This topic provides full details about the `Gateway` resource.
## Introduction
A `Gateway` is an instance of network infrastructure that determines how service traffic should be handled. A `Gateway` contains one or more `listeners` that bind to a set of IP addresses. An `HTTPRoute` or `TCPRoute` can then attach to a gateway listener to direct traffic from the gateway to a service.
Gateway instances derive their configurations from the `GatewayClass` resource, which acts as a template for individual `Gateway` deployments. Refer to [GatewayClass](/docs/api-gateway/configuration/gatewayclass) for additional information.
Specify the following parameters to declare a Gateway:
| kind | Specifies the type of configuration object. The value should always be Gateway | Required |
| description | Human-readable string for describing the purpose of the Gateway. | Optional |
| version | Specifies the Kubernetes API version. The value should always be gateway.networking.k8s.io/v1alpha2 | Required |
| scope | Specifies the effective scope of the Gateway. The value should always be namespaced. | Required |
| fields | Specifies the configurations for the Gateway. The fields are listed in the Configuration model. Details for each field are described in the Specification. | Required |
## Configuration model
* gatewayClassName: string | required
* listeners: array of objects | required
* allowedRoutes: object | required
* namespaces: object | required
* from: string | required
* selector: object | required if from is configured to selector
* matchExpressions: array of objects | required if matchLabels is not configured
* key: string | required if matchExpressions is declared
* operator: string | required if matchExpressions is declared
* values: array of strings | required if matchExpressions is declared
* matchLabels: map of strings | required if matchExpressions is not configured
* hostname: string | required
* name: string | required
* port: integer | required
* protocol: string | required
* tls: object | required if protocol is set to HTTPS
* certificateRefs: array or objects | required if tls is declared
* name: string | required if certificateRefs is declared
* namespace: string | required if certificateRefs is declared
* mode: string | required if certificateRefs is declared
Specifies the name of the `GatewayClass` resource used for the `Gateway` instance.
* Type: string
* Required: required
### listeners
Specifies the `listeners` associated with the `Gateway`. At least one `listener` must be specified. Each `listener` within a `Gateway` must have a unique combination of `hostname`, `port`, and `protocol`.
* Type: array of objects
* Required: required
### listeners.allowedRoutes
Specifies a `namespace` object that defines the types of routes that may be attached to a listener.
* Type: object
* Required: required
### listeners.allowedRoutes.namespaces
Determines which routes are allowed to attach to the `listener`. Only routes in the same namespace as the `Gateway` may be attached by default.
### listeners.allowedRoutes.namespaces.from
Specifies the policy for which namespaces a route may attach to a `Gateway` from. Defaults to `Same`.
Specifies an array of requirements for matching namespaces. If a match is found, then routes from the matching namespace(s) are allowed to attach to the `Gateway`. The following table describes members of the `matchExpressions` array:
| key | Specifies that label that the key applies to. | string |
| operator | Specifies the key's relation to a set of values. The following values are valid:In: description of what this means NotIn: description of what this means Exists: description of what this means DoesNotExist: description of what this means | string |
| values | Specifies an array of string values. If the operator is configured to In or NotIn,the values array must be non-empty. If theoperator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | array of strings |
| scope | Specifies the effective scope of the Gateway. The value should always be namespaced. | Required |
| fields | Specifies the configurations for the Gateway. The fields are listed in the Configuration model. Details for each field are described in the Specification. | Required |
Specifies an array of labels and label values. If a match is found, then routes with the matching label(s) are allowed to attach to the `Gateway`. This selector can contain any arbitrary key/value pair.
```yaml
namespaceSelector:
matchLabels:
foo: bar
```
For more on labels, see [Labels and Selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
Specifies the port number that the `listener` will attach to
* Type: integer
* Required: required
### listeners.protocol
Specifies the protocol the `listener` will use
* Type: string
* Required: required
Allowed values `TCP`, `HTTP`, `HTTPS`
### listeners.tls
* Type: Object
* Required: required if protocol is set to HTTPS
### listeners.tls.certificateRefs
`CertificateRefs` contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated `listener`. Each reference must be a Kubernetes Secret, and, if using a Secret in a namespace other than the`Gateway`'s, must have a corresponding `ReferencePolicy` created.