostname | |
policies[].policy.remoteRateLimit.(any)(1)service.port | |
policies[].policy.remoteRateLimit.(any)(1)host | Hostname or IP address |
policies[].policy.remoteRateLimit.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
policies[].policy.remoteRateLimit.(any)domain | |
policies[].policy.remoteRateLimit.(any)policies | Policies to connect to the backend |
policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier.add | |
policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier.set | |
policies[].policy.remoteRateLimit.(any)policies.requestHeaderModifier.remove | |
policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier.add | |
policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier.set | |
policies[].policy.remoteRateLimit.(any)policies.responseHeaderModifier.remove | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.scheme | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.path | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)full | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.remoteRateLimit.(any)policies.requestRedirect.status | |
policies[].policy.remoteRateLimit.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.remoteRateLimit.(any)policies.transformations.request | |
policies[].policy.remoteRateLimit.(any)policies.transformations.request.add | |
policies[].policy.remoteRateLimit.(any)policies.transformations.request.set | |
policies[].policy.remoteRateLimit.(any)policies.transformations.request.remove | |
policies[].policy.remoteRateLimit.(any)policies.transformations.request.body | |
policies[].policy.remoteRateLimit.(any)policies.transformations.request.metadata | |
policies[].policy.remoteRateLimit.(any)policies.transformations.response | |
policies[].policy.remoteRateLimit.(any)policies.transformations.response.add | |
policies[].policy.remoteRateLimit.(any)policies.transformations.response.set | |
policies[].policy.remoteRateLimit.(any)policies.transformations.response.remove | |
policies[].policy.remoteRateLimit.(any)policies.transformations.response.body | |
policies[].policy.remoteRateLimit.(any)policies.transformations.response.metadata | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS | Send TLS to the backend. |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.cert | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.key | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.root | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.hostname | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.insecure | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.insecureHost | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.alpn | |
policies[].policy.remoteRateLimit.(any)policies.backendTLS.subjectAltNames | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth | Authenticate to the backend. |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)passthrough | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)key | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.remoteRateLimit.(any)policies.http | Specify HTTP settings for the backend |
policies[].policy.remoteRateLimit.(any)policies.http.version | |
policies[].policy.remoteRateLimit.(any)policies.http.requestTimeout | |
policies[].policy.remoteRateLimit.(any)policies.tcp | Specify TCP settings for the backend |
policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives | |
policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.enabled | |
policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.time | |
policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.interval | |
policies[].policy.remoteRateLimit.(any)policies.tcp.keepalives.retries | |
policies[].policy.remoteRateLimit.(any)policies.tcp.connectTimeout | |
policies[].policy.remoteRateLimit.(any)policies.tcp.connectTimeout.secs | |
policies[].policy.remoteRateLimit.(any)policies.tcp.connectTimeout.nanos | |
policies[].policy.remoteRateLimit.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.remoteRateLimit.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.remoteRateLimit.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.remoteRateLimit.(any)policies.health.eviction.duration | |
policies[].policy.remoteRateLimit.(any)policies.health.healthThreshold | |
policies[].policy.remoteRateLimit.(any)policies.health.healthOnUnevict | |
policies[].policy.remoteRateLimit.(any)descriptors | |
policies[].policy.remoteRateLimit.(any)descriptors[].entries | |
policies[].policy.remoteRateLimit.(any)descriptors[].entries[].key | |
policies[].policy.remoteRateLimit.(any)descriptors[].entries[].value | |
policies[].policy.remoteRateLimit.(any)descriptors[].type | |
policies[].policy.remoteRateLimit.(any)failureMode | Behavior when the remote rate limit service is unavailable or returns an error. Defaults to failClosed, denying requests with a 500 status on service failure. |
policies[].policy.jwtAuth | Authenticate incoming JWT requests. |
policies[].policy.jwtAuth.(any)(any)mode | |
policies[].policy.jwtAuth.(any)(any)providers | |
policies[].policy.jwtAuth.(any)(any)providers[].issuer | |
policies[].policy.jwtAuth.(any)(any)providers[].audiences | |
policies[].policy.jwtAuth.(any)(any)providers[].jwks | |
policies[].policy.jwtAuth.(any)(any)providers[].jwks.(any)file | |
policies[].policy.jwtAuth.(any)(any)providers[].jwks.(any)url | |
policies[].policy.jwtAuth.(any)(any)providers[].jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
policies[].policy.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
policies[].policy.jwtAuth.(any)(any)mode | |
policies[].policy.jwtAuth.(any)(any)issuer | |
policies[].policy.jwtAuth.(any)(any)audiences | |
policies[].policy.jwtAuth.(any)(any)jwks | |
policies[].policy.jwtAuth.(any)(any)jwks.(any)file | |
policies[].policy.jwtAuth.(any)(any)jwks.(any)url | |
policies[].policy.jwtAuth.(any)(any)jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
policies[].policy.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
policies[].policy.basicAuth | Authenticate incoming requests using Basic Authentication with htpasswd. |
policies[].policy.basicAuth.htpasswd | .htpasswd file contents/reference |
policies[].policy.basicAuth.htpasswd.(any)file | |
policies[].policy.basicAuth.realm | Realm name for the WWW-Authenticate header |
policies[].policy.basicAuth.mode | Validation mode for basic authentication |
policies[].policy.apiKey | Authenticate incoming requests using API Keys |
policies[].policy.apiKey.keys | List of API keys |
policies[].policy.apiKey.keys[].key | |
policies[].policy.apiKey.keys[].metadata | |
policies[].policy.apiKey.mode | Validation mode for API keys |
policies[].policy.extAuthz | Authenticate incoming requests by calling an external authorization server. |
policies[].policy.extAuthz.(any)(1)service | |
policies[].policy.extAuthz.(any)(1)service.name | |
policies[].policy.extAuthz.(any)(1)service.name.namespace | |
policies[].policy.extAuthz.(any)(1)service.name.hostname | |
policies[].policy.extAuthz.(any)(1)service.port | |
policies[].policy.extAuthz.(any)(1)host | Hostname or IP address |
policies[].policy.extAuthz.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
policies[].policy.extAuthz.(any)policies | Policies to connect to the backend |
policies[].policy.extAuthz.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.extAuthz.(any)policies.requestHeaderModifier.add | |
policies[].policy.extAuthz.(any)policies.requestHeaderModifier.set | |
policies[].policy.extAuthz.(any)policies.requestHeaderModifier.remove | |
policies[].policy.extAuthz.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.extAuthz.(any)policies.responseHeaderModifier.add | |
policies[].policy.extAuthz.(any)policies.responseHeaderModifier.set | |
policies[].policy.extAuthz.(any)policies.responseHeaderModifier.remove | |
policies[].policy.extAuthz.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.extAuthz.(any)policies.requestRedirect.scheme | |
policies[].policy.extAuthz.(any)policies.requestRedirect.authority | |
policies[].policy.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.extAuthz.(any)policies.requestRedirect.path | |
policies[].policy.extAuthz.(any)policies.requestRedirect.path.(any)(1)full | |
policies[].policy.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.extAuthz.(any)policies.requestRedirect.status | |
policies[].policy.extAuthz.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.extAuthz.(any)policies.transformations.request | |
policies[].policy.extAuthz.(any)policies.transformations.request.add | |
policies[].policy.extAuthz.(any)policies.transformations.request.set | |
policies[].policy.extAuthz.(any)policies.transformations.request.remove | |
policies[].policy.extAuthz.(any)policies.transformations.request.body | |
policies[].policy.extAuthz.(any)policies.transformations.request.metadata | |
policies[].policy.extAuthz.(any)policies.transformations.response | |
policies[].policy.extAuthz.(any)policies.transformations.response.add | |
policies[].policy.extAuthz.(any)policies.transformations.response.set | |
policies[].policy.extAuthz.(any)policies.transformations.response.remove | |
policies[].policy.extAuthz.(any)policies.transformations.response.body | |
policies[].policy.extAuthz.(any)policies.transformations.response.metadata | |
policies[].policy.extAuthz.(any)policies.backendTLS | Send TLS to the backend. |
policies[].policy.extAuthz.(any)policies.backendTLS.cert | |
policies[].policy.extAuthz.(any)policies.backendTLS.key | |
policies[].policy.extAuthz.(any)policies.backendTLS.root | |
policies[].policy.extAuthz.(any)policies.backendTLS.hostname | |
policies[].policy.extAuthz.(any)policies.backendTLS.insecure | |
policies[].policy.extAuthz.(any)policies.backendTLS.insecureHost | |
policies[].policy.extAuthz.(any)policies.backendTLS.alpn | |
policies[].policy.extAuthz.(any)policies.backendTLS.subjectAltNames | |
policies[].policy.extAuthz.(any)policies.backendAuth | Authenticate to the backend. |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)passthrough | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)key | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.extAuthz.(any)policies.http | Specify HTTP settings for the backend |
policies[].policy.extAuthz.(any)policies.http.version | |
policies[].policy.extAuthz.(any)policies.http.requestTimeout | |
policies[].policy.extAuthz.(any)policies.tcp | Specify TCP settings for the backend |
policies[].policy.extAuthz.(any)policies.tcp.keepalives | |
policies[].policy.extAuthz.(any)policies.tcp.keepalives.enabled | |
policies[].policy.extAuthz.(any)policies.tcp.keepalives.time | |
policies[].policy.extAuthz.(any)policies.tcp.keepalives.interval | |
policies[].policy.extAuthz.(any)policies.tcp.keepalives.retries | |
policies[].policy.extAuthz.(any)policies.tcp.connectTimeout | |
policies[].policy.extAuthz.(any)policies.tcp.connectTimeout.secs | |
policies[].policy.extAuthz.(any)policies.tcp.connectTimeout.nanos | |
policies[].policy.extAuthz.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.extAuthz.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.extAuthz.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.extAuthz.(any)policies.health.eviction.duration | |
policies[].policy.extAuthz.(any)policies.health.healthThreshold | |
policies[].policy.extAuthz.(any)policies.health.healthOnUnevict | |
policies[].policy.extAuthz.(any)protocol | The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended. |
policies[].policy.extAuthz.(any)protocol.(1)grpc | |
policies[].policy.extAuthz.(any)protocol.(1)grpc.context | Additional context to send to the authorization service. This maps to the context_extensions field of the request, and only allows static values. |
policies[].policy.extAuthz.(any)protocol.(1)grpc.metadata | Additional metadata to send to the authorization service. This maps to the metadata_context.filter_metadata field of the request, and allows dynamic CEL expressions.If unset, by default the envoy.filters.http.jwt_authn key is set if the JWT policy is used as well, for compatibility. |
policies[].policy.extAuthz.(any)protocol.(1)http | |
policies[].policy.extAuthz.(any)protocol.(1)http.path | |
policies[].policy.extAuthz.(any)protocol.(1)http.redirect | When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error. |
policies[].policy.extAuthz.(any)protocol.(1)http.includeResponseHeaders | Specific headers from the authorization response will be copied into the request to the backend. |
policies[].policy.extAuthz.(any)protocol.(1)http.addRequestHeaders | Specific headers to add in the authorization request (empty = all headers), based on the expression |
policies[].policy.extAuthz.(any)protocol.(1)http.metadata | Metadata to include under the extauthz variable, based on the authorization response. |
policies[].policy.extAuthz.(any)failureMode | Behavior when the authorization service is unavailable or returns an error |
policies[].policy.extAuthz.(any)failureMode.(1)denyWithStatus | |
