API Reference
Packages:
waap.core.u-s-p.ch/v1alpha1
Resource Types:
CoreWaapService
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | waap.core.u-s-p.ch/v1alpha1 | true |
kind | string | CoreWaapService | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
spec | object | | false |
status | object | | false |
CoreWaapService.spec
Name | Type | Description | Required |
---|---|---|---|
routes | []object | List of routes to backends (at least one route must be defined) | true |
authentications | []object | List of authentications (OpenID Connect / OAuth 2.0 clients and/or JWT validations) | false |
crs | object | OWASP Core Rule Set (CRS) settings (version 4.3.0) | false |
csrfPolicy | object | Global CSRF protection (default on). It detects and blocks CSRF attacks by comparing the request origin (taken from the 'Origin' or 'Referer' header) with the request target. If the origin does not match the target and is not explicitly allowed, the request is blocked. | false |
headerFiltering | object | Global header filtering (default is to allow standard headers only) | false |
hostnames | []string | List of hostnames (append ports with ':', default is wildcard '*') | false |
nativeConfigPostProcessing | []string | JavaScripts for post-processing the generated Envoy config | false |
operation | object | Operation-related settings for the Core WAAP Kubernetes deployment; these settings typically do not affect the generated Envoy config (optional, except that the operation's image/version fields must be set in the spec or via a default in the operator config). Merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in the operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity. | false |
originBlocking | object | Origin blocking | false |
trafficProcessing | object | Traffic processing settings (e.g. for ICAP anti-virus scanning) | false |
webResources | object | Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content | false |
websocket | boolean | Allow websocket. Default: false | false |
CoreWaapService.spec.routes[index]
Name | Type | Description | Required |
---|---|---|---|
backend | object | Backend | true |
match | object | Matching criteria | true |
auth | object | Authentication | false |
autoHostRewrite | boolean | Indicates that during forwarding the Host header is replaced with the hostname of the upstream host. Default: true | false |
crs | object | CRS settings per route | false |
trafficProcessingRefs | []string | References to traffic processing; processing order is OpenAPI, then ICAP (and within each type in the order listed under trafficProcessing) | false |
CoreWaapService.spec.routes[index].backend
Backend
Name | Type | Description | Required |
---|---|---|---|
address | string | Backend hostname or IP | true |
port | integer | Backend port number. Minimum: 1 Maximum: 65535 | true |
protocol | object | Protocol | false |
tls | object | TLS | false |
CoreWaapService.spec.routes[index].backend.protocol
Protocol
Name | Type | Description | Required |
---|---|---|---|
selection | enum | Selection of upstream protocol (h2 uses HTTP/2, h1 uses HTTP/1.1, auto negotiates the protocol using ALPN (requires TLS) with HTTP/2 preferred and HTTP/1.1 as fallback). Enum: auto, h1, h2 Default: h2 | false |
CoreWaapService.spec.routes[index].backend.tls
TLS
Name | Type | Description | Required |
---|---|---|---|
checkCertificates | boolean | Check trusted certificates and SAN. Default: true | false |
enabled | boolean | Enable TLS. Default: false | false |
CoreWaapService.spec.routes[index].match
Matching criteria
Name | Type | Description | Required |
---|---|---|---|
path | string | Path (depending on pathType either a regex or a prefix) | true |
filters | object | Filters | false |
headers | []object | List of header matchers (logical AND between header matchers and with path) | false |
pathType | enum | Path type. Enum: PREFIX, REGEX Default: REGEX | false |
CoreWaapService.spec.routes[index].match.filters
Filters
Name | Type | Description | Required |
---|---|---|---|
allowedMethods | []enum | Allowed HTTP methods (all methods allowed if not specified). Enum: ACL, BIND, CHECKOUT, CONNECT, COPY, DELETE, GET, HEAD, LINK, LOCK, MERGE, MKACTIVITY, MKCALENDAR, MKCOL, MOVE, MSEARCH, NOTIFY, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PURGE, PUT, REBIND, REPORT, SEARCH, SOURCE, SUBSCRIBE, TRACE, UNBIND, UNLINK, UNLOCK, UNSUBSCRIBE | false |
originBlocking | object | Origin blocking | false |
rewrite | object | Rewrite request | false |
CoreWaapService.spec.routes[index].match.filters.originBlocking
Origin blocking
Name | Type | Description | Required |
---|---|---|---|
ips | []string | Allowed or denied IP addresses (CIDR notation or single IP, e.g. 1.2.3.4/32 or 1.2.3.4) | true |
policy | enum | Policy (ALLOW or DENY access depending on origin). Enum: ALLOW, DENY | true |
CoreWaapService.spec.routes[index].match.filters.rewrite
Rewrite request
Name | Type | Description | Required |
---|---|---|---|
url | object | URL to set upstream | false |
CoreWaapService.spec.routes[index].match.filters.rewrite.url
URL to set upstream
Name | Type | Description | Required |
---|---|---|---|
path | string | Path to rewrite (for a regex path, \1, \2 etc. can be used to insert the matched regex groups) | true |
CoreWaapService.spec.routes[index].match.headers[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Request header name | true |
value | string | Request header value (exact match of full string) | true |
CoreWaapService.spec.routes[index].auth
Authentication
Name | Type | Description | Required |
---|---|---|---|
ref | string | Reference to the name of the corresponding authentication setting | true |
CoreWaapService.spec.routes[index].crs
CRS settings per route
Name | Type | Description | Required |
---|---|---|---|
disabled | boolean | Whether to disable all CRS parsing for the route. Default: false | false |
CoreWaapService.spec.authentications[index]
Name | Type | Description | Required |
---|---|---|---|
backend | object | Settings for propagation to backend | true |
jwksEndpoint | string | OIDC JWKS endpoint URL, provides the keys used to verify JWTs (normally https) | true |
name | string | Name to reference in routes | true |
audiences | []string | List of accepted JWT audiences (if none is specified, the JWT is not matched against an audience list) | false |
authorizationEndpoint | string | OIDC OP authorization endpoint URL (omit to mark JWT-only authentication; note that tokenEndpoint and credentials must likewise both be defined or both omitted) | false |
credentials | object | OIDC credentials (client_id and client_secret; omit if only using JWT validation) | false |
issuer | string | OIDC OP issuer (mandatory for OIDC authentication, optional for JWT-only authentication) | false |
scopes | []string | List of scopes to request in the authorization request | false |
tokenEndpoint | string | OIDC OP token endpoint URL (omit for JWT-only authentication) | false |
tokenEndpointAuthType | enum | How to pass the client_id to the OP (BODY for URL-encoded body parameter, BASIC for basic auth). Enum: BASIC, BODY Default: BODY | false |
useRefreshToken | boolean | Whether to allow automatic access token refresh using the associated refresh token. Default: false | false |
CoreWaapService.spec.authentications[index].backend
Settings for propagation to backend
Name | Type | Description | Required |
---|---|---|---|
forwardJwt | boolean | Whether to forward the JWT to the upstream server. Default: true | false |
jwtClaimToHeader | []object | Translations of JWT claims to HTTP headers | false |
CoreWaapService.spec.authentications[index].backend.jwtClaimToHeader[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | Claim to set as header | true |
headerName | string | Name of the header to set to the claim value | true |
CoreWaapService.spec.authentications[index].credentials
OIDC credentials (client_id and client_secret; omit if only using JWT validation)
Name | Type | Description | Required |
---|---|---|---|
clientId | string | OIDC client_id | true |
clientSecret | string | OIDC client_secret by value (either this or clientSecretRef is mandatory) | false |
clientSecretRef | string | OIDC client_secret via reference to a Kubernetes secret (recommended; either this or clientSecret is mandatory) | false |
hmacSecret | string | HMAC secret by value (either this or hmacSecretRef is mandatory) | false |
hmacSecretRef | string | HMAC secret via reference to a Kubernetes secret (recommended; either this or hmacSecret is mandatory) | false |
CoreWaapService.spec.crs
OWASP Core Rule Set (CRS) settings (version 4.3.0)
Name | Type | Description | Required |
---|---|---|---|
customRequestBlockingRules | []object | Custom request blocking rules | false |
enabledRequestRules | []enum | Set of request rule classes (default is to include all rules; rules REQUEST_901_INITIALIZATION and REQUEST_949_BLOCKING_EVALUATION are always included; see https://github.com/coreruleset/coreruleset/tree/v4.3.0/rules for all configurable values, just replace '-' by '_' and omit '.conf'). Enum: REQUEST_913_SCANNER_DETECTION, REQUEST_920_PROTOCOL_ENFORCEMENT, REQUEST_921_PROTOCOL_ATTACK, REQUEST_922_MULTIPART_ATTACK, REQUEST_930_APPLICATION_ATTACK_LFI, REQUEST_931_APPLICATION_ATTACK_RFI, REQUEST_932_APPLICATION_ATTACK_RCE, REQUEST_933_APPLICATION_ATTACK_PHP, REQUEST_934_APPLICATION_ATTACK_GENERIC, REQUEST_941_APPLICATION_ATTACK_XSS, REQUEST_942_APPLICATION_ATTACK_SQLI, REQUEST_943_APPLICATION_ATTACK_SESSION_FIXATION, REQUEST_944_APPLICATION_ATTACK_JAVA | false |
enabledResponseRules | []enum | Set of response rule classes (default is to include no rules; rules RESPONSE_959_BLOCKING_EVALUATION and RESPONSE_980_CORRELATION are always included; see https://github.com/coreruleset/coreruleset/tree/v4.3.0/rules for all configurable values, just replace '-' by '_' and omit '.conf'). Enum: RESPONSE_950_DATA_LEAKAGES, RESPONSE_951_DATA_LEAKAGES_SQL, RESPONSE_952_DATA_LEAKAGES_JAVA, RESPONSE_953_DATA_LEAKAGES_PHP, RESPONSE_954_DATA_LEAKAGES_IIS, RESPONSE_955_WEB_SHELLS | false |
mode | enum | Mode (BLOCK = traffic identified as suspicious is blocked; DETECT = traffic identified as suspicious is logged but not blocked; DISABLED = traffic is not inspected). Enum: BLOCK, DETECT, DISABLED Default: BLOCK | false |
paranoiaLevel | integer | Paranoia level (the higher the level, the better the protection but also the more likely false positives; see OWASP CRS for details). Default: 1 Minimum: 1 Maximum: 4 | false |
parseJson | boolean | Whether to apply CRS protection rules to JSON payloads. Default: true | false |
parseXml | boolean | Whether to apply CRS protection rules to XML payloads. Default: true | false |
requestBodyAccess | boolean | Whether to scan request bodies (if disabled, POST parameters and other content submitted in the request body are not inspected). Default: true | false |
requestBodyAccessExceptions | []object | Request body parsing exceptions (locations to exclude from parsing, typically for file uploads) | false |
requestBodyLimitKb | integer | Request body limit in KB; body bytes beyond the limit are not parsed (max 1048576 KB (1 GB)). Default: 128 Minimum: 0 Maximum: 1048576 | false |
requestRuleExceptions | []object | Conditionally disable request rules to avoid false positive alerts/blocks | false |
responseBodyLimitKb | integer | Response body limit in KB; body bytes beyond the limit are not parsed. Default: 256 Minimum: 0 Maximum: 1048576 | false |
responseRuleExceptions | []object | Conditionally disable response rules to avoid false positive alerts/blocks | false |
securityLevel | integer | Defines under which conditions suspicious requests are blocked; only has an effect if mode is BLOCK (security level 5 blocks as soon as 1 (or more) critical anomalies are found, 4 at 2, 3 at 3, 2 at 5, 1 at 10). Default: 5 Minimum: 1 Maximum: 5 | false |
validateJson | boolean | Special rule that checks the syntax of JSON requests (if the syntax is invalid and the current mode is BLOCK, such requests are blocked). Default: true | false |
CoreWaapService.spec.crs.customRequestBlockingRules[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Rule name | true |
secLangExpression | string | SecLang expression. The rule id must be in the range [300000,399999] | true |
CoreWaapService.spec.crs.requestBodyAccessExceptions[index]
Name | Type | Description | Required |
---|---|---|---|
location | string | Location for which to skip request body parsing | true |
methods | []enum | HTTP method(s) for which to skip request body parsing (at least one must be defined). Enum: ACL, BIND, CHECKOUT, CONNECT, COPY, DELETE, GET, HEAD, LINK, LOCK, MERGE, MKACTIVITY, MKCALENDAR, MKCOL, MOVE, MSEARCH, NOTIFY, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PURGE, PUT, REBIND, REPORT, SEARCH, SOURCE, SUBSCRIBE, TRACE, UNBIND, UNLINK, UNLOCK, UNSUBSCRIBE | true |
regEx | boolean | Whether the location is given as a regex. Default: false | false |
CoreWaapService.spec.crs.requestRuleExceptions[index]
Name | Type | Description | Required |
---|---|---|---|
ruleId | integer | Rule ID | true |
location | string | Location | false |
metadata | object | Metadata (no impact on native config) | false |
regEx | boolean | Whether the location is given as a regex. Default: false | false |
requestPartName | string | Request part name (e.g. 'User-Agent') | false |
requestPartType | enum | Request part type. Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
CoreWaapService.spec.crs.requestRuleExceptions[index].metadata
Metadata (no impact on native config)
Name | Type | Description | Required |
---|---|---|---|
comment | string | Comment on why the rule exception was added | false |
createdBy | string | By whom the rule exception was added | false |
date | string | Date when the rule exception was added | false |
CoreWaapService.spec.crs.responseRuleExceptions[index]
Name | Type | Description | Required |
---|---|---|---|
ruleId | integer | Rule ID | true |
location | string | Location | false |
metadata | object | Metadata (no impact on native config) | false |
regEx | boolean | Whether the location is given as a regex. Default: false | false |
requestPartName | string | Request part name (e.g. 'User-Agent') | false |
requestPartType | enum | Request part type. Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
CoreWaapService.spec.crs.responseRuleExceptions[index].metadata
Metadata (no impact on native config)
Name | Type | Description | Required |
---|---|---|---|
comment | string | Comment on why the rule exception was added | false |
createdBy | string | By whom the rule exception was added | false |
date | string | Date when the rule exception was added | false |
CoreWaapService.spec.csrfPolicy
Global CSRF protection (default on). It detects and blocks CSRF attacks by comparing the request origin (taken from the 'Origin' or 'Referer' header) with the request target. If the origin does not match the target and is not explicitly allowed, the request is blocked.
Name | Type | Description | Required |
---|---|---|---|
additionalOrigins | []string | Additional allowed origin values, specified as '{hostname}[:{port}]' (no scheme!); must correspond to the request target. | false |
enabled | boolean | Whether CSRF protection is enabled. Default: true | false |
CoreWaapService.spec.headerFiltering
Global header filtering (default is to allow standard headers only)
Name | Type | Description | Required |
---|---|---|---|
logOnly | boolean | Whether header filtering should only log headers that would otherwise be blocked. Default: false | false |
request | object | Request header filtering | false |
response | object | Response header filtering | false |
CoreWaapService.spec.headerFiltering.request
Request header filtering
Name | Type | Description | Required |
---|---|---|---|
allow | []string | List of allowed header names in addition to the ones in allowClass | false |
allowClass | enum | A common preset of allowed headers. Enum: MINIMAL, RESTRICTED, STANDARD Default: STANDARD | false |
deny | []object | List of denied header names; applied after allowClass and allow | false |
enabled | boolean | Whether request header filtering is enabled. Default: true | false |
CoreWaapService.spec.headerFiltering.request.deny[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Denied header name; '*' can be used in conjunction with a non-blank valuePattern to match all header names | false |
valuePattern | string | Lua pattern for the denied header value (see https://www.lua.org/pil/20.2.html) | false |
CoreWaapService.spec.headerFiltering.response
Response header filtering
Name | Type | Description | Required |
---|---|---|---|
allow | []string | List of allowed header names | false |
deny | []string | List of denied header names; applied after allow | false |
enabled | boolean | Whether response header filtering is enabled. Default: true | false |
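Several constraints in the tables above are cross-field rules that a CRD schema alone cannot express (at least one route, 'auto' protocol only with TLS, auth refs pointing at a defined authentication, the all-or-nothing OIDC endpoint/credential fields, a mandatory secret or secret reference, the custom rule id range, securityLevel being effective only in BLOCK mode, scheme-less additionalOrigins, and '*' deny entries needing a valuePattern), so they are worth checking before a manifest is applied. The lint below is an added example written for this page, not the operator's own validation code. The `lint_spec` function and its messages are this example's own, and the sample spec with its hostnames, backend address and JWKS URL is constructed.

```python
import re

# The reference requires these three OIDC fields to be set together or omitted together.
OIDC_FIELDS = ("authorizationEndpoint", "tokenEndpoint", "credentials")
# For each pair the reference says "either this or <ref> is mandatory".
SECRET_PAIRS = (("clientSecret", "clientSecretRef"), ("hmacSecret", "hmacSecretRef"))
# Pulls the numeric rule id out of a SecLang expression such as '... "id:300001,phase:1,deny"'.
RULE_ID = re.compile(r"\bid:\s*'?(\d+)")


def lint_spec(spec):
    """Return a list of findings for a CoreWaapService spec; an empty list means it passes."""
    findings = []
    routes = spec.get("routes") or []
    if not routes:
        findings.append("routes: at least one route must be defined")
    auth_names = {a.get("name") for a in spec.get("authentications", [])}
    for i, route in enumerate(routes):
        backend = route.get("backend", {})
        port = backend.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"routes[{i}].backend.port: must be an integer in 1..65535")
        # 'auto' negotiates the protocol via ALPN, which only exists on a TLS connection.
        selection = backend.get("protocol", {}).get("selection", "h2")
        if selection == "auto" and not backend.get("tls", {}).get("enabled", False):
            findings.append(f"routes[{i}].backend: protocol 'auto' requires tls.enabled")
        ref = route.get("auth", {}).get("ref")
        if ref is not None and ref not in auth_names:
            findings.append(f"routes[{i}].auth.ref: no authentication named {ref!r}")
    for i, auth in enumerate(spec.get("authentications", [])):
        present = [f for f in OIDC_FIELDS if f in auth]
        if present and len(present) != len(OIDC_FIELDS):
            findings.append(f"authentications[{i}]: {', '.join(OIDC_FIELDS)} must all be set or all omitted")
        if present and "issuer" not in auth:
            findings.append(f"authentications[{i}].issuer: mandatory for OIDC authentication")
        creds = auth.get("credentials")
        if creds is not None:
            for by_value, by_ref in SECRET_PAIRS:
                if by_value not in creds and by_ref not in creds:
                    findings.append(f"authentications[{i}].credentials: {by_value} or {by_ref} is mandatory")
    crs = spec.get("crs", {})
    for i, rule in enumerate(crs.get("customRequestBlockingRules", [])):
        m = RULE_ID.search(rule.get("secLangExpression", ""))
        if m is None or not 300000 <= int(m.group(1)) <= 399999:
            findings.append(f"crs.customRequestBlockingRules[{i}]: rule id must be in [300000,399999]")
    if crs.get("mode", "BLOCK") != "BLOCK" and "securityLevel" in crs:
        findings.append("crs.securityLevel: has no effect unless mode is BLOCK")
    for origin in spec.get("csrfPolicy", {}).get("additionalOrigins", []):
        if "://" in origin:  # the reference wants '{hostname}[:{port}]' with no scheme
            findings.append(f"csrfPolicy.additionalOrigins: {origin!r} must not carry a scheme")
    deny = spec.get("headerFiltering", {}).get("request", {}).get("deny", [])
    for i, entry in enumerate(deny):
        if entry.get("name") == "*" and not entry.get("valuePattern", "").strip():
            findings.append(f"headerFiltering.request.deny[{i}]: name '*' needs a non-blank valuePattern")
    return findings


# Constructed sample spec; hostnames, addresses and URLs are placeholders.
SAMPLE_SPEC = {
    "hostnames": ["app.example.test"],
    "routes": [{
        "match": {"path": "/api/", "pathType": "PREFIX",
                  "filters": {"allowedMethods": ["GET", "POST"]}},
        "backend": {"address": "api-svc.default.svc", "port": 8443,
                    "protocol": {"selection": "auto"}, "tls": {"enabled": True}},
        "auth": {"ref": "api-jwt"},
    }],
    "authentications": [{
        "name": "api-jwt",  # JWT-only: no authorizationEndpoint/tokenEndpoint/credentials
        "jwksEndpoint": "https://idp.example.test/.well-known/jwks.json",
        "audiences": ["api"],
        "backend": {"forwardJwt": False,
                    "jwtClaimToHeader": [{"claim": "sub", "headerName": "X-Subject"}]},
    }],
    "crs": {
        "mode": "BLOCK", "paranoiaLevel": 2, "securityLevel": 4,
        "customRequestBlockingRules": [{
            "name": "block-legacy-endpoint",
            "secLangExpression": 'SecRule REQUEST_URI "@beginsWith /legacy" "id:300001,phase:1,deny"',
        }],
        "requestRuleExceptions": [{  # 942100 is the CRS libinjection SQLi rule
            "ruleId": 942100, "location": "/api/search", "requestPartType": "ARGS",
            "requestPartName": "q",
            "metadata": {"comment": "free-text search field", "createdBy": "secops", "date": "2024-06-01"},
        }],
    },
    "csrfPolicy": {"additionalOrigins": ["app.example.test:443"]},
    "headerFiltering": {"request": {"allowClass": "RESTRICTED",
                                    "deny": [{"name": "*", "valuePattern": "%.%./"}]}},
}

if __name__ == "__main__":
    for finding in lint_spec(SAMPLE_SPEC) or ["spec passes all checks"]:
        print(finding)
```

The lint reads the spec as a plain dict, so a YAML manifest can be fed in after `yaml.safe_load(...)["spec"]` with PyYAML installed.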
CoreWaapService.spec.operation
Operation-related settings for the Core WAAP Kubernetes deployment; these settings typically do not affect the generated Envoy config (optional, except that the operation's image/version fields must be set in the spec or via a default in the operator config). Merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in the operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity.
Name | Type | Description | Required |
---|---|---|---|
adminInterfaceService | object | Settings for exposing the Envoy admin interface as a Kubernetes service | false |
affinity | object | Kubernetes affinity for the Core WAAP pod | false |
caCertificates | object | CA certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the file from the container) | false |
image | string | Core WAAP container image (host+path+name) without version, e.g. 'uspregistry.azurecr.io/usp/core/waap/usp-core-waap' (must be defined either in the spec or in the operator defaults). DEPRECATED: for backwards compatibility it is currently still allowed to append a version with ':' and omit a separate version field, but this is deprecated and existing config should be migrated. | false |
labels | map[string]string | Map of key/value labels for the pod | false |
port | integer | Port of the Kubernetes service and of the Envoy listener in the Core WAAP container. Default: 8080 Minimum: 1 Maximum: 65535 | false |
priorityClassName | string | Kubernetes priorityClassName for the Core WAAP pod | false |
replicas | integer | Number of replicas (default: not managed by the operator). Minimum: 1 | false |
resources | object | Kubernetes resources for the Core WAAP pod | false |
serviceAccount | object | Service account | false |
serviceAnnotations | map[string]string | Map of key/value annotations for the service | false |
startup | object | Settings for Envoy startup (mostly command line options, see https://www.envoyproxy.io/docs/envoy/latest/operations/cli) | false |
tolerations | []object | Kubernetes tolerations for the Core WAAP pod | false |
version | string | Core WAAP container (image) version, e.g. '1.1.5' (must be defined either in the spec or in the operator defaults) | false |
CoreWaapService.spec.operation.adminInterfaceService
Settings for exposing the Envoy admin interface as a Kubernetes service
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether the Envoy admin interface should be exposed as a Kubernetes service. Default: false | false |
port | integer | Port of the Kubernetes service (if enabled) and of the Envoy admin interface listener in the Core WAAP container. Default: 9901 Minimum: 1 Maximum: 65535 | false |
CoreWaapService.spec.operation.affinity
Kubernetes affinity for the Core Waap pod
Name | Type | Description | Required |
---|---|---|---|
nodeAffinity | object |
|
false |
podAffinity | object |
|
false |
podAntiAffinity | object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity
Name | Type | Description | Required |
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
requiredDuringSchedulingIgnoredDuringExecution | object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
preference | object |
|
false |
weight | integer |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchFields | []object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchFields[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution
Name | Type | Description | Required |
---|---|---|---|
nodeSelectorTerms | []object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index]
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchFields | []object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchFields[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity
Name | Type | Description | Required |
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
requiredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
podAffinityTerm | object |
|
false |
weight | integer |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object |
|
false |
matchLabelKeys | []string |
|
false |
mismatchLabelKeys | []string |
|
false |
namespaceSelector | object |
|
false |
namespaces | []string |
|
false |
topologyKey | string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object |
|
false |
matchLabelKeys | []string |
|
false |
mismatchLabelKeys | []string |
|
false |
namespaceSelector | object |
|
false |
namespaces | []string |
|
false |
topologyKey | string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity
Name | Type | Description | Required |
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
requiredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
podAffinityTerm | object |
|
false |
weight | integer |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object |
|
false |
matchLabelKeys | []string |
|
false |
mismatchLabelKeys | []string |
|
false |
namespaceSelector | object |
|
false |
namespaces | []string |
|
false |
topologyKey | string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object |
|
false |
matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string |
|
false |
operator | string |
|
false |
values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
Hard anti-affinity term (Kubernetes `PodAffinityTerm`); a pod is not scheduled onto a node where the term matches
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object | Label query over the set of pods the term applies to | false |
matchLabelKeys | []string | Pod label keys whose values (taken from the incoming pod) are merged into `labelSelector` as `key in (value)` | false |
mismatchLabelKeys | []string | Pod label keys whose values (taken from the incoming pod) are merged into `labelSelector` as `key notin (value)` | false |
namespaceSelector | object | Label query over the namespaces in which matching pods are looked up; an empty selector matches all namespaces, an unset one means the pod's own namespace (combined with `namespaces`) | false |
namespaces | []string | Static list of namespace names to look in; if empty and `namespaceSelector` is unset, the pod's own namespace | false |
topologyKey | string | Node label key defining the topology domain in which the term is enforced, e.g. `kubernetes.io/hostname` (per node) or `topology.kubernetes.io/zone` (per zone) | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
Label query over pods (Kubernetes `LabelSelector`); `matchLabels` and `matchExpressions` are ANDed
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | List of label selector requirements, all of which must match | false |
matchLabels | map[string]string | Map of key/value pairs; each pair is equivalent to a `matchExpressions` entry with operator `In` and a single value | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | Label key the requirement applies to | false |
operator | string | One of `In`, `NotIn`, `Exists`, `DoesNotExist` | false |
values | []string | Label values; must be non-empty for `In`/`NotIn` and empty for `Exists`/`DoesNotExist` | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
Label query over namespaces (Kubernetes `LabelSelector`); `matchLabels` and `matchExpressions` are ANDed
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | List of label selector requirements, all of which must match | false |
matchLabels | map[string]string | Map of key/value pairs; each pair is equivalent to a `matchExpressions` entry with operator `In` and a single value | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | Label key the requirement applies to | false |
operator | string | One of `In`, `NotIn`, `Exists`, `DoesNotExist` | false |
values | []string | Label values; must be non-empty for `In`/`NotIn` and empty for `Exists`/`DoesNotExist` | false |
CoreWaapService.spec.operation.caCertificates
CA certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the bundle shipped in the container image). Supplying your own bundle replaces the default trust store entirely, so it must contain every CA the pod needs to trust, not only the private ones.
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Name of the config map that contains the CA certificates (a concatenated PEM bundle) | true |
key | string | Key (as in 'YAML key/value pair') in the config map that contains the CA certificates | true |
CoreWaapService.spec.operation.resources
Kubernetes resources for the Core Waap pod (Kubernetes `ResourceRequirements`)
Name | Type | Description | Required |
---|---|---|---|
claims | []object | References to entries in `pod.spec.resourceClaims` (dynamic resource allocation) made available to the container | false |
limits | map[string]int or string | Maximum amount of compute resources allowed, e.g. `cpu: "1"`, `memory: 1Gi` | false |
requests | map[string]int or string | Amount of compute resources reserved for scheduling; if omitted for a resource that has a limit, it defaults to that limit | false |
CoreWaapService.spec.operation.resources.claims[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of one entry in `pod.spec.resourceClaims` | false |
CoreWaapService.spec.operation.serviceAccount
Service account used by the Core Waap pod
Name | Type | Description | Required |
---|---|---|---|
automountToken | boolean | Whether to automount the token for the service account. The mounted token carries whatever RBAC rights the service account holds, so keep it mounted only if something in the pod actually calls the Kubernetes API. Default: `true` | false |
name | string | Service account name. Default: `default` | false |
CoreWaapService.spec.operation.startup
Settings for Envoy startup (mostly command line options, see https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
Name | Type | Description | Required |
---|---|---|---|
componentLogLevel | string | Envoy log level per component in the form `{comp1}:{level1},{comp2}:{level2}`, e.g. `http:debug,connection:trace`; if not set, defaults implicitly to empty (command line option `--component-log-level`) | false |
concurrency | integer | Number of worker threads to run; if not set, defaults implicitly to the number of hardware threads on the machine (command line option `--concurrency`). Minimum: 1 | false |
logLevel | enum | Envoy global log level; if not set, defaults implicitly to `info` (command line option `--log-level`). Enum: `critical`, `debug`, `error`, `info`, `off`, `trace`, `warning` | false |
CoreWaapService.spec.operation.tolerations[index]
Toleration (Kubernetes `Toleration`); note that a `tolerations` list in the spec replaces the operator-default list completely rather than being merged with it
Name | Type | Description | Required |
---|---|---|---|
effect | string | Taint effect to match (`NoSchedule`, `PreferNoSchedule`, `NoExecute`); empty matches all effects | false |
key | string | Taint key the toleration applies to; empty together with operator `Exists` matches all taints | false |
operator | string | `Equal` (default) or `Exists` | false |
tolerationSeconds | integer | Only for effect `NoExecute`: how long the pod stays bound after the taint appears; unset means forever | false |
value | string | Taint value to match; must be empty when operator is `Exists` | false |
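A `spec.operation` fragment that exercises the operation fields above, written here as an added example and not taken from the project's own documentation. The service account name `core-waap`, the config map `waap-ca-bundle` with key `ca-certificates.crt`, the pod label `app: core-waap` used by the anti-affinity match and the taint `dedicated=ingress` are assumptions; everything else is a documented field. The image/version fields are left out on the assumption that the operator config supplies defaults for them.

```yaml
# Added example: fragment to be placed under spec: of a CoreWaapService
# that already defines routes. Names marked "assumed" are not from the page.
operation:
  serviceAccount:
    name: core-waap              # assumed to exist in the namespace
    automountToken: false        # nothing in the pod calls the Kubernetes API
  caCertificates:
    configMap: waap-ca-bundle    # assumed config map; replaces /etc/ssl/certs/ca-certificates.crt
    key: ca-certificates.crt     # must hold the complete PEM bundle, public CAs included
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: "2"
      memory: 1Gi
  startup:
    concurrency: 2               # otherwise Envoy spawns one worker per hardware thread of the node
    logLevel: warning
    componentLogLevel: "http:info,connection:warning"
  tolerations:                   # list: replaces the operator-default list entirely
    - key: dedicated             # assumed taint on the ingress node pool
      operator: Equal
      value: ingress
      effect: NoSchedule
  affinity:
    podAntiAffinity:
      # hard rule: never two Core Waap pods on the same node
      requiredDuringSchedulingIgnoredDuringExecution:
        - topologyKey: kubernetes.io/hostname
          labelSelector:
            matchLabels:
              app: core-waap     # assumed label on the generated pods
      # soft rule: prefer spreading across zones as well
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 50
          podAffinityTerm:
            topologyKey: topology.kubernetes.io/zone
            labelSelector:
              matchExpressions:
                - key: app
                  operator: In
                  values: [core-waap]
```

Because lists are overridden rather than merged, putting `tolerations` or anything under `affinity` into the spec drops whatever the operator config defined for those lists; scalar fields such as `resources.limits.cpu` are still merged individually.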
CoreWaapService.spec.originBlocking
Origin blocking: allow or deny requests based on the client IP address
Name | Type | Description | Required |
---|---|---|---|
ips | []string | Allowed or denied IP addresses (CIDR notation or single IP, e.g. `1.2.3.4/32` or the equivalent `1.2.3.4`) | true |
policy | enum | Whether the listed addresses are the only ones allowed (`ALLOW`, everything else is blocked) or the ones that are blocked (`DENY`). Enum: `ALLOW`, `DENY` | true |
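An allow-list variant of `spec.originBlocking`, added here as an example rather than taken from the project's documentation; the address ranges are constructed from the RFC 5737 documentation prefixes and stand in for an office range and a partner gateway.

```yaml
# Added example: fragment to be placed under spec: of a CoreWaapService.
# policy ALLOW turns the list into the only permitted sources; every other
# client address is blocked before the request reaches a route.
originBlocking:
  policy: ALLOW
  ips:
    - 203.0.113.0/24        # constructed "office" range
    - 198.51.100.17         # single partner gateway, same as 198.51.100.17/32
```

Changing `policy` to `DENY` keeps the list but inverts its meaning, so the same two entries become the blocked sources and everything else is let through.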
CoreWaapService.spec.trafficProcessing
Traffic processing settings (e.g. for ICAP anti-virus scanning)
Name | Type | Description | Required |
---|---|---|---|
icap | []object | Traffic processing settings for type ICAP (Internet Content Adaptation Protocol); ICAP is typically used for anti-virus scanning of HTTP request bodies; currently only validation of the HTTP request body is supported (ICAP REQMOD: the scanned body is not modified and HTTP responses are not validated) | false |
openapi | []object | Traffic processing settings for type OPENAPI; OPENAPI is used for request/response validation against an OpenAPI schema | false |
CoreWaapService.spec.trafficProcessing.icap[index]
Name | Type | Description | Required |
---|---|---|---|
config | object | Validation configuration for the sidecar | true |
name | string | Name to reference in routes under `trafficProcessingRefs` | true |
extProc | object | External processing related settings, i.e. settings for the callout to the ICAP sidecar | false |
operation | object | Operation related settings to be used for the Kubernetes deployment of the respective traffic processing sidecar (optional, except that the operation's image/version fields must be set in the spec at `trafficProcessing.{type}.operation` or via default in the operator config at `waapSpecTrafficProcessingDefaults.{type}`, where `{type}` is e.g. `icap`) [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec] | false |
CoreWaapService.spec.trafficProcessing.icap[index].config
Validation configuration for the sidecar
Name | Type | Description | Required |
---|---|---|---|
url | string | ICAP URL including protocol and port (e.g. `icap://some.host:1344/some/path`; use `icaps://` for TLS, since plain `icap://` sends the full request body unencrypted to the scanner) | true |
CoreWaapService.spec.trafficProcessing.icap[index].extProc
External processing related settings, i.e. settings for the callout to the ICAP sidecar
Name | Type | Description | Required |
---|---|---|---|
additionalCliArgs | string | Additional command line arguments for the external service | false |
messageTimeout | string | Message timeout for extProc callouts in Kubernetes duration format (e.g. `30s`); defaults to Envoy's default of 200ms, which is usually too short for scanning a request body | false |
CoreWaapService.spec.trafficProcessing.icap[index].operation
Operation related settings to be used for the Kubernetes deployment of the respective traffic processing sidecar (optional, except that the operation's image/version fields must be set in the spec at `trafficProcessing.{type}.operation` or via default in the operator config at `waapSpecTrafficProcessingDefaults.{type}`, where `{type}` is e.g. `icap`) [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec]
Name | Type | Description | Required |
---|---|---|---|
image | string | Traffic processor sidecar container image (host+path+name) without version, e.g. `uspregistry.azurecr.io/usp/core/waap/usp-core-waap-ext-proc-icap` (must be defined either in the spec or in the operator defaults per traffic processor type). DEPRECATED: for backwards compatibility it is currently still allowed to append a version with `:` and omit the separate `version` field, but this is deprecated and existing config should be migrated | false |
resources | object | Kubernetes resources for the sidecar container | false |
version | string | Traffic processor sidecar container (image) version, e.g. `1.0.1` (must be defined either in the spec or in the operator defaults per traffic processor type) | false |
CoreWaapService.spec.trafficProcessing.icap[index].operation.resources
Kubernetes resources for the sidecar container (Kubernetes `ResourceRequirements`)
Name | Type | Description | Required |
---|---|---|---|
claims | []object | References to entries in `pod.spec.resourceClaims` (dynamic resource allocation) made available to the container | false |
limits | map[string]int or string | Maximum amount of compute resources allowed, e.g. `cpu: "1"`, `memory: 512Mi` | false |
requests | map[string]int or string | Amount of compute resources reserved for scheduling; if omitted for a resource that has a limit, it defaults to that limit | false |
CoreWaapService.spec.trafficProcessing.icap[index].operation.resources.claims[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of one entry in `pod.spec.resourceClaims` | false |
CoreWaapService.spec.trafficProcessing.openapi[index]
Name | Type | Description | Required |
---|---|---|---|
config | object | Validation configuration for the sidecar | true |
name | string | Name to reference in routes under `trafficProcessingRefs` | true |
extProc | object | External processing related settings, i.e. settings for the callout to the OpenAPI sidecar | false |
operation | object | Operation related settings to be used for the Kubernetes deployment of the respective traffic processing sidecar (optional, except that the operation's image/version fields must be set in the spec at `trafficProcessing.{type}.operation` or via default in the operator config at `waapSpecTrafficProcessingDefaults.{type}`, where `{type}` is `openapi`) [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec] | false |
CoreWaapService.spec.trafficProcessing.openapi[index].config
Validation configuration for the sidecar
Name | Type | Description | Required |
---|---|---|---|
schemaSource | object | Source of the schema that will be used for validation | true |
scope | object | Validation scope settings | false |
CoreWaapService.spec.trafficProcessing.openapi[index].config.schemaSource
Source of the schema that will be used for validation
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Name of the config map that contains the schema | true |
key | string | Key in the config map that contains the schema | true |
CoreWaapService.spec.trafficProcessing.openapi[index].config.scope
Validation scope settings
Name | Type | Description | Required |
---|---|---|---|
logOnly | boolean | If `true`, validation failures are only logged and the request is still forwarded (detection without enforcement); useful while rolling out a new schema, not as a steady state. Default: `false` | false |
requestBody | boolean | Whether the request body is validated. Default: `true` | false |
responseBody | boolean | Whether the response body is validated. Default: `false` | false |
CoreWaapService.spec.trafficProcessing.openapi[index].extProc
External processing related settings, i.e. settings for the callout to the OpenAPI sidecar
Name | Type | Description | Required |
---|---|---|---|
additionalCliArgs | string | Additional command line arguments for the external service | false |
messageTimeout | string | Message timeout for extProc callouts in Kubernetes duration format (e.g. `30s`); defaults to Envoy's default of 200ms | false |
CoreWaapService.spec.trafficProcessing.openapi[index].operation
Operation related settings to be used for the Kubernetes deployment of the respective traffic processing sidecar (optional, except that the operation's image/version fields must be set in the spec at `trafficProcessing.{type}.operation` or via default in the operator config at `waapSpecTrafficProcessingDefaults.{type}`, where `{type}` is `openapi`) [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec]
Name | Type | Description | Required |
---|---|---|---|
image | string | Traffic processor sidecar container image (host+path+name) without version, in the same form as for the ICAP type (e.g. `uspregistry.azurecr.io/usp/core/waap/usp-core-waap-ext-proc-icap` there); must be defined either in the spec or in the operator defaults per traffic processor type. DEPRECATED: for backwards compatibility it is currently still allowed to append a version with `:` and omit the separate `version` field, but this is deprecated and existing config should be migrated | false |
resources | object | Kubernetes resources for the sidecar container | false |
version | string | Traffic processor sidecar container (image) version, e.g. `1.0.1` (must be defined either in the spec or in the operator defaults per traffic processor type) | false |
CoreWaapService.spec.trafficProcessing.openapi[index].operation.resources
Kubernetes resources for the sidecar container (Kubernetes `ResourceRequirements`)
Name | Type | Description | Required |
---|---|---|---|
claims | []object | References to entries in `pod.spec.resourceClaims` (dynamic resource allocation) made available to the container | false |
limits | map[string]int or string | Maximum amount of compute resources allowed, e.g. `cpu: "1"`, `memory: 512Mi` | false |
requests | map[string]int or string | Amount of compute resources reserved for scheduling; if omitted for a resource that has a limit, it defaults to that limit | false |
CoreWaapService.spec.trafficProcessing.openapi[index].operation.resources.claims[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Name of one entry in `pod.spec.resourceClaims` | false |
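A `spec.trafficProcessing` fragment with one ICAP scanner and one OpenAPI validator, plus the ConfigMap that carries the schema, added here as an example and not taken from the project's documentation. The ICAP host `icap.security.svc.cluster.local`, the processor names `av-scan` and `orders-schema`, the ConfigMap `orders-openapi` and the schema itself are constructed; the ICAP image is the one the reference quotes as an example and `1.0.1` is the reference's example version, both of which must be replaced by the release actually available in your registry. The OpenAPI sidecar's image and version are deliberately left out on the assumption that the operator config provides them under `waapSpecTrafficProcessingDefaults.openapi`.

```yaml
# Added example, document 1: a complete ConfigMap holding the OpenAPI schema
# (constructed schema for a fictitious orders API).
apiVersion: v1
kind: ConfigMap
metadata:
  name: orders-openapi
data:
  openapi.yaml: |
    openapi: 3.0.3
    info: {title: Orders, version: "1.0"}
    paths:
      /orders:
        post:
          requestBody:
            required: true
            content:
              application/json:
                schema:
                  type: object
                  additionalProperties: false
                  required: [sku, quantity]
                  properties:
                    sku: {type: string, pattern: "^[A-Z0-9-]{3,32}$"}
                    quantity: {type: integer, minimum: 1, maximum: 1000}
          responses:
            "201": {description: created}
---
# Added example, document 2: fragment to be placed under spec: of a
# CoreWaapService; routes reference the processors by name via trafficProcessingRefs.
trafficProcessing:
  icap:
    - name: av-scan
      config:
        url: icaps://icap.security.svc.cluster.local:1344/avscan   # assumed host; icaps:// keeps bodies off the wire in clear
      extProc:
        messageTimeout: 10s             # Envoy's 200ms default is too short for body scanning
      operation:
        image: uspregistry.azurecr.io/usp/core/waap/usp-core-waap-ext-proc-icap
        version: "1.0.1"                # separate version field, not image:tag
        resources:
          requests: {cpu: 100m, memory: 128Mi}
          limits: {cpu: "1", memory: 512Mi}
  openapi:
    - name: orders-schema
      config:
        schemaSource:
          configMap: orders-openapi     # ConfigMap from document 1
          key: openapi.yaml
        scope:
          requestBody: true
          responseBody: false
          logOnly: false                # true would only log violations and still forward the request
      extProc:
        messageTimeout: 2s
      # operation.image/version omitted: assumed to come from the operator defaults
```

When introducing a schema to existing traffic, run the validator with `logOnly: true` first and review the logged violations; flip it to `false` once legitimate clients no longer trip it, otherwise the rollout is a self-inflicted outage.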
CoreWaapService.spec.webResources
Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Name of the config map that contains the web resources | true |
path | string | Path under which the static files are served (must begin and end with `/`) | true |
errorPages | []object | List of error pages to serve (allows dynamic content, e.g. `%PROTOCOL%`) | false |
staticFiles | []object | List of static file resources to serve (no dynamic content) | false |
CoreWaapService.spec.webResources.errorPages[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | Key in the config map, used as filename (Content-Type guessed from the filename, encoding UTF-8 for `text/*`) | true |
statusCode | string | Status code the page applies to; wildcards are allowed, e.g. `4xx` for all client errors 400-499 | true |
mappedStatusCode | integer | Status code to send to the client (defaults to the upstream status code) | false |
CoreWaapService.spec.webResources.staticFiles[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | Key in the config map, used as filename (Content-Type guessed from the filename, encoding UTF-8 for `text/*`) | true |
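A `spec.webResources` fragment together with the ConfigMap it reads from, added here as an example and not taken from the project's documentation. The ConfigMap name `waap-web-resources`, the file names and their contents, and the served path `/.well-known/waap/` are constructed; `%PROTOCOL%` is the placeholder the reference itself names as dynamic content.

```yaml
# Added example, document 1: complete ConfigMap with one static file and two error pages.
apiVersion: v1
kind: ConfigMap
metadata:
  name: waap-web-resources
data:
  error.css: |
    body { font-family: sans-serif; margin: 4em; }
  blocked.html: |
    <!doctype html>
    <title>Request blocked</title>
    <link rel="stylesheet" href="/.well-known/waap/error.css">
    <p>Your request was rejected by the web application firewall.</p>
    <p>Protocol: %PROTOCOL%</p>
  upstream-error.html: |
    <!doctype html>
    <title>Service unavailable</title>
    <link rel="stylesheet" href="/.well-known/waap/error.css">
    <p>The service is temporarily unavailable. Please retry later.</p>
---
# Added example, document 2: fragment to be placed under spec: of a CoreWaapService.
webResources:
  configMap: waap-web-resources
  path: /.well-known/waap/            # must begin and end with '/'
  staticFiles:
    - key: error.css                   # served as /.well-known/waap/error.css, Content-Type from the name
  errorPages:
    - statusCode: "403"                # string, not integer
      key: blocked.html
    - statusCode: "5xx"                # every upstream 500-599 response
      key: upstream-error.html
      mappedStatusCode: 503            # client sees a uniform 503 instead of the backend's exact failure
```

Replacing all 5xx bodies with a page from the ConfigMap keeps backend stack traces, framework version banners and similar details out of what an attacker can read from error responses; `mappedStatusCode` additionally hides which kind of failure occurred.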
CoreWaapService.status
Name | Type | Description | Required |
---|---|---|---|
status | string | | false |