Expose a Function with an API Rule

This tutorial shows how you can expose your Function to access it outside the cluster, through an HTTP proxy. To expose it, use an APIRule custom resource (CR) managed by the in-house API Gateway Controller. This controller reacts to an instance of the APIRule CR and, based on its details, it creates an Istio VirtualService and Oathkeeper Access Rules that specify your permissions for the exposed Function.

When you complete this tutorial, you get a Function that:

  • Is available on an unsecured endpoint (handler set to noop in the APIRule CR).
  • Accepts the GET, POST, PUT, and DELETE methods.

NOTE: To learn more about securing your Function, see the Expose and secure a workload with OAuth2 or Expose and secure a workload with JWT tutorials.

TIP: Read also about Function’s specification if you are interested in its signature, event and context objects, and custom HTTP responses the Function returns.


This tutorial is based on an existing Function. To create one, follow the Create a Function tutorial.


Follow these steps:

  • Kyma CLI
  • kubectl
  • Kyma Dashboard