policies[].policy.extAuthz.(any)includeRequestHeaders | Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’. |
policies[].policy.extAuthz.(any)includeRequestBody | Options for including the request body in the authorization request |
policies[].policy.extAuthz.(any)includeRequestBody.maxRequestBytes | Maximum size of request body to buffer (default: 8192) |
policies[].policy.extAuthz.(any)includeRequestBody.allowPartialMessage | If true, send partial body when max_request_bytes is reached |
policies[].policy.extAuthz.(any)includeRequestBody.packAsBytes | If true, pack body as raw bytes in gRPC |
policies[].policy.extProc | Extend agentgateway with an external processor |
policies[].policy.extProc.(any)(1)service | |
policies[].policy.extProc.(any)(1)service.name | |
policies[].policy.extProc.(any)(1)service.name.namespace | |
policies[].policy.extProc.(any)(1)service.name.hostname | |
policies[].policy.extProc.(any)(1)service.port | |
policies[].policy.extProc.(any)(1)host | Hostname or IP address |
policies[].policy.extProc.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
policies[].policy.extProc.(any)policies | Policies to connect to the backend |
policies[].policy.extProc.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
policies[].policy.extProc.(any)policies.requestHeaderModifier.add | |
policies[].policy.extProc.(any)policies.requestHeaderModifier.set | |
policies[].policy.extProc.(any)policies.requestHeaderModifier.remove | |
policies[].policy.extProc.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
policies[].policy.extProc.(any)policies.responseHeaderModifier.add | |
policies[].policy.extProc.(any)policies.responseHeaderModifier.set | |
policies[].policy.extProc.(any)policies.responseHeaderModifier.remove | |
policies[].policy.extProc.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
policies[].policy.extProc.(any)policies.requestRedirect.scheme | |
policies[].policy.extProc.(any)policies.requestRedirect.authority | |
policies[].policy.extProc.(any)policies.requestRedirect.authority.(any)(1)full | |
policies[].policy.extProc.(any)policies.requestRedirect.authority.(any)(1)host | |
policies[].policy.extProc.(any)policies.requestRedirect.authority.(any)(1)port | |
policies[].policy.extProc.(any)policies.requestRedirect.path | |
policies[].policy.extProc.(any)policies.requestRedirect.path.(any)(1)full | |
policies[].policy.extProc.(any)policies.requestRedirect.path.(any)(1)prefix | |
policies[].policy.extProc.(any)policies.requestRedirect.status | |
policies[].policy.extProc.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
policies[].policy.extProc.(any)policies.transformations.request | |
policies[].policy.extProc.(any)policies.transformations.request.add | |
policies[].policy.extProc.(any)policies.transformations.request.set | |
policies[].policy.extProc.(any)policies.transformations.request.remove | |
policies[].policy.extProc.(any)policies.transformations.request.body | |
policies[].policy.extProc.(any)policies.transformations.request.metadata | |
policies[].policy.extProc.(any)policies.transformations.response | |
policies[].policy.extProc.(any)policies.transformations.response.add | |
policies[].policy.extProc.(any)policies.transformations.response.set | |
policies[].policy.extProc.(any)policies.transformations.response.remove | |
policies[].policy.extProc.(any)policies.transformations.response.body | |
policies[].policy.extProc.(any)policies.transformations.response.metadata | |
policies[].policy.extProc.(any)policies.backendTLS | Send TLS to the backend. |
policies[].policy.extProc.(any)policies.backendTLS.cert | |
policies[].policy.extProc.(any)policies.backendTLS.key | |
policies[].policy.extProc.(any)policies.backendTLS.root | |
policies[].policy.extProc.(any)policies.backendTLS.hostname | |
policies[].policy.extProc.(any)policies.backendTLS.insecure | |
policies[].policy.extProc.(any)policies.backendTLS.insecureHost | |
policies[].policy.extProc.(any)policies.backendTLS.alpn | |
policies[].policy.extProc.(any)policies.backendTLS.subjectAltNames | |
policies[].policy.extProc.(any)policies.backendAuth | Authenticate to the backend. |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)passthrough | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)key | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)key.(any)file | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
policies[].policy.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
policies[].policy.extProc.(any)policies.http | Specify HTTP settings for the backend |
policies[].policy.extProc.(any)policies.http.version | |
policies[].policy.extProc.(any)policies.http.requestTimeout | |
policies[].policy.extProc.(any)policies.tcp | Specify TCP settings for the backend |
policies[].policy.extProc.(any)policies.tcp.keepalives | |
policies[].policy.extProc.(any)policies.tcp.keepalives.enabled | |
policies[].policy.extProc.(any)policies.tcp.keepalives.time | |
policies[].policy.extProc.(any)policies.tcp.keepalives.interval | |
policies[].policy.extProc.(any)policies.tcp.keepalives.retries | |
policies[].policy.extProc.(any)policies.tcp.connectTimeout | |
policies[].policy.extProc.(any)policies.tcp.connectTimeout.secs | |
policies[].policy.extProc.(any)policies.tcp.connectTimeout.nanos | |
policies[].policy.extProc.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
policies[].policy.extProc.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
policies[].policy.extProc.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
policies[].policy.extProc.(any)policies.health.eviction.duration | |
policies[].policy.extProc.(any)policies.health.healthThreshold | |
policies[].policy.extProc.(any)policies.health.healthOnUnevict | |
policies[].policy.extProc.(any)failureMode | Behavior when the ext_proc service is unavailable or returns an error |
policies[].policy.extProc.(any)metadataContext | Additional metadata to send to the external processing service. Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions. |
policies[].policy.extProc.(any)requestAttributes | Maps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
policies[].policy.extProc.(any)responseAttributes | Maps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
policies[].policy.transformations | Modify requests and responses |
policies[].policy.transformations.request | |
policies[].policy.transformations.request.add | |
policies[].policy.transformations.request.set | |
policies[].policy.transformations.request.remove | |
policies[].policy.transformations.request.body | |
policies[].policy.transformations.request.metadata | |
policies[].policy.transformations.response | |
policies[].policy.transformations.response.add | |
policies[].policy.transformations.response.set | |
policies[].policy.transformations.response.remove | |
policies[].policy.transformations.response.body | |
policies[].policy.transformations.response.metadata | |
policies[].policy.csrf | Handle CSRF protection by validating request origins against configured allowed origins. |
policies[].policy.csrf.additionalOrigins | |
policies[].policy.timeout | Timeout requests that exceed the configured duration. |
policies[].policy.timeout.requestTimeout | |
policies[].policy.timeout.backendRequestTimeout | |
policies[].policy.retry | Retry matching requests. |
policies[].policy.retry.attempts | |
policies[].policy.retry.backoff | |
policies[].policy.retry.codes | |
workloads | |
services | |
backends | |
backends[].name | |
backends[].host | |
backends[].policies | |
backends[].policies.requestHeaderModifier | Headers to be modified in the request. |
backends[].policies.requestHeaderModifier.add | |
backends[].policies.requestHeaderModifier.set | |
backends[].policies.requestHeaderModifier.remove | |
backends[].policies.responseHeaderModifier | Headers to be modified in the response. |
backends[].policies.responseHeaderModifier.add | |
backends[].policies.responseHeaderModifier.set | |
backends[].policies.responseHeaderModifier.remove | |
backends[].policies.requestRedirect | Directly respond to the request with a redirect. |
backends[].policies.requestRedirect.scheme | |
backends[].policies.requestRedirect.authority | |
backends[].policies.requestRedirect.authority.(any)(1)full | |
backends[].policies.requestRedirect.authority.(any)(1)host | |
backends[].policies.requestRedirect.authority.(any)(1)port | |
backends[].policies.requestRedirect.path | |
backends[].policies.requestRedirect.path.(any)(1)full | |
backends[].policies.requestRedirect.path.(any)(1)prefix | |
backends[].policies.requestRedirect.status | |
backends[].policies.transformations | Modify requests and responses sent to and from the backend. |
backends[].policies.transformations.request | |
backends[].policies.transformations.request.add | |
backends[].policies.transformations.request.set | |
backends[].policies.transformations.request.remove | |
backends[].policies.transformations.request.body | |
backends[].policies.transformations.request.metadata | |
backends[].policies.transformations.response | |
backends[].policies.transformations.response.add | |
backends[].policies.transformations.response.set | |
backends[].policies.transformations.response.remove | |
backends[].policies.transformations.response.body | |
backends[].policies.transformations.response.metadata | |
backends[].policies.backendTLS | Send TLS to the backend. |
backends[].policies.backendTLS.cert | |
backends[].policies.backendTLS.key | |
backends[].policies.backendTLS.root | |
backends[].policies.backendTLS.hostname | |
backends[].policies.backendTLS.insecure | |
backends[].policies.backendTLS.insecureHost | |
backends[].policies.backendTLS.alpn | |
backends[].policies.backendTLS.subjectAltNames | |
backends[].policies.backendAuth | Authenticate to the backend. |
backends[].policies.backendAuth.(any)(1)passthrough | |
backends[].policies.backendAuth.(any)(1)key | |
backends[].policies.backendAuth.(any)(1)key.(any)file | |
backends[].policies.backendAuth.(any)(1)gcp | |
backends[].policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
backends[].policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.backendAuth.(any)(1)aws | |
backends[].policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
backends[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
backends[].policies.backendAuth.(any)(1)aws.(any)region | |
backends[].policies.backendAuth.(any)(1)aws.(any)sessionToken | |
backends[].policies.backendAuth.(any)(1)azure | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
backends[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
backends[].policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
backends[].policies.http | Specify HTTP settings for the backend |
backends[].policies.http.version | |
backends[].policies.http.requestTimeout | |
backends[].policies.tcp | Specify TCP settings for the backend |
backends[].policies.tcp.keepalives | |
backends[].policies.tcp.keepalives.enabled | |
backends[].policies.tcp.keepalives.time | |
backends[].policies.tcp.keepalives.interval | |
backends[].policies.tcp.keepalives.retries | |
backends[].policies.tcp.connectTimeout | |
backends[].policies.tcp.connectTimeout.secs | |
backends[].policies.tcp.connectTimeout.nanos | |
backends[].policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
backends[].policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
backends[].policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
backends[].policies.health.eviction.duration | |
backends[].policies.health.healthThreshold | |
backends[].policies.health.healthOnUnevict | |
backends[].policies.mcpAuthorization | Authorization policies for MCP access. |
backends[].policies.mcpAuthorization.rules | |
backends[].policies.a2a | Mark this traffic as A2A to enable A2A processing and telemetry. |
backends[].policies.ai | Mark this as LLM traffic to enable LLM processing. |
backends[].policies.ai.promptGuard | |
backends[].policies.ai.promptGuard.request | |
backends[].policies.ai.promptGuard.request[].(1)regex | |
backends[].policies.ai.promptGuard.request[].(1)regex.action | |
backends[].policies.ai.promptGuard.request[].(1)regex.rules | |
backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin | |
backends[].policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern | |
backends[].policies.ai.promptGuard.request[].(1)webhook | |
backends[].policies.ai.promptGuard.request[].(1)webhook.target | |
backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service | |
backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name | |
backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace | |
backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname | |
backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port | |
backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)host | Hostname or IP address |
backends[].policies.ai.promptGuard.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches | |
backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name | |
backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value | |
backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
backends[].policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.metadata | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.metadata | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction.duration | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthThreshold | |
backends[].policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
backends[].policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.projectId | The GCP project ID |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction.duration | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthThreshold | |
backends[].policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
backends[].policies.ai.promptGuard.request[].rejection | |
backends[].policies.ai.promptGuard.request[].rejection.body | |
backends[].policies.ai.promptGuard.request[].rejection.status | |
backends[].policies.ai.promptGuard.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
backends[].policies.ai.promptGuard.request[].rejection.headers.add | |
backends[].policies.ai.promptGuard.request[].rejection.headers.set | |
backends[].policies.ai.promptGuard.request[].rejection.headers.remove | |
backends[].policies.ai.promptGuard.response | |
backends[].policies.ai.promptGuard.response[].(1)regex | |
backends[].policies.ai.promptGuard.response[].(1)regex.action | |
backends[].policies.ai.promptGuard.response[].(1)regex.rules | |
backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin | |
backends[].policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern | |
backends[].policies.ai.promptGuard.response[].(1)webhook | |
backends[].policies.ai.promptGuard.response[].(1)webhook.target | |
backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service | |
backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name | |
backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace | |
backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname | |
backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port | |
backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)host | Hostname or IP address |
backends[].policies.ai.promptGuard.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches | |
backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name | |
backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value | |
backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
backends[].policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
backends[].policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.projectId | The GCP project ID |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction.duration | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthThreshold | |
backends[].policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
backends[].policies.ai.promptGuard.response[].rejection | |
backends[].policies.ai.promptGuard.response[].rejection.body | |
backends[].policies.ai.promptGuard.response[].rejection.status | |
backends[].policies.ai.promptGuard.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
backends[].policies.ai.promptGuard.response[].rejection.headers.add | |
backends[].policies.ai.promptGuard.response[].rejection.headers.set | |
backends[].policies.ai.promptGuard.response[].rejection.headers.remove | |
backends[].policies.ai.defaults | |
backends[].policies.ai.overrides | |
backends[].policies.ai.transformations | |
backends[].policies.ai.prompts | |
backends[].policies.ai.prompts.append | |
backends[].policies.ai.prompts.append[].role | |
backends[].policies.ai.prompts.append[].content | |
backends[].policies.ai.prompts.prepend | |
backends[].policies.ai.prompts.prepend[].role | |
backends[].policies.ai.prompts.prepend[].content | |
backends[].policies.ai.modelAliases | |
backends[].policies.ai.promptCaching | |
backends[].policies.ai.promptCaching.cacheSystem | |
backends[].policies.ai.promptCaching.cacheMessages | |
backends[].policies.ai.promptCaching.cacheTools | |
backends[].policies.ai.promptCaching.minTokens | |
backends[].policies.ai.routes | |
llm | |
llm.port | |
llm.models | models defines the set of models that can be served by this gateway. The model name refers to the model in the users request that is matched; the model sent to the actual LLM can be overridden on a per-model basis. |
llm.models[].name | name is the name of the model we are matching from a users request. If params.model is set, that will be used in the request to the LLM provider. If not, the incoming model is used. |
llm.models[].params | params customizes parameters for the outgoing request |
llm.models[].params.model | The model to send to the provider. If unset, the same model will be used from the request. |
llm.models[].params.apiKey | An API key to attach to the request. If unset this will be automatically detected from the environment. |
llm.models[].params.awsRegion | |
llm.models[].params.vertexRegion | |
llm.models[].params.vertexProject | |
llm.models[].params.azureHost | For Azure: the host of the deployment |
llm.models[].params.azureApiVersion | For Azure: the API version to use |
llm.models[].provider | provider of the LLM we are connecting too |
llm.models[].defaults | defaults allows setting default values for the request. If these are not present in the request body, they will be set. To override even when set, use overrides. |
llm.models[].overrides | overrides allows setting values for the request, overriding any existing values |
llm.models[].transformation | transformation allows setting values from CEL expressions for the request, overriding any existing values. |
llm.models[].requestHeaders | requestHeaders modifies headers in requests to the LLM provider. |
llm.models[].requestHeaders.add | |
llm.models[].requestHeaders.set | |
llm.models[].requestHeaders.remove | |
llm.models[].guardrails | guardrails to apply to the request or response |
llm.models[].guardrails.request | |
llm.models[].guardrails.request[].(1)regex | |
llm.models[].guardrails.request[].(1)regex.action | |
llm.models[].guardrails.request[].(1)regex.rules | |
llm.models[].guardrails.request[].(1)regex.rules[].(any)builtin | |
llm.models[].guardrails.request[].(1)regex.rules[].(any)pattern | |
llm.models[].guardrails.request[].(1)webhook | |
llm.models[].guardrails.request[].(1)webhook.target | |
llm.models[].guardrails.request[].(1)webhook.target.(1)service | |
llm.models[].guardrails.request[].(1)webhook.target.(1)service.name | |
llm.models[].guardrails.request[].(1)webhook.target.(1)service.name.namespace | |
llm.models[].guardrails.request[].(1)webhook.target.(1)service.name.hostname | |
llm.models[].guardrails.request[].(1)webhook.target.(1)service.port | |
llm.models[].guardrails.request[].(1)webhook.target.(1)host | Hostname or IP address |
llm.models[].guardrails.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches | |
llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].name | |
llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].value | |
llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
llm.models[].guardrails.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
llm.models[].guardrails.request[].(1)openAIModeration | |
llm.models[].guardrails.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
llm.models[].guardrails.request[].(1)openAIModeration.policies | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.path | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.requestRedirect.status | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.add | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.set | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.remove | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.body | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.request.metadata | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.add | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.set | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.remove | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.body | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.transformations.response.metadata | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.cert | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.key | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.root | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.hostname | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.insecure | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.alpn | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
llm.models[].guardrails.request[].(1)openAIModeration.policies.http.version | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.http.requestTimeout | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
llm.models[].guardrails.request[].(1)openAIModeration.policies.health.eviction.duration | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.health.healthThreshold | |
llm.models[].guardrails.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
llm.models[].guardrails.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
llm.models[].guardrails.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
llm.models[].guardrails.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.http.version | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
llm.models[].guardrails.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
llm.models[].guardrails.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
llm.models[].guardrails.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
llm.models[].guardrails.request[].(1)googleModelArmor.projectId | The GCP project ID |
llm.models[].guardrails.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
llm.models[].guardrails.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.path | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.requestRedirect.status | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.add | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.set | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.remove | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.body | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.add | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.set | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.remove | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.body | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.cert | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.key | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.root | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.http.version | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.http.requestTimeout | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.health.eviction.duration | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.health.healthThreshold | |
llm.models[].guardrails.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
llm.models[].guardrails.request[].rejection | |
llm.models[].guardrails.request[].rejection.body | |
llm.models[].guardrails.request[].rejection.status | |
llm.models[].guardrails.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
llm.models[].guardrails.request[].rejection.headers.add | |
llm.models[].guardrails.request[].rejection.headers.set | |
llm.models[].guardrails.request[].rejection.headers.remove | |
llm.models[].guardrails.response | |
llm.models[].guardrails.response[].(1)regex | |
llm.models[].guardrails.response[].(1)regex.action | |
llm.models[].guardrails.response[].(1)regex.rules | |
llm.models[].guardrails.response[].(1)regex.rules[].(any)builtin | |
llm.models[].guardrails.response[].(1)regex.rules[].(any)pattern | |
llm.models[].guardrails.response[].(1)webhook | |
llm.models[].guardrails.response[].(1)webhook.target | |
llm.models[].guardrails.response[].(1)webhook.target.(1)service | |
llm.models[].guardrails.response[].(1)webhook.target.(1)service.name | |
llm.models[].guardrails.response[].(1)webhook.target.(1)service.name.namespace | |
llm.models[].guardrails.response[].(1)webhook.target.(1)service.name.hostname | |
llm.models[].guardrails.response[].(1)webhook.target.(1)service.port | |
llm.models[].guardrails.response[].(1)webhook.target.(1)host | Hostname or IP address |
llm.models[].guardrails.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches | |
llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].name | |
llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].value | |
llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
llm.models[].guardrails.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
llm.models[].guardrails.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
llm.models[].guardrails.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
llm.models[].guardrails.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.http.version | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
llm.models[].guardrails.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
llm.models[].guardrails.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
llm.models[].guardrails.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
llm.models[].guardrails.response[].(1)googleModelArmor.projectId | The GCP project ID |
llm.models[].guardrails.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
llm.models[].guardrails.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.path | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.requestRedirect.status | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.add | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.set | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.remove | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.body | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.add | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.set | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.remove | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.body | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.cert | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.key | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.root | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.http.version | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.http.requestTimeout | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.health.eviction.duration | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.health.healthThreshold | |
llm.models[].guardrails.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
llm.models[].guardrails.response[].rejection | |
llm.models[].guardrails.response[].rejection.body | |
llm.models[].guardrails.response[].rejection.status | |
llm.models[].guardrails.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
llm.models[].guardrails.response[].rejection.headers.add | |
llm.models[].guardrails.response[].rejection.headers.set | |
llm.models[].guardrails.response[].rejection.headers.remove | |
llm.models[].matches | matches specifies the conditions under which this model should be used in addition to matching the model name. |
llm.models[].matches[].headers | |
llm.models[].matches[].headers[].name | |
llm.models[].matches[].headers[].value | |
llm.models[].matches[].headers[].value.(1)exact | |
llm.models[].matches[].headers[].value.(1)regex | |
llm.policies | policies defines policies for handling incoming requests, before a model is selected |
llm.policies.jwtAuth | Authenticate incoming JWT requests. |
llm.policies.jwtAuth.(any)(any)mode | |
llm.policies.jwtAuth.(any)(any)providers | |
llm.policies.jwtAuth.(any)(any)providers[].issuer | |
llm.policies.jwtAuth.(any)(any)providers[].audiences | |
llm.policies.jwtAuth.(any)(any)providers[].jwks | |
llm.policies.jwtAuth.(any)(any)providers[].jwks.(any)file | |
llm.policies.jwtAuth.(any)(any)providers[].jwks.(any)url | |
llm.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
llm.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
llm.policies.jwtAuth.(any)(any)mode | |
llm.policies.jwtAuth.(any)(any)issuer | |
llm.policies.jwtAuth.(any)(any)audiences | |
llm.policies.jwtAuth.(any)(any)jwks | |
llm.policies.jwtAuth.(any)(any)jwks.(any)file | |
llm.policies.jwtAuth.(any)(any)jwks.(any)url | |
llm.policies.jwtAuth.(any)(any)jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
llm.policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
llm.policies.extAuthz | Authenticate incoming requests by calling an external authorization server. |
llm.policies.extAuthz.(any)(1)service | |
llm.policies.extAuthz.(any)(1)service.name | |
llm.policies.extAuthz.(any)(1)service.name.namespace | |
llm.policies.extAuthz.(any)(1)service.name.hostname | |
llm.policies.extAuthz.(any)(1)service.port | |
llm.policies.extAuthz.(any)(1)host | Hostname or IP address |
llm.policies.extAuthz.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
llm.policies.extAuthz.(any)policies | Policies to connect to the backend |
llm.policies.extAuthz.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
llm.policies.extAuthz.(any)policies.requestHeaderModifier.add | |
llm.policies.extAuthz.(any)policies.requestHeaderModifier.set | |
llm.policies.extAuthz.(any)policies.requestHeaderModifier.remove | |
llm.policies.extAuthz.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
llm.policies.extAuthz.(any)policies.responseHeaderModifier.add | |
llm.policies.extAuthz.(any)policies.responseHeaderModifier.set | |
llm.policies.extAuthz.(any)policies.responseHeaderModifier.remove | |
llm.policies.extAuthz.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
llm.policies.extAuthz.(any)policies.requestRedirect.scheme | |
llm.policies.extAuthz.(any)policies.requestRedirect.authority | |
llm.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full | |
llm.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host | |
llm.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port | |
llm.policies.extAuthz.(any)policies.requestRedirect.path | |
llm.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full | |
llm.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix | |
llm.policies.extAuthz.(any)policies.requestRedirect.status | |
llm.policies.extAuthz.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
llm.policies.extAuthz.(any)policies.transformations.request | |
llm.policies.extAuthz.(any)policies.transformations.request.add | |
llm.policies.extAuthz.(any)policies.transformations.request.set | |
llm.policies.extAuthz.(any)policies.transformations.request.remove | |
llm.policies.extAuthz.(any)policies.transformations.request.body | |
llm.policies.extAuthz.(any)policies.transformations.request.metadata | |
llm.policies.extAuthz.(any)policies.transformations.response | |
llm.policies.extAuthz.(any)policies.transformations.response.add | |
llm.policies.extAuthz.(any)policies.transformations.response.set | |
llm.policies.extAuthz.(any)policies.transformations.response.remove | |
llm.policies.extAuthz.(any)policies.transformations.response.body | |
llm.policies.extAuthz.(any)policies.transformations.response.metadata | |
llm.policies.extAuthz.(any)policies.backendTLS | Send TLS to the backend. |
llm.policies.extAuthz.(any)policies.backendTLS.cert | |
llm.policies.extAuthz.(any)policies.backendTLS.key | |
llm.policies.extAuthz.(any)policies.backendTLS.root | |
llm.policies.extAuthz.(any)policies.backendTLS.hostname | |
llm.policies.extAuthz.(any)policies.backendTLS.insecure | |
llm.policies.extAuthz.(any)policies.backendTLS.insecureHost | |
llm.policies.extAuthz.(any)policies.backendTLS.alpn | |
llm.policies.extAuthz.(any)policies.backendTLS.subjectAltNames | |
llm.policies.extAuthz.(any)policies.backendAuth | Authenticate to the backend. |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)key | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
llm.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
llm.policies.extAuthz.(any)policies.http | Specify HTTP settings for the backend |
llm.policies.extAuthz.(any)policies.http.version | |
llm.policies.extAuthz.(any)policies.http.requestTimeout | |
llm.policies.extAuthz.(any)policies.tcp | Specify TCP settings for the backend |
llm.policies.extAuthz.(any)policies.tcp.keepalives | |
llm.policies.extAuthz.(any)policies.tcp.keepalives.enabled | |
llm.policies.extAuthz.(any)policies.tcp.keepalives.time | |
llm.policies.extAuthz.(any)policies.tcp.keepalives.interval | |
llm.policies.extAuthz.(any)policies.tcp.keepalives.retries | |
llm.policies.extAuthz.(any)policies.tcp.connectTimeout | |
llm.policies.extAuthz.(any)policies.tcp.connectTimeout.secs | |
llm.policies.extAuthz.(any)policies.tcp.connectTimeout.nanos | |
llm.policies.extAuthz.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
llm.policies.extAuthz.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
llm.policies.extAuthz.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
llm.policies.extAuthz.(any)policies.health.eviction.duration | |
llm.policies.extAuthz.(any)policies.health.healthThreshold | |
llm.policies.extAuthz.(any)policies.health.healthOnUnevict | |
llm.policies.extAuthz.(any)protocol | The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended. |
llm.policies.extAuthz.(any)protocol.(1)grpc | |
llm.policies.extAuthz.(any)protocol.(1)grpc.context | Additional context to send to the authorization service. This maps to the context_extensions field of the request, and only allows static values. |
llm.policies.extAuthz.(any)protocol.(1)grpc.metadata | Additional metadata to send to the authorization service. This maps to the metadata_context.filter_metadata field of the request, and allows dynamic CEL expressions.If unset, by default the envoy.filters.http.jwt_authn key is set if the JWT policy is used as well, for compatibility. |
llm.policies.extAuthz.(any)protocol.(1)http | |
llm.policies.extAuthz.(any)protocol.(1)http.path | |
llm.policies.extAuthz.(any)protocol.(1)http.redirect | When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error. |
llm.policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders | Specific headers from the authorization response will be copied into the request to the backend. |
llm.policies.extAuthz.(any)protocol.(1)http.addRequestHeaders | Specific headers to add in the authorization request (empty = all headers), based on the expression |
llm.policies.extAuthz.(any)protocol.(1)http.metadata | Metadata to include under the extauthz variable, based on the authorization response. |
llm.policies.extAuthz.(any)failureMode | Behavior when the authorization service is unavailable or returns an error |
llm.policies.extAuthz.(any)failureMode.(1)denyWithStatus | |
llm.policies.extAuthz.(any)includeRequestHeaders | Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’. |
llm.policies.extAuthz.(any)includeRequestBody | Options for including the request body in the authorization request |
llm.policies.extAuthz.(any)includeRequestBody.maxRequestBytes | Maximum size of request body to buffer (default: 8192) |
llm.policies.extAuthz.(any)includeRequestBody.allowPartialMessage | If true, send partial body when max_request_bytes is reached |
llm.policies.extAuthz.(any)includeRequestBody.packAsBytes | If true, pack body as raw bytes in gRPC |
llm.policies.extProc | Extend agentgateway with an external processor |
llm.policies.extProc.(any)(1)service | |
llm.policies.extProc.(any)(1)service.name | |
llm.policies.extProc.(any)(1)service.name.namespace | |
llm.policies.extProc.(any)(1)service.name.hostname | |
llm.policies.extProc.(any)(1)service.port | |
llm.policies.extProc.(any)(1)host | Hostname or IP address |
llm.policies.extProc.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
llm.policies.extProc.(any)policies | Policies to connect to the backend |
llm.policies.extProc.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
llm.policies.extProc.(any)policies.requestHeaderModifier.add | |
llm.policies.extProc.(any)policies.requestHeaderModifier.set | |
llm.policies.extProc.(any)policies.requestHeaderModifier.remove | |
llm.policies.extProc.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
llm.policies.extProc.(any)policies.responseHeaderModifier.add | |
llm.policies.extProc.(any)policies.responseHeaderModifier.set | |
llm.policies.extProc.(any)policies.responseHeaderModifier.remove | |
llm.policies.extProc.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
llm.policies.extProc.(any)policies.requestRedirect.scheme | |
llm.policies.extProc.(any)policies.requestRedirect.authority | |
llm.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full | |
llm.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host | |
llm.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port | |
llm.policies.extProc.(any)policies.requestRedirect.path | |
llm.policies.extProc.(any)policies.requestRedirect.path.(any)(1)full | |
llm.policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix | |
llm.policies.extProc.(any)policies.requestRedirect.status | |
llm.policies.extProc.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
llm.policies.extProc.(any)policies.transformations.request | |
llm.policies.extProc.(any)policies.transformations.request.add | |
llm.policies.extProc.(any)policies.transformations.request.set | |
llm.policies.extProc.(any)policies.transformations.request.remove | |
llm.policies.extProc.(any)policies.transformations.request.body | |
llm.policies.extProc.(any)policies.transformations.request.metadata | |
llm.policies.extProc.(any)policies.transformations.response | |
llm.policies.extProc.(any)policies.transformations.response.add | |
llm.policies.extProc.(any)policies.transformations.response.set | |
llm.policies.extProc.(any)policies.transformations.response.remove | |
llm.policies.extProc.(any)policies.transformations.response.body | |
llm.policies.extProc.(any)policies.transformations.response.metadata | |
llm.policies.extProc.(any)policies.backendTLS | Send TLS to the backend. |
llm.policies.extProc.(any)policies.backendTLS.cert | |
llm.policies.extProc.(any)policies.backendTLS.key | |
llm.policies.extProc.(any)policies.backendTLS.root | |
llm.policies.extProc.(any)policies.backendTLS.hostname | |
llm.policies.extProc.(any)policies.backendTLS.insecure | |
llm.policies.extProc.(any)policies.backendTLS.insecureHost | |
llm.policies.extProc.(any)policies.backendTLS.alpn | |
llm.policies.extProc.(any)policies.backendTLS.subjectAltNames | |
llm.policies.extProc.(any)policies.backendAuth | Authenticate to the backend. |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)passthrough | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)key | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
llm.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
llm.policies.extProc.(any)policies.http | Specify HTTP settings for the backend |
llm.policies.extProc.(any)policies.http.version | |
llm.policies.extProc.(any)policies.http.requestTimeout | |
llm.policies.extProc.(any)policies.tcp | Specify TCP settings for the backend |
llm.policies.extProc.(any)policies.tcp.keepalives | |
llm.policies.extProc.(any)policies.tcp.keepalives.enabled | |
llm.policies.extProc.(any)policies.tcp.keepalives.time | |
llm.policies.extProc.(any)policies.tcp.keepalives.interval | |
llm.policies.extProc.(any)policies.tcp.keepalives.retries | |
llm.policies.extProc.(any)policies.tcp.connectTimeout | |
llm.policies.extProc.(any)policies.tcp.connectTimeout.secs | |
llm.policies.extProc.(any)policies.tcp.connectTimeout.nanos | |
llm.policies.extProc.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
llm.policies.extProc.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
llm.policies.extProc.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
llm.policies.extProc.(any)policies.health.eviction.duration | |
llm.policies.extProc.(any)policies.health.healthThreshold | |
llm.policies.extProc.(any)policies.health.healthOnUnevict | |
llm.policies.extProc.(any)failureMode | Behavior when the ext_proc service is unavailable or returns an error |
llm.policies.extProc.(any)metadataContext | Additional metadata to send to the external processing service. Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions. |
llm.policies.extProc.(any)requestAttributes | Maps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
llm.policies.extProc.(any)responseAttributes | Maps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
llm.policies.transformations | Modify requests and responses |
llm.policies.transformations.request | |
llm.policies.transformations.request.add | |
llm.policies.transformations.request.set | |
llm.policies.transformations.request.remove | |
llm.policies.transformations.request.body | |
llm.policies.transformations.request.metadata | |
llm.policies.transformations.response | |
llm.policies.transformations.response.add | |
llm.policies.transformations.response.set | |
llm.policies.transformations.response.remove | |
llm.policies.transformations.response.body | |
llm.policies.transformations.response.metadata | |
llm.policies.basicAuth | Authenticate incoming requests using Basic Authentication with htpasswd. |
llm.policies.basicAuth.htpasswd | .htpasswd file contents/reference |
llm.policies.basicAuth.htpasswd.(any)file | |
llm.policies.basicAuth.realm | Realm name for the WWW-Authenticate header |
llm.policies.basicAuth.mode | Validation mode for basic authentication |
llm.policies.apiKey | Authenticate incoming requests using API Keys |
llm.policies.apiKey.keys | List of API keys |
llm.policies.apiKey.keys[].key | |
llm.policies.apiKey.keys[].metadata | |
llm.policies.apiKey.mode | Validation mode for API keys |
llm.policies.authorization | Authorization policies for HTTP access. |
llm.policies.authorization.rules | |
mcp | |
mcp.port | |
mcp.targets | |
mcp.targets[].(1)sse | |
mcp.targets[].(1)sse.host | |
mcp.targets[].(1)sse.port | |
mcp.targets[].(1)sse.path | |
mcp.targets[].(1)mcp | |
mcp.targets[].(1)mcp.host | |
mcp.targets[].(1)mcp.port | |
mcp.targets[].(1)mcp.path | |
mcp.targets[].(1)stdio | |
mcp.targets[].(1)stdio.cmd | |
mcp.targets[].(1)stdio.args | |
mcp.targets[].(1)stdio.env | |
mcp.targets[].(1)openapi | |
mcp.targets[].(1)openapi.host | |
mcp.targets[].(1)openapi.port | |
mcp.targets[].(1)openapi.path | |
mcp.targets[].(1)openapi.schema | |
mcp.targets[].(1)openapi.schema.(any)file | |
mcp.targets[].(1)openapi.schema.(any)url | |
mcp.targets[].name | |
mcp.targets[].policies | |
mcp.targets[].policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.targets[].policies.requestHeaderModifier.add | |
mcp.targets[].policies.requestHeaderModifier.set | |
mcp.targets[].policies.requestHeaderModifier.remove | |
mcp.targets[].policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.targets[].policies.responseHeaderModifier.add | |
mcp.targets[].policies.responseHeaderModifier.set | |
mcp.targets[].policies.responseHeaderModifier.remove | |
mcp.targets[].policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.targets[].policies.requestRedirect.scheme | |
mcp.targets[].policies.requestRedirect.authority | |
mcp.targets[].policies.requestRedirect.authority.(any)(1)full | |
mcp.targets[].policies.requestRedirect.authority.(any)(1)host | |
mcp.targets[].policies.requestRedirect.authority.(any)(1)port | |
mcp.targets[].policies.requestRedirect.path | |
mcp.targets[].policies.requestRedirect.path.(any)(1)full | |
mcp.targets[].policies.requestRedirect.path.(any)(1)prefix | |
mcp.targets[].policies.requestRedirect.status | |
mcp.targets[].policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.targets[].policies.transformations.request | |
mcp.targets[].policies.transformations.request.add | |
mcp.targets[].policies.transformations.request.set | |
mcp.targets[].policies.transformations.request.remove | |
mcp.targets[].policies.transformations.request.body | |
mcp.targets[].policies.transformations.request.metadata | |
mcp.targets[].policies.transformations.response | |
mcp.targets[].policies.transformations.response.add | |
mcp.targets[].policies.transformations.response.set | |
mcp.targets[].policies.transformations.response.remove | |
mcp.targets[].policies.transformations.response.body | |
mcp.targets[].policies.transformations.response.metadata | |
mcp.targets[].policies.backendTLS | Send TLS to the backend. |
mcp.targets[].policies.backendTLS.cert | |
mcp.targets[].policies.backendTLS.key | |
mcp.targets[].policies.backendTLS.root | |
mcp.targets[].policies.backendTLS.hostname | |
mcp.targets[].policies.backendTLS.insecure | |
mcp.targets[].policies.backendTLS.insecureHost | |
mcp.targets[].policies.backendTLS.alpn | |
mcp.targets[].policies.backendTLS.subjectAltNames | |
mcp.targets[].policies.backendAuth | Authenticate to the backend. |
mcp.targets[].policies.backendAuth.(any)(1)passthrough | |
mcp.targets[].policies.backendAuth.(any)(1)key | |
mcp.targets[].policies.backendAuth.(any)(1)key.(any)file | |
mcp.targets[].policies.backendAuth.(any)(1)gcp | |
mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.targets[].policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.targets[].policies.backendAuth.(any)(1)aws | |
mcp.targets[].policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.targets[].policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.targets[].policies.backendAuth.(any)(1)aws.(any)region | |
mcp.targets[].policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.targets[].policies.backendAuth.(any)(1)azure | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.targets[].policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.targets[].policies.http | Specify HTTP settings for the backend |
mcp.targets[].policies.http.version | |
mcp.targets[].policies.http.requestTimeout | |
mcp.targets[].policies.tcp | Specify TCP settings for the backend |
mcp.targets[].policies.tcp.keepalives | |
mcp.targets[].policies.tcp.keepalives.enabled | |
mcp.targets[].policies.tcp.keepalives.time | |
mcp.targets[].policies.tcp.keepalives.interval | |
mcp.targets[].policies.tcp.keepalives.retries | |
mcp.targets[].policies.tcp.connectTimeout | |
mcp.targets[].policies.tcp.connectTimeout.secs | |
mcp.targets[].policies.tcp.connectTimeout.nanos | |
mcp.targets[].policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.targets[].policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.targets[].policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.targets[].policies.health.eviction.duration | |
mcp.targets[].policies.health.healthThreshold | |
mcp.targets[].policies.health.healthOnUnevict | |
mcp.targets[].policies.mcpAuthorization | Authorization policies for MCP access. |
mcp.targets[].policies.mcpAuthorization.rules | |
mcp.statefulMode | |
mcp.prefixMode | |
mcp.policies | |
mcp.policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.requestHeaderModifier.add | |
mcp.policies.requestHeaderModifier.set | |
mcp.policies.requestHeaderModifier.remove | |
mcp.policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.responseHeaderModifier.add | |
mcp.policies.responseHeaderModifier.set | |
mcp.policies.responseHeaderModifier.remove | |
mcp.policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.requestRedirect.scheme | |
mcp.policies.requestRedirect.authority | |
mcp.policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.requestRedirect.path | |
mcp.policies.requestRedirect.path.(any)(1)full | |
mcp.policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.requestRedirect.status | |
mcp.policies.urlRewrite | Modify the URL path or authority. |
mcp.policies.urlRewrite.authority | |
mcp.policies.urlRewrite.authority.(any)(1)full | |
mcp.policies.urlRewrite.authority.(any)(1)host | |
mcp.policies.urlRewrite.authority.(any)(1)port | |
mcp.policies.urlRewrite.path | |
mcp.policies.urlRewrite.path.(any)(1)full | |
mcp.policies.urlRewrite.path.(any)(1)prefix | |
mcp.policies.requestMirror | Mirror incoming requests to another destination. |
mcp.policies.requestMirror.backend | |
mcp.policies.requestMirror.backend.(1)service | |
mcp.policies.requestMirror.backend.(1)service.name | |
mcp.policies.requestMirror.backend.(1)service.name.namespace | |
mcp.policies.requestMirror.backend.(1)service.name.hostname | |
mcp.policies.requestMirror.backend.(1)service.port | |
mcp.policies.requestMirror.backend.(1)host | Hostname or IP address |
mcp.policies.requestMirror.backend.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
mcp.policies.requestMirror.percentage | |
mcp.policies.directResponse | Directly respond to the request with a static response. |
mcp.policies.directResponse.body | |
mcp.policies.directResponse.status | |
mcp.policies.cors | Handle CORS preflight requests and append configured CORS headers to applicable requests. |
mcp.policies.cors.allowCredentials | |
mcp.policies.cors.allowHeaders | |
mcp.policies.cors.allowMethods | |
mcp.policies.cors.allowOrigins | |
mcp.policies.cors.exposeHeaders | |
mcp.policies.cors.maxAge | |
mcp.policies.mcpAuthorization | Authorization policies for MCP access. |
mcp.policies.mcpAuthorization.rules | |
mcp.policies.authorization | Authorization policies for HTTP access. |
mcp.policies.authorization.rules | |
mcp.policies.mcpAuthentication | Authentication for MCP clients. |
mcp.policies.mcpAuthentication.issuer | |
mcp.policies.mcpAuthentication.audiences | |
mcp.policies.mcpAuthentication.provider | |
mcp.policies.mcpAuthentication.provider.(any)(1)auth0 | |
mcp.policies.mcpAuthentication.provider.(any)(1)keycloak | |
mcp.policies.mcpAuthentication.resourceMetadata | |
mcp.policies.mcpAuthentication.jwks | |
mcp.policies.mcpAuthentication.jwks.(any)file | |
mcp.policies.mcpAuthentication.jwks.(any)url | |
mcp.policies.mcpAuthentication.mode | |
mcp.policies.mcpAuthentication.jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
mcp.policies.mcpAuthentication.jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
mcp.policies.a2a | Mark this traffic as A2A to enable A2A processing and telemetry. |
mcp.policies.ai | Mark this as LLM traffic to enable LLM processing. |
mcp.policies.ai.promptGuard | |
mcp.policies.ai.promptGuard.request | |
mcp.policies.ai.promptGuard.request[].(1)regex | |
mcp.policies.ai.promptGuard.request[].(1)regex.action | |
mcp.policies.ai.promptGuard.request[].(1)regex.rules | |
mcp.policies.ai.promptGuard.request[].(1)regex.rules[].(any)builtin | |
mcp.policies.ai.promptGuard.request[].(1)regex.rules[].(any)pattern | |
mcp.policies.ai.promptGuard.request[].(1)webhook | |
mcp.policies.ai.promptGuard.request[].(1)webhook.target | |
mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service | |
mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name | |
mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.namespace | |
mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.name.hostname | |
mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)service.port | |
mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)host | Hostname or IP address |
mcp.policies.ai.promptGuard.request[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches | |
mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].name | |
mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value | |
mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
mcp.policies.ai.promptGuard.request[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.model | Model to use. Defaults to omni-moderation-latest |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.add | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.set | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestHeaderModifier.remove | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.add | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.set | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.responseHeaderModifier.remove | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.scheme | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)full | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.requestRedirect.status | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.add | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.set | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.remove | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.body | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.request.metadata | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.add | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.set | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.remove | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.body | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.transformations.response.metadata | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS | Send TLS to the backend. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.cert | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.key | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.root | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.hostname | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecure | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.insecureHost | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.alpn | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendTLS.subjectAltNames | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth | Authenticate to the backend. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)passthrough | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.http | Specify HTTP settings for the backend |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.version | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.http.requestTimeout | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp | Specify TCP settings for the backend |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.enabled | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.time | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.interval | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.keepalives.retries | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.secs | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.tcp.connectTimeout.nanos | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.eviction.duration | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthThreshold | |
mcp.policies.ai.promptGuard.request[].(1)openAIModeration.policies.health.healthOnUnevict | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.requestRedirect.status | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.add | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.set | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.remove | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.body | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.add | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.set | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.remove | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.body | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.cert | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.key | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.root | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.version | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.http.requestTimeout | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.eviction.duration | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthThreshold | |
mcp.policies.ai.promptGuard.request[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.projectId | The GCP project ID |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.scheme | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.requestRedirect.status | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.add | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.set | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.remove | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.body | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.request.metadata | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.add | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.set | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.remove | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.body | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.transformations.response.metadata | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.cert | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.key | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.root | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.hostname | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecure | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.alpn | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.version | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.http.requestTimeout | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.time | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.eviction.duration | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthThreshold | |
mcp.policies.ai.promptGuard.request[].(1)googleModelArmor.policies.health.healthOnUnevict | |
mcp.policies.ai.promptGuard.request[].rejection | |
mcp.policies.ai.promptGuard.request[].rejection.body | |
mcp.policies.ai.promptGuard.request[].rejection.status | |
mcp.policies.ai.promptGuard.request[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
mcp.policies.ai.promptGuard.request[].rejection.headers.add | |
mcp.policies.ai.promptGuard.request[].rejection.headers.set | |
mcp.policies.ai.promptGuard.request[].rejection.headers.remove | |
mcp.policies.ai.promptGuard.response | |
mcp.policies.ai.promptGuard.response[].(1)regex | |
mcp.policies.ai.promptGuard.response[].(1)regex.action | |
mcp.policies.ai.promptGuard.response[].(1)regex.rules | |
mcp.policies.ai.promptGuard.response[].(1)regex.rules[].(any)builtin | |
mcp.policies.ai.promptGuard.response[].(1)regex.rules[].(any)pattern | |
mcp.policies.ai.promptGuard.response[].(1)webhook | |
mcp.policies.ai.promptGuard.response[].(1)webhook.target | |
mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service | |
mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name | |
mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.namespace | |
mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.name.hostname | |
mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)service.port | |
mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)host | Hostname or IP address |
mcp.policies.ai.promptGuard.response[].(1)webhook.target.(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches | |
mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].name | |
mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value | |
mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)exact | |
mcp.policies.ai.promptGuard.response[].(1)webhook.forwardHeaderMatches[].value.(1)regex | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails | Configuration for AWS Bedrock Guardrails integration. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailIdentifier | The unique identifier of the guardrail |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.guardrailVersion | The version of the guardrail |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.region | AWS region where the guardrail is deployed |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies | Backend policies for AWS authentication (optional, defaults to implicit AWS auth) |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.add | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.set | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestHeaderModifier.remove | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.add | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.set | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.responseHeaderModifier.remove | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.scheme | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)full | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.requestRedirect.status | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.add | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.set | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.remove | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.body | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.request.metadata | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.add | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.set | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.remove | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.body | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.transformations.response.metadata | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS | Send TLS to the backend. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.cert | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.key | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.root | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.hostname | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecure | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.insecureHost | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.alpn | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendTLS.subjectAltNames | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth | Authenticate to the backend. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)passthrough | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http | Specify HTTP settings for the backend |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.version | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.http.requestTimeout | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp | Specify TCP settings for the backend |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.enabled | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.time | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.interval | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.keepalives.retries | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.secs | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.tcp.connectTimeout.nanos | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.eviction.duration | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthThreshold | |
mcp.policies.ai.promptGuard.response[].(1)bedrockGuardrails.policies.health.healthOnUnevict | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor | Configuration for Google Cloud Model Armor integration. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.templateId | The template ID for the Model Armor configuration |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.projectId | The GCP project ID |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.location | The GCP region (default: us-central1) |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies | Backend policies for GCP authentication (optional, defaults to implicit GCP auth) |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.add | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.set | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestHeaderModifier.remove | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.add | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.set | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.responseHeaderModifier.remove | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.scheme | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)full | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.requestRedirect.status | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.add | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.set | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.remove | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.body | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.request.metadata | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.add | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.set | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.remove | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.body | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.transformations.response.metadata | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS | Send TLS to the backend. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.cert | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.key | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.root | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.hostname | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecure | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.insecureHost | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.alpn | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendTLS.subjectAltNames | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth | Authenticate to the backend. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)passthrough | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http | Specify HTTP settings for the backend |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.version | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.http.requestTimeout | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp | Specify TCP settings for the backend |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.enabled | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.time | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.interval | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.keepalives.retries | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.secs | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.tcp.connectTimeout.nanos | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.eviction.duration | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthThreshold | |
mcp.policies.ai.promptGuard.response[].(1)googleModelArmor.policies.health.healthOnUnevict | |
mcp.policies.ai.promptGuard.response[].rejection | |
mcp.policies.ai.promptGuard.response[].rejection.body | |
mcp.policies.ai.promptGuard.response[].rejection.status | |
mcp.policies.ai.promptGuard.response[].rejection.headers | Optional headers to add, set, or remove from the rejection response |
mcp.policies.ai.promptGuard.response[].rejection.headers.add | |
mcp.policies.ai.promptGuard.response[].rejection.headers.set | |
mcp.policies.ai.promptGuard.response[].rejection.headers.remove | |
mcp.policies.ai.defaults | |
mcp.policies.ai.overrides | |
mcp.policies.ai.transformations | |
mcp.policies.ai.prompts | |
mcp.policies.ai.prompts.append | |
mcp.policies.ai.prompts.append[].role | |
mcp.policies.ai.prompts.append[].content | |
mcp.policies.ai.prompts.prepend | |
mcp.policies.ai.prompts.prepend[].role | |
mcp.policies.ai.prompts.prepend[].content | |
mcp.policies.ai.modelAliases | |
mcp.policies.ai.promptCaching | |
mcp.policies.ai.promptCaching.cacheSystem | |
mcp.policies.ai.promptCaching.cacheMessages | |
mcp.policies.ai.promptCaching.cacheTools | |
mcp.policies.ai.promptCaching.minTokens | |
mcp.policies.ai.routes | |
mcp.policies.backendTLS | Send TLS to the backend. |
mcp.policies.backendTLS.cert | |
mcp.policies.backendTLS.key | |
mcp.policies.backendTLS.root | |
mcp.policies.backendTLS.hostname | |
mcp.policies.backendTLS.insecure | |
mcp.policies.backendTLS.insecureHost | |
mcp.policies.backendTLS.alpn | |
mcp.policies.backendTLS.subjectAltNames | |
mcp.policies.backendAuth | Authenticate to the backend. |
mcp.policies.backendAuth.(any)(1)passthrough | |
mcp.policies.backendAuth.(any)(1)key | |
mcp.policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.backendAuth.(any)(1)gcp | |
mcp.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.backendAuth.(any)(1)aws | |
mcp.policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.backendAuth.(any)(1)azure | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.localRateLimit | Rate limit incoming requests. State is kept local. |
mcp.policies.localRateLimit[].maxTokens | |
mcp.policies.localRateLimit[].tokensPerFill | |
mcp.policies.localRateLimit[].fillInterval | |
mcp.policies.localRateLimit[].type | |
mcp.policies.remoteRateLimit | Rate limit incoming requests. State is managed by a remote server. |
mcp.policies.remoteRateLimit.(any)(1)service | |
mcp.policies.remoteRateLimit.(any)(1)service.name | |
mcp.policies.remoteRateLimit.(any)(1)service.name.namespace | |
mcp.policies.remoteRateLimit.(any)(1)service.name.hostname | |
mcp.policies.remoteRateLimit.(any)(1)service.port | |
mcp.policies.remoteRateLimit.(any)(1)host | Hostname or IP address |
mcp.policies.remoteRateLimit.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
mcp.policies.remoteRateLimit.(any)domain | |
mcp.policies.remoteRateLimit.(any)policies | Policies to connect to the backend |
mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier.add | |
mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier.set | |
mcp.policies.remoteRateLimit.(any)policies.requestHeaderModifier.remove | |
mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier.add | |
mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier.set | |
mcp.policies.remoteRateLimit.(any)policies.responseHeaderModifier.remove | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.scheme | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.path | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)full | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.remoteRateLimit.(any)policies.requestRedirect.status | |
mcp.policies.remoteRateLimit.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.remoteRateLimit.(any)policies.transformations.request | |
mcp.policies.remoteRateLimit.(any)policies.transformations.request.add | |
mcp.policies.remoteRateLimit.(any)policies.transformations.request.set | |
mcp.policies.remoteRateLimit.(any)policies.transformations.request.remove | |
mcp.policies.remoteRateLimit.(any)policies.transformations.request.body | |
mcp.policies.remoteRateLimit.(any)policies.transformations.request.metadata | |
mcp.policies.remoteRateLimit.(any)policies.transformations.response | |
mcp.policies.remoteRateLimit.(any)policies.transformations.response.add | |
mcp.policies.remoteRateLimit.(any)policies.transformations.response.set | |
mcp.policies.remoteRateLimit.(any)policies.transformations.response.remove | |
mcp.policies.remoteRateLimit.(any)policies.transformations.response.body | |
mcp.policies.remoteRateLimit.(any)policies.transformations.response.metadata | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS | Send TLS to the backend. |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.cert | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.key | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.root | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.hostname | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.insecure | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.insecureHost | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.alpn | |
mcp.policies.remoteRateLimit.(any)policies.backendTLS.subjectAltNames | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth | Authenticate to the backend. |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)passthrough | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.remoteRateLimit.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.remoteRateLimit.(any)policies.http | Specify HTTP settings for the backend |
mcp.policies.remoteRateLimit.(any)policies.http.version | |
mcp.policies.remoteRateLimit.(any)policies.http.requestTimeout | |
mcp.policies.remoteRateLimit.(any)policies.tcp | Specify TCP settings for the backend |
mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives | |
mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.enabled | |
mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.time | |
mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.interval | |
mcp.policies.remoteRateLimit.(any)policies.tcp.keepalives.retries | |
mcp.policies.remoteRateLimit.(any)policies.tcp.connectTimeout | |
mcp.policies.remoteRateLimit.(any)policies.tcp.connectTimeout.secs | |
mcp.policies.remoteRateLimit.(any)policies.tcp.connectTimeout.nanos | |
mcp.policies.remoteRateLimit.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.remoteRateLimit.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.remoteRateLimit.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.remoteRateLimit.(any)policies.health.eviction.duration | |
mcp.policies.remoteRateLimit.(any)policies.health.healthThreshold | |
mcp.policies.remoteRateLimit.(any)policies.health.healthOnUnevict | |
mcp.policies.remoteRateLimit.(any)descriptors | |
mcp.policies.remoteRateLimit.(any)descriptors[].entries | |
mcp.policies.remoteRateLimit.(any)descriptors[].entries[].key | |
mcp.policies.remoteRateLimit.(any)descriptors[].entries[].value | |
mcp.policies.remoteRateLimit.(any)descriptors[].type | |
mcp.policies.remoteRateLimit.(any)failureMode | Behavior when the remote rate limit service is unavailable or returns an error. Defaults to failClosed, denying requests with a 500 status on service failure. |
mcp.policies.jwtAuth | Authenticate incoming JWT requests. |
mcp.policies.jwtAuth.(any)(any)mode | |
mcp.policies.jwtAuth.(any)(any)providers | |
mcp.policies.jwtAuth.(any)(any)providers[].issuer | |
mcp.policies.jwtAuth.(any)(any)providers[].audiences | |
mcp.policies.jwtAuth.(any)(any)providers[].jwks | |
mcp.policies.jwtAuth.(any)(any)providers[].jwks.(any)file | |
mcp.policies.jwtAuth.(any)(any)providers[].jwks.(any)url | |
mcp.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
mcp.policies.jwtAuth.(any)(any)providers[].jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
mcp.policies.jwtAuth.(any)(any)mode | |
mcp.policies.jwtAuth.(any)(any)issuer | |
mcp.policies.jwtAuth.(any)(any)audiences | |
mcp.policies.jwtAuth.(any)(any)jwks | |
mcp.policies.jwtAuth.(any)(any)jwks.(any)file | |
mcp.policies.jwtAuth.(any)(any)jwks.(any)url | |
mcp.policies.jwtAuth.(any)(any)jwtValidationOptions | JWT validation options controlling which claims must be present in a token. The required_claims set specifies which RFC 7519 registered claims mustexist in the token payload before validation proceeds. Only the following values are recognized: exp, nbf, aud, iss, sub. Other registeredclaims such as iat and jti are not enforced by the underlyingjsonwebtoken library and will be silently ignored.This only enforces presence. Standard claims like exp and nbfhave their values validated independently (e.g., expiry is always checked when the exp claim is present, regardless of this setting).Defaults to ["exp"]. |
mcp.policies.jwtAuth.(any)(any)jwtValidationOptions.requiredClaims | Claims that must be present in the token before validation. Only “exp”, “nbf”, “aud”, “iss”, “sub” are enforced; others (including “iat” and “jti”) are ignored. Defaults to [“exp”]. Use an empty list to require no claims. |
mcp.policies.basicAuth | Authenticate incoming requests using Basic Authentication with htpasswd. |
mcp.policies.basicAuth.htpasswd | .htpasswd file contents/reference |
mcp.policies.basicAuth.htpasswd.(any)file | |
mcp.policies.basicAuth.realm | Realm name for the WWW-Authenticate header |
mcp.policies.basicAuth.mode | Validation mode for basic authentication |
mcp.policies.apiKey | Authenticate incoming requests using API Keys |
mcp.policies.apiKey.keys | List of API keys |
mcp.policies.apiKey.keys[].key | |
mcp.policies.apiKey.keys[].metadata | |
mcp.policies.apiKey.mode | Validation mode for API keys |
mcp.policies.extAuthz | Authenticate incoming requests by calling an external authorization server. |
mcp.policies.extAuthz.(any)(1)service | |
mcp.policies.extAuthz.(any)(1)service.name | |
mcp.policies.extAuthz.(any)(1)service.name.namespace | |
mcp.policies.extAuthz.(any)(1)service.name.hostname | |
mcp.policies.extAuthz.(any)(1)service.port | |
mcp.policies.extAuthz.(any)(1)host | Hostname or IP address |
mcp.policies.extAuthz.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
mcp.policies.extAuthz.(any)policies | Policies to connect to the backend |
mcp.policies.extAuthz.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.extAuthz.(any)policies.requestHeaderModifier.add | |
mcp.policies.extAuthz.(any)policies.requestHeaderModifier.set | |
mcp.policies.extAuthz.(any)policies.requestHeaderModifier.remove | |
mcp.policies.extAuthz.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.extAuthz.(any)policies.responseHeaderModifier.add | |
mcp.policies.extAuthz.(any)policies.responseHeaderModifier.set | |
mcp.policies.extAuthz.(any)policies.responseHeaderModifier.remove | |
mcp.policies.extAuthz.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.extAuthz.(any)policies.requestRedirect.scheme | |
mcp.policies.extAuthz.(any)policies.requestRedirect.authority | |
mcp.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.extAuthz.(any)policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.extAuthz.(any)policies.requestRedirect.path | |
mcp.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)full | |
mcp.policies.extAuthz.(any)policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.extAuthz.(any)policies.requestRedirect.status | |
mcp.policies.extAuthz.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.extAuthz.(any)policies.transformations.request | |
mcp.policies.extAuthz.(any)policies.transformations.request.add | |
mcp.policies.extAuthz.(any)policies.transformations.request.set | |
mcp.policies.extAuthz.(any)policies.transformations.request.remove | |
mcp.policies.extAuthz.(any)policies.transformations.request.body | |
mcp.policies.extAuthz.(any)policies.transformations.request.metadata | |
mcp.policies.extAuthz.(any)policies.transformations.response | |
mcp.policies.extAuthz.(any)policies.transformations.response.add | |
mcp.policies.extAuthz.(any)policies.transformations.response.set | |
mcp.policies.extAuthz.(any)policies.transformations.response.remove | |
mcp.policies.extAuthz.(any)policies.transformations.response.body | |
mcp.policies.extAuthz.(any)policies.transformations.response.metadata | |
mcp.policies.extAuthz.(any)policies.backendTLS | Send TLS to the backend. |
mcp.policies.extAuthz.(any)policies.backendTLS.cert | |
mcp.policies.extAuthz.(any)policies.backendTLS.key | |
mcp.policies.extAuthz.(any)policies.backendTLS.root | |
mcp.policies.extAuthz.(any)policies.backendTLS.hostname | |
mcp.policies.extAuthz.(any)policies.backendTLS.insecure | |
mcp.policies.extAuthz.(any)policies.backendTLS.insecureHost | |
mcp.policies.extAuthz.(any)policies.backendTLS.alpn | |
mcp.policies.extAuthz.(any)policies.backendTLS.subjectAltNames | |
mcp.policies.extAuthz.(any)policies.backendAuth | Authenticate to the backend. |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)passthrough | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)key | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.extAuthz.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.extAuthz.(any)policies.http | Specify HTTP settings for the backend |
mcp.policies.extAuthz.(any)policies.http.version | |
mcp.policies.extAuthz.(any)policies.http.requestTimeout | |
mcp.policies.extAuthz.(any)policies.tcp | Specify TCP settings for the backend |
mcp.policies.extAuthz.(any)policies.tcp.keepalives | |
mcp.policies.extAuthz.(any)policies.tcp.keepalives.enabled | |
mcp.policies.extAuthz.(any)policies.tcp.keepalives.time | |
mcp.policies.extAuthz.(any)policies.tcp.keepalives.interval | |
mcp.policies.extAuthz.(any)policies.tcp.keepalives.retries | |
mcp.policies.extAuthz.(any)policies.tcp.connectTimeout | |
mcp.policies.extAuthz.(any)policies.tcp.connectTimeout.secs | |
mcp.policies.extAuthz.(any)policies.tcp.connectTimeout.nanos | |
mcp.policies.extAuthz.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.extAuthz.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.extAuthz.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.extAuthz.(any)policies.health.eviction.duration | |
mcp.policies.extAuthz.(any)policies.health.healthThreshold | |
mcp.policies.extAuthz.(any)policies.health.healthOnUnevict | |
mcp.policies.extAuthz.(any)protocol | The ext_authz protocol to use. Unless you need to integrate with an HTTP-only server, gRPC is recommended. |
mcp.policies.extAuthz.(any)protocol.(1)grpc | |
mcp.policies.extAuthz.(any)protocol.(1)grpc.context | Additional context to send to the authorization service. This maps to the context_extensions field of the request, and only allows static values. |
mcp.policies.extAuthz.(any)protocol.(1)grpc.metadata | Additional metadata to send to the authorization service. This maps to the metadata_context.filter_metadata field of the request, and allows dynamic CEL expressions.If unset, by default the envoy.filters.http.jwt_authn key is set if the JWT policy is used as well, for compatibility. |
mcp.policies.extAuthz.(any)protocol.(1)http | |
mcp.policies.extAuthz.(any)protocol.(1)http.path | |
mcp.policies.extAuthz.(any)protocol.(1)http.redirect | When using the HTTP protocol, and the server returns unauthorized, redirect to the URL resolved by the provided expression rather than directly returning the error. |
mcp.policies.extAuthz.(any)protocol.(1)http.includeResponseHeaders | Specific headers from the authorization response will be copied into the request to the backend. |
mcp.policies.extAuthz.(any)protocol.(1)http.addRequestHeaders | Specific headers to add in the authorization request (empty = all headers), based on the expression |
mcp.policies.extAuthz.(any)protocol.(1)http.metadata | Metadata to include under the extauthz variable, based on the authorization response. |
mcp.policies.extAuthz.(any)failureMode | Behavior when the authorization service is unavailable or returns an error |
mcp.policies.extAuthz.(any)failureMode.(1)denyWithStatus | |
mcp.policies.extAuthz.(any)includeRequestHeaders | Specific headers to include in the authorization request. If unset, the gRPC protocol sends all request headers. The HTTP protocol sends only ‘Authorization’. |
mcp.policies.extAuthz.(any)includeRequestBody | Options for including the request body in the authorization request |
mcp.policies.extAuthz.(any)includeRequestBody.maxRequestBytes | Maximum size of request body to buffer (default: 8192) |
mcp.policies.extAuthz.(any)includeRequestBody.allowPartialMessage | If true, send partial body when max_request_bytes is reached |
mcp.policies.extAuthz.(any)includeRequestBody.packAsBytes | If true, pack body as raw bytes in gRPC |
mcp.policies.extProc | Extend agentgateway with an external processor |
mcp.policies.extProc.(any)(1)service | |
mcp.policies.extProc.(any)(1)service.name | |
mcp.policies.extProc.(any)(1)service.name.namespace | |
mcp.policies.extProc.(any)(1)service.name.hostname | |
mcp.policies.extProc.(any)(1)service.port | |
mcp.policies.extProc.(any)(1)host | Hostname or IP address |
mcp.policies.extProc.(any)(1)backend | Explicit backend reference. Backend must be defined in the top level backends list |
mcp.policies.extProc.(any)policies | Policies to connect to the backend |
mcp.policies.extProc.(any)policies.requestHeaderModifier | Headers to be modified in the request. |
mcp.policies.extProc.(any)policies.requestHeaderModifier.add | |
mcp.policies.extProc.(any)policies.requestHeaderModifier.set | |
mcp.policies.extProc.(any)policies.requestHeaderModifier.remove | |
mcp.policies.extProc.(any)policies.responseHeaderModifier | Headers to be modified in the response. |
mcp.policies.extProc.(any)policies.responseHeaderModifier.add | |
mcp.policies.extProc.(any)policies.responseHeaderModifier.set | |
mcp.policies.extProc.(any)policies.responseHeaderModifier.remove | |
mcp.policies.extProc.(any)policies.requestRedirect | Directly respond to the request with a redirect. |
mcp.policies.extProc.(any)policies.requestRedirect.scheme | |
mcp.policies.extProc.(any)policies.requestRedirect.authority | |
mcp.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)full | |
mcp.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)host | |
mcp.policies.extProc.(any)policies.requestRedirect.authority.(any)(1)port | |
mcp.policies.extProc.(any)policies.requestRedirect.path | |
mcp.policies.extProc.(any)policies.requestRedirect.path.(any)(1)full | |
mcp.policies.extProc.(any)policies.requestRedirect.path.(any)(1)prefix | |
mcp.policies.extProc.(any)policies.requestRedirect.status | |
mcp.policies.extProc.(any)policies.transformations | Modify requests and responses sent to and from the backend. |
mcp.policies.extProc.(any)policies.transformations.request | |
mcp.policies.extProc.(any)policies.transformations.request.add | |
mcp.policies.extProc.(any)policies.transformations.request.set | |
mcp.policies.extProc.(any)policies.transformations.request.remove | |
mcp.policies.extProc.(any)policies.transformations.request.body | |
mcp.policies.extProc.(any)policies.transformations.request.metadata | |
mcp.policies.extProc.(any)policies.transformations.response | |
mcp.policies.extProc.(any)policies.transformations.response.add | |
mcp.policies.extProc.(any)policies.transformations.response.set | |
mcp.policies.extProc.(any)policies.transformations.response.remove | |
mcp.policies.extProc.(any)policies.transformations.response.body | |
mcp.policies.extProc.(any)policies.transformations.response.metadata | |
mcp.policies.extProc.(any)policies.backendTLS | Send TLS to the backend. |
mcp.policies.extProc.(any)policies.backendTLS.cert | |
mcp.policies.extProc.(any)policies.backendTLS.key | |
mcp.policies.extProc.(any)policies.backendTLS.root | |
mcp.policies.extProc.(any)policies.backendTLS.hostname | |
mcp.policies.extProc.(any)policies.backendTLS.insecure | |
mcp.policies.extProc.(any)policies.backendTLS.insecureHost | |
mcp.policies.extProc.(any)policies.backendTLS.alpn | |
mcp.policies.extProc.(any)policies.backendTLS.subjectAltNames | |
mcp.policies.extProc.(any)policies.backendAuth | Authenticate to the backend. |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)passthrough | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)key | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)key.(any)file | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)audience | Audience for the token. If not set, the destination host will be used. |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)gcp.(any)type | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)accessKeyId | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)secretAccessKey | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)region | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)aws.(any)sessionToken | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.tenant_id | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_id | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)clientSecret.client_secret | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)clientId | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)objectId | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)managedIdentity.userAssignedIdentity.(any)(1)resourceId | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)explicitConfig.(1)workloadIdentity | |
mcp.policies.extProc.(any)policies.backendAuth.(any)(1)azure.(1)developerImplicit | |
mcp.policies.extProc.(any)policies.http | Specify HTTP settings for the backend |
mcp.policies.extProc.(any)policies.http.version | |
mcp.policies.extProc.(any)policies.http.requestTimeout | |
mcp.policies.extProc.(any)policies.tcp | Specify TCP settings for the backend |
mcp.policies.extProc.(any)policies.tcp.keepalives | |
mcp.policies.extProc.(any)policies.tcp.keepalives.enabled | |
mcp.policies.extProc.(any)policies.tcp.keepalives.time | |
mcp.policies.extProc.(any)policies.tcp.keepalives.interval | |
mcp.policies.extProc.(any)policies.tcp.keepalives.retries | |
mcp.policies.extProc.(any)policies.tcp.connectTimeout | |
mcp.policies.extProc.(any)policies.tcp.connectTimeout.secs | |
mcp.policies.extProc.(any)policies.tcp.connectTimeout.nanos | |
mcp.policies.extProc.(any)policies.health | Health policy for backend outlier detection; evicts on unhealthy responses based on CEL condition and configurable duration. |
mcp.policies.extProc.(any)policies.health.unhealthyExpression | CEL expression; true means unhealthy (evict). E.g. response.code >= 500. |
mcp.policies.extProc.(any)policies.health.eviction | Local/config eviction sub-policy with duration as string; mirrors Eviction. |
mcp.policies.extProc.(any)policies.health.eviction.duration | |
mcp.policies.extProc.(any)policies.health.healthThreshold | |
mcp.policies.extProc.(any)policies.health.healthOnUnevict | |
mcp.policies.extProc.(any)failureMode | Behavior when the ext_proc service is unavailable or returns an error |
mcp.policies.extProc.(any)metadataContext | Additional metadata to send to the external processing service. Maps to the metadata_context.filter_metadata field in ProcessingRequest, and allows dynamic CEL expressions. |
mcp.policies.extProc.(any)requestAttributes | Maps to the request attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
mcp.policies.extProc.(any)responseAttributes | Maps to the response attributes field in ProcessingRequest, and allows dynamic CEL expressions. |
mcp.policies.transformations | Modify requests and responses |
mcp.policies.transformations.request | |
mcp.policies.transformations.request.add | |
mcp.policies.transformations.request.set | |
mcp.policies.transformations.request.remove | |
mcp.policies.transformations.request.body | |
mcp.policies.transformations.request.metadata | |
mcp.policies.transformations.response | |
mcp.policies.transformations.response.add | |
mcp.policies.transformations.response.set | |
mcp.policies.transformations.response.remove | |
mcp.policies.transformations.response.body | |
mcp.policies.transformations.response.metadata | |
mcp.policies.csrf | Handle CSRF protection by validating request origins against configured allowed origins. |
mcp.policies.csrf.additionalOrigins | |
mcp.policies.timeout | Timeout requests that exceed the configured duration. |
mcp.policies.timeout.requestTimeout | |
mcp.policies.timeout.backendRequestTimeout | |
mcp.policies.retry | Retry matching requests. |
mcp.policies.retry.attempts | |
mcp.policies.retry.backoff | |
mcp.policies.retry.codes |
