# API Reference

Packages:

- waap.core.u-s-p.ch/v1alpha1

## waap.core.u-s-p.ch/v1alpha1

Resource Types:

- CoreWaapService

### CoreWaapService
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | waap.core.u-s-p.ch/v1alpha1 | true |
| kind | string | CoreWaapService | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
| spec | object | | false |
| status | object | | false |
#### CoreWaapService.spec

| Name | Type | Description | Required |
|---|---|---|---|
| routes | []object | List of routes to backends (at least one route must be defined) | true |
| authentications | []object | List of authentications (OpenID Connect / OAuth 2.0 clients and/or JWT validations) | false |
| coraza | object | Coraza filter settings for Core Rule Set (CRS) and GraphQL validations | false |
| corsPolicy | object | Global CORS protection (default off); any legal OPTIONS request is answered directly by Core WAAP and is not passed on to backends; other requests are not answered directly, but if they are accepted CORS requests that match the configured allowed origins, Core WAAP adds the related headers to the response | false |
| crs | object | DEPRECATED, use spec.coraza settings instead. OWASP Core Rule Set (CRS) settings (version 4.18.0) | false |
| csrfPolicy | object | Global CSRF protection (default on); detects and blocks CSRF attacks by comparing the request origin (either the 'Origin' or the 'Referer' header) with the request target; if the origin does not match the target and is not specifically allowed, the request is blocked | false |
| headerFiltering | object | Global header filtering (default is to allow standard headers only) | false |
| hostnames | []string | List of hostnames (append ports with ':', default is wildcard '*') | false |
| lua | object | Lua filter settings (filter scripts plus helper scripts/files) | false |
| nativeConfigPostProcessing | []string | JavaScripts for post-processing the generated Envoy config | false |
| operation | object | Operation-related settings for the Core WAAP Kubernetes deployment; these settings typically do not affect the generated Envoy config (optional, except that the operation's image/version fields must be set in the spec or via a default in the operator config). Merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in the operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity | false |
| originBlocking | object | Origin blocking | false |
| trafficProcessing | object | Traffic processing settings (e.g. for ICAP anti-virus scanning) | false |
| webResources | object | Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content | false |
| websocket | boolean | Allow websocket. Default: false | false |
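A complete CoreWaapService manifest that exercises the fields documented in this reference, added here as an illustration and not taken from the project's own documentation. All names, namespaces, hostnames, OIDC endpoints, secret and config map names are placeholders, and the CRS rule id 942100 (from the 942 SQLi class) is assumed rather than taken from this page:

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: shop-waap      # placeholder name
  namespace: shop      # placeholder namespace
spec:
  routes:
    # REST API: prefix match, restricted methods, OIDC-protected, CRS inspection
    - match:
        path: /api/
        pathType: PREFIX
        filters:
          allowedMethods: [GET, POST, OPTIONS]
      backend:
        address: shop-api.shop.svc.cluster.local   # placeholder upstream
        port: 8443
        protocol:
          selection: auto          # ALPN: HTTP/2 preferred, HTTP/1.1 fallback
        tls:
          enabled: true
          checkCertificates: true  # verify trust chain and SAN of the upstream
      auth:
        ref: sso                   # spec.authentications[].name below
      coraza:
        crs:
          skipBody: false          # keep request body inspection on
    # GraphQL endpoint: CRS plus schema validation in blocking mode
    - match:
        path: ^/graphql$
        pathType: REGEX
      backend:
        address: shop-graphql.shop.svc.cluster.local   # placeholder upstream
        port: 8080
      coraza:
        graphql:
          enabled: true
          mode: BLOCK
          ref: shop-schema         # spec.coraza.graphql.configs[].name below
  authentications:
    - name: sso
      issuer: https://idp.example.com/realms/shop                     # placeholder OP
      authorizationEndpoint: https://idp.example.com/realms/shop/auth  # placeholder
      tokenEndpoint: https://idp.example.com/realms/shop/token         # placeholder
      jwksEndpoint: https://idp.example.com/realms/shop/certs          # placeholder
      tokenEndpointAuthType: BASIC
      scopes: [openid, profile]
      audiences: [shop-waap]       # JWTs for other audiences are rejected
      credentials:
        clientId: shop-waap
        clientSecretRef: shop-waap-oidc-client   # Kubernetes secret, placeholder name
        hmacSecretRef: shop-waap-oidc-hmac       # Kubernetes secret, placeholder name
      backend:
        forwardJwt: true
      denyRedirectMatcher:         # SPA fetches get 401 instead of a 302 to the OP;
        enabled: true              # Sec-Fetch-Dest must also pass spec.headerFiltering
        headerName: Sec-Fetch-Dest
        expectedHeaderValue: empty
  coraza:
    enabled: true
    requestBodyAccess: true
    requestBodyLimitKb: 128
    requestBodyLimitAction: Reject   # oversized bodies are rejected, not passed unchecked
    responseBodyAccess: false        # allowed only because enabledResponseRules is empty
    validateJson: true               # requires a single mode (BLOCK here) on all routes
    crs:
      defaultEnabled: true
      mode: BLOCK
      paranoiaLevel: 2
      securityLevel: 5               # block on the first critical anomaly
      requestRuleExceptions:
        - ruleIds: [942100]          # assumed CRS rule from the 942 (SQLi) class
          location: /api/search
          regEx: false
          requestPartType: ARGS
          requestPartName: q
          metadata:
            comment: "free-text search parameter triggers false positives"
            createdBy: "appsec"
            date: "2025-01-15"
      customRequestBlockingRules:
        - name: block-retired-client   # custom rule ids must lie in [300000,399999]
          secLangExpression: >-
            SecRule REQUEST_HEADERS:User-Agent "@beginsWith RetiredClient/1."
            "id:300001,phase:1,deny,status:403,msg:'retired client version'"
    graphql:
      configs:
        - name: shop-schema
          schemaSource:
            configMap: shop-graphql-schema   # placeholder config map
            key: schema.graphql
          allowIntrospection: false
          queryThresholds:
            depth: 5
            complexity: 20
            batchSize: 5
  corsPolicy:
    enabled: true
    allowedOrigins: ["shop.example.com"]   # '{hostname}[:{port}]', no scheme
```

The exception only lifts rule 942100 for the `q` argument on `/api/search`; every other argument and route stays fully inspected.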
#### CoreWaapService.spec.routes[index]

| Name | Type | Description | Required |
|---|---|---|---|
| backend | object | Backend | true |
| match | object | Matching criteria | true |
| auth | object | Authentication | false |
| autoHostRewrite | boolean | Indicates that during forwarding, the host header will be swapped with the hostname of the upstream host. Default: true | false |
| coraza | object | Coraza settings per route, including CRS and GraphQL | false |
| crs | object | DEPRECATED, use coraza settings instead. CRS settings per route | false |
| luaRefs | object | References to Lua filters | false |
| trafficProcessingRefs | []string | References to traffic processing; processing order is OpenAPI, ICAP (and within each type in the order listed under spec.trafficProcessing) | false |
#### CoreWaapService.spec.routes[index].backend

Backend

| Name | Type | Description | Required |
|---|---|---|---|
| address | string | Backend hostname or IP | true |
| port | integer | Backend port number. Minimum: 1 Maximum: 65535 | true |
| protocol | object | Protocol | false |
| tls | object | TLS | false |
#### CoreWaapService.spec.routes[index].backend.protocol

Protocol

| Name | Type | Description | Required |
|---|---|---|---|
| selection | enum | Selection of upstream protocol (h2 uses HTTP/2, h1 uses HTTP/1.1, auto negotiates the protocol using ALPN (requires TLS) with HTTP/2 preferred and HTTP/1.1 as fallback). Enum: auto, h1, h2 Default: h2 | false |
#### CoreWaapService.spec.routes[index].backend.tls

TLS

| Name | Type | Description | Required |
|---|---|---|---|
| checkCertificates | boolean | Check trusted certificates and SAN. Default: true | false |
| enabled | boolean | Enable TLS. Default: false | false |
#### CoreWaapService.spec.routes[index].match

Matching criteria

| Name | Type | Description | Required |
|---|---|---|---|
| path | string | Path (depending on pathType either a regex or a prefix) | true |
| filters | object | Filters | false |
| headers | []object | List of header matchers (logical AND between header matchers and with path) | false |
| pathType | enum | Path type. Enum: PREFIX, REGEX Default: REGEX | false |
#### CoreWaapService.spec.routes[index].match.filters

Filters

| Name | Type | Description | Required |
|---|---|---|---|
| allowedMethods | []enum | Allowed HTTP methods (all methods allowed if not specified). Enum: ACL, BIND, CHECKOUT, CONNECT, COPY, DELETE, GET, HEAD, LINK, LOCK, MERGE, MKACTIVITY, MKCALENDAR, MKCOL, MOVE, MSEARCH, NOTIFY, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PURGE, PUT, REBIND, REPORT, SEARCH, SOURCE, SUBSCRIBE, TRACE, UNBIND, UNLINK, UNLOCK, UNSUBSCRIBE | false |
| originBlocking | object | Origin blocking | false |
| rewrite | object | Rewrite request | false |
#### CoreWaapService.spec.routes[index].match.filters.originBlocking

Origin blocking

| Name | Type | Description | Required |
|---|---|---|---|
| ips | []string | Allowed or denied IP addresses (CIDR notation or single IP, e.g. 1.2.3.4/32 or 1.2.3.4) | true |
| policy | enum | Policy (ALLOW or DENY access depending on origin). Enum: ALLOW, DENY | true |
#### CoreWaapService.spec.routes[index].match.filters.rewrite

Rewrite request

| Name | Type | Description | Required |
|---|---|---|---|
| url | object | URL to set upstream | false |
#### CoreWaapService.spec.routes[index].match.filters.rewrite.url

URL to set upstream

| Name | Type | Description | Required |
|---|---|---|---|
| path | string | Path to rewrite (if the path is a regex, \1, \2 etc. can be used to insert the matched regex groups) | true |
#### CoreWaapService.spec.routes[index].match.headers[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Request header name (supported are regular header names as well as the pseudo-headers ':authority' and ':method') | true |
| value | string | Request header value (exact match of full string or regex match) | true |
| valueType | enum | Value type. Enum: EXACT, REGEX Default: EXACT | false |
#### CoreWaapService.spec.routes[index].auth

Authentication

| Name | Type | Description | Required |
|---|---|---|---|
| ref | string | Reference to the name of the corresponding authentication setting | true |
#### CoreWaapService.spec.routes[index].coraza

Coraza settings per route, including CRS and GraphQL

| Name | Type | Description | Required |
|---|---|---|---|
| crs | object | OWASP Core Rule Set (CRS) settings per route | false |
| enabled | boolean | Whether to enable Coraza for the route or not. Default: true | false |
| graphql | object | GraphQL settings per route | false |
#### CoreWaapService.spec.routes[index].coraza.crs

OWASP Core Rule Set (CRS) settings per route

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable Coraza CRS for the route or not; the effective default is spec.coraza.crs.defaultEnabled | false |
| skipBody | boolean | Whether to skip request body validation or not (requestBodyAccess on/off). Default: false | false |
#### CoreWaapService.spec.routes[index].coraza.graphql

GraphQL settings per route

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable Coraza GraphQL for the route or not. Default: false | false |
| mode | enum | Mode (DETECT = traffic identified as suspicious is logged but not blocked; BLOCK = traffic identified as suspicious is blocked). Enum: BLOCK, DETECT Default: BLOCK | false |
| ref | string | Reference to the name of the corresponding GraphQL setting; required if GraphQL is enabled on the route | false |
#### CoreWaapService.spec.routes[index].crs

DEPRECATED, use coraza settings instead. CRS settings per route

| Name | Type | Description | Required |
|---|---|---|---|
| disabled | boolean | DEPRECATED, use per-route coraza settings instead. Whether to disable all CRS parsing for the route or not. Default: false | false |
#### CoreWaapService.spec.routes[index].luaRefs

References to Lua filters

| Name | Type | Description | Required |
|---|---|---|---|
| first | []string | Lua filters to run first, i.e. before other types of filters (more precisely, run first for the request and run last for the response); Lua filters listed here are run in the order defined under spec.lua | false |
| last | []string | Lua filters to run last, i.e. after other types of filters (more precisely, run last for the request and run first for the response); Lua filters listed here are run in the order defined under spec.lua | false |
#### CoreWaapService.spec.authentications[index]

| Name | Type | Description | Required |
|---|---|---|---|
| backend | object | Settings for propagation to backend | true |
| jwksEndpoint | string | OIDC JWKS endpoint URL, offers the keys to verify JWTs (normally use https) | true |
| name | string | Name to reference in routes | true |
| audiences | []string | List of accepted JWT audiences (if none is specified the JWT is not matched against the audience list) | false |
| authorizationEndpoint | string | OIDC OP authorization endpoint URL (omit to mark JWT-only authentication; note that tokenEndpoint and credentials must always also be defined or omitted accordingly) | false |
| credentials | object | OIDC credentials (client_id and client_secret, omit if only using JWT validation) | false |
| denyRedirectMatcher | object | If set, converts 302 redirect responses to 401 unauthorized responses for clients that should not handle redirects, typically Single-Page Applications (SPAs) that use JavaScript (note that if set, the configured (or default) header must also be whitelisted in the request header filter) | false |
| endSessionEndpoint | string | Optional OIDC OP endpoint URL to end the session at the OP (logout at OP); note that logout is initiated at '/core-waap/oauth/{spec.authentications[].name}/signout', which always logs out the client (i.e. the Core WAAP itself) and, if an end session endpoint is defined in this setting, subsequently also attempts to log out at the OP | false |
| issuer | string | OIDC OP issuer (mandatory for OIDC authentication, optional for JWT-only authentication) | false |
| scopes | []string | List of scopes to be claimed in the authorization request | false |
| tokenEndpoint | string | OIDC OP token endpoint URL (omit for JWT-only authentication) | false |
| tokenEndpointAuthType | enum | How to pass the client_id to the OP (BODY for URL-encoded body parameter, BASIC for basic auth). Enum: BASIC, BODY Default: BODY | false |
| useRefreshToken | boolean | Whether to allow automatic access token refresh using the associated refresh token. Default: false | false |
#### CoreWaapService.spec.authentications[index].backend

Settings for propagation to backend

| Name | Type | Description | Required |
|---|---|---|---|
| forwardJwt | boolean | Whether to forward the JWT to the upstream server. Default: true | false |
| jwtClaimToHeader | []object | Translations of JWT claims to HTTP headers | false |
#### CoreWaapService.spec.authentications[index].backend.jwtClaimToHeader[index]

| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | Claim to set as header | true |
| headerName | string | Name of the header to set to the claim | true |
#### CoreWaapService.spec.authentications[index].credentials

OIDC credentials (client_id and client_secret, omit if only using JWT validation)

| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | OIDC client_id | true |
| clientSecret | string | OIDC client_secret by value (either this or clientSecretRef is mandatory) | false |
| clientSecretRef | string | OIDC client_secret via reference to a Kubernetes secret (recommended; either this or clientSecret is mandatory) | false |
| hmacSecret | string | HMAC secret by value (either this or hmacSecretRef is mandatory) | false |
| hmacSecretRef | string | HMAC secret via reference to a Kubernetes secret (recommended; either this or hmacSecret is mandatory) | false |
#### CoreWaapService.spec.authentications[index].denyRedirectMatcher

If set, converts 302 redirect responses to 401 unauthorized responses for clients that should not handle redirects, typically Single-Page Applications (SPAs) that use JavaScript (note that if set, the configured (or default) header must also be whitelisted in the request header filter)

| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether response mapping is enabled or not. Default: false | false |
| expectedHeaderValue | string | Header value. Default: empty | false |
| headerName | string | Header name. Default: Sec-Fetch-Dest | false |
| headerValueType | enum | Whether to match the exact value or to treat the value as a REGEX. Enum: EXACT, REGEX Default: EXACT | false |
#### CoreWaapService.spec.coraza

Coraza filter settings for Core Rule Set (CRS) and GraphQL validations

| Name | Type | Description | Required |
|---|---|---|---|
| crs | object | OWASP Core Rule Set (CRS) settings (version 4.18.0) | false |
| debugLogLevel | integer | Debug log level (0: off, 1: error, 2: warn, 3: info, 4-8: debug, 9: trace). Default: 0 | false |
| enabled | boolean | Enables the Coraza filter; must be enabled if any CRS or GraphQL validations should be done. Default: true | false |
| graphql | object | GraphQL settings | false |
| parseJson | boolean | Whether to apply CRS protection rules to JSON payloads or not; must be true if GraphQL is enabled on any route. Default: true | false |
| parseXml | boolean | Whether to apply CRS protection rules to XML payloads or not. Default: true | false |
| requestBodyAccess | boolean | Whether to scan request bodies or not; must be true if GraphQL is enabled on any route (if this setting is disabled, POST parameters and other content submitted in the request body will not be inspected). Default: true | false |
| requestBodyLimitAction | enum | How to handle requests with a body larger than specified in coraza.requestBodyLimitKb (ProcessPartial = validate the request body up to the limit and let additional bytes through unchecked; Reject = reject the request if the body is larger than the limit). Enum: ProcessPartial, Reject Default: ProcessPartial | false |
| requestBodyLimitKb | integer | Request body limit in KB; body bytes beyond the limit are not parsed (also make sure that operation.bufferLimitBytes is set accordingly). Default: 128 Minimum: 0 Maximum: 1048576 | false |
| responseBodyAccess | boolean | Whether to scan response bodies or not; may only be set to false if coraza.crs.enabledResponseRules is empty (GraphQL does so far not parse response bodies, the backend is trusted). Default: false | false |
| responseBodyLimitAction | enum | How to handle responses with a body larger than specified in coraza.responseBodyLimitKb (ProcessPartial = validate the response body up to the limit and let additional bytes through unchecked; Reject = reject the response if the body is larger than the limit). Enum: ProcessPartial, Reject Default: ProcessPartial | false |
| responseBodyLimitKb | integer | Response body limit in KB; body bytes beyond the limit are not parsed (also make sure that operation.bufferLimitBytes is set accordingly). Default: 256 Minimum: 0 Maximum: 1048576 | false |
| validateJson | boolean | Special rule which checks the syntax of JSON requests (if the syntax is invalid and the current mode is BLOCK, such requests are blocked); if set to true, only a single mode, either BLOCK or DETECT, may be used across all routes with effectively enabled CRS and/or GraphQL. Default: true | false |
#### CoreWaapService.spec.coraza.crs

OWASP Core Rule Set (CRS) settings (version 4.18.0)

| Name | Type | Description | Required |
|---|---|---|---|
| customRequestBlockingRules | []object | Custom request blocking rules | false |
| defaultEnabled | boolean | If true, enabled on all routes unless disabled there; if false, disabled on all routes unless enabled there. Default: true | false |
| enabledRequestRules | []enum | Set of request rule classes (default is to include all rules; rules REQUEST_901_INITIALIZATION and REQUEST_949_BLOCKING_EVALUATION are always included; see https://github.com/coreruleset/coreruleset/tree/v4.18.0/rules for all configurable values, just replace '-' by '_' and omit '.conf'). Enum: REQUEST_913_SCANNER_DETECTION, REQUEST_920_PROTOCOL_ENFORCEMENT, REQUEST_921_PROTOCOL_ATTACK, REQUEST_922_MULTIPART_ATTACK, REQUEST_930_APPLICATION_ATTACK_LFI, REQUEST_931_APPLICATION_ATTACK_RFI, REQUEST_932_APPLICATION_ATTACK_RCE, REQUEST_933_APPLICATION_ATTACK_PHP, REQUEST_934_APPLICATION_ATTACK_GENERIC, REQUEST_941_APPLICATION_ATTACK_XSS, REQUEST_942_APPLICATION_ATTACK_SQLI, REQUEST_943_APPLICATION_ATTACK_SESSION_FIXATION, REQUEST_944_APPLICATION_ATTACK_JAVA | false |
| enabledResponseRules | []enum | Set of response rule classes (default is to include no rules; rules RESPONSE_959_BLOCKING_EVALUATION and RESPONSE_980_CORRELATION are always included; see https://github.com/coreruleset/coreruleset/tree/v4.18.0/rules for all configurable values, just replace '-' by '_' and omit '.conf'). Enum: RESPONSE_950_DATA_LEAKAGES, RESPONSE_951_DATA_LEAKAGES_SQL, RESPONSE_952_DATA_LEAKAGES_JAVA, RESPONSE_953_DATA_LEAKAGES_PHP, RESPONSE_954_DATA_LEAKAGES_IIS, RESPONSE_955_WEB_SHELLS, RESPONSE_956_DATA_LEAKAGES_RUBY | false |
| mode | enum | Mode (DETECT = traffic identified as suspicious is logged but not blocked; BLOCK = traffic identified as suspicious is blocked). Enum: BLOCK, DETECT Default: BLOCK | false |
| paranoiaLevel | integer | Paranoia level (the higher the level, the better the protection but also the more likely false positives; see OWASP CRS for details). Default: 1 Minimum: 1 Maximum: 4 | false |
| requestRuleExceptions | []object | Conditionally disable request rules to avoid false positive alerts/blocks | false |
| responseRuleExceptions | []object | Conditionally disable response rules to avoid false positive alerts/blocks | false |
| securityLevel | integer | Defines under which conditions suspicious requests are blocked; only has an effect if the mode is set to BLOCK (security level 5 blocks already at 1 (or more) critical anomalies, 4 at 2, 3 at 3, 2 at 5, 1 at 10). Default: 5 Minimum: 1 Maximum: 5 | false |
#### CoreWaapService.spec.coraza.crs.customRequestBlockingRules[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Rule name | true |
| secLangExpression | string | SecLang expression. The rule id must be in the range [300000,399999] | true |
#### CoreWaapService.spec.coraza.crs.requestRuleExceptions[index]

| Name | Type | Description | Required |
|---|---|---|---|
| location | string | Location | false |
| metadata | object | Metadata (no impact on native config) | false |
| regEx | boolean | Whether the location is given as a regex or not. Default: false | false |
| requestPartName | string | Request part name (e.g. 'User-Agent'; only has an effect for a request rule exception) | false |
| requestPartType | enum | Request part type (only has an effect for a request rule exception). Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
| ruleId | integer | (deprecated, use ruleIds instead) Rule ID | false |
| ruleIds | []integer | A list of rule IDs (required if ruleId is not specified, and must then contain at least one rule ID) | false |
#### CoreWaapService.spec.coraza.crs.requestRuleExceptions[index].metadata

Metadata (no impact on native config)

| Name | Type | Description | Required |
|---|---|---|---|
| comment | string | Comment why the rule exception was added | false |
| createdBy | string | By whom the rule exception was added | false |
| date | string | Date when the rule exception was added | false |
#### CoreWaapService.spec.coraza.crs.responseRuleExceptions[index]

| Name | Type | Description | Required |
|---|---|---|---|
| location | string | Location | false |
| metadata | object | Metadata (no impact on native config) | false |
| regEx | boolean | Whether the location is given as a regex or not. Default: false | false |
| requestPartName | string | Request part name (e.g. 'User-Agent'; only has an effect for a request rule exception) | false |
| requestPartType | enum | Request part type (only has an effect for a request rule exception). Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
| ruleId | integer | (deprecated, use ruleIds instead) Rule ID | false |
| ruleIds | []integer | A list of rule IDs (required if ruleId is not specified, and must then contain at least one rule ID) | false |
#### CoreWaapService.spec.coraza.crs.responseRuleExceptions[index].metadata

Metadata (no impact on native config)

| Name | Type | Description | Required |
|---|---|---|---|
| comment | string | Comment why the rule exception was added | false |
| createdBy | string | By whom the rule exception was added | false |
| date | string | Date when the rule exception was added | false |
#### CoreWaapService.spec.coraza.graphql

GraphQL settings

| Name | Type | Description | Required |
|---|---|---|---|
| configs | []object | Config settings for referencing by name on individual routes | false |
#### CoreWaapService.spec.coraza.graphql.configs[index]

| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name to reference in routes | true |
| schemaSource | object | Source for the GraphQL schema to apply (via config map) | true |
| allowIntrospection | boolean | Whether to allow introspection calls (these could help an attacker, while some use cases need access). Default: false | false |
| queryThresholds | object | Thresholds for queries (e.g. nesting depth) | false |
#### CoreWaapService.spec.coraza.graphql.configs[index].schemaSource

Source for the GraphQL schema to apply (via config map)

| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the file | true |
| key | string | Key in the config map that contains the file, and also the name of the file | true |
#### CoreWaapService.spec.coraza.graphql.configs[index].queryThresholds

Thresholds for queries (e.g. nesting depth)

| Name | Type | Description | Required |
|---|---|---|---|
| batchSize | integer | Maximum batch size to allow. Default: 5 Minimum: 1 | false |
| complexity | integer | Maximum complexity to allow. Default: 20 Minimum: 1 | false |
| depth | integer | Maximum nesting depth to allow. Default: 5 Minimum: 1 | false |
#### CoreWaapService.spec.corsPolicy

Global CORS protection (default off); any legal OPTIONS request is answered directly by Core WAAP and is not passed on to backends; other requests are not answered directly, but if they are accepted CORS requests that match the configured allowed origins, Core WAAP adds the related headers to the response

| Name | Type | Description | Required |
|---|---|---|---|
| allowedOrigins | []string | Allowed origins, specified as '{hostname}[:{port}]' (no scheme!); must correspond to the request target. | true |
| allowCredentials | boolean | Specifies whether the resource allows credentials. Default: false | false |
| allowHeaders | string | Specifies the content of the "access-control-allow-headers" header. | false |
| allowMethods | string | Specifies the content of the "access-control-allow-methods" header. | false |
| allowPrivateNetworkAccess | boolean | Specifies whether to allow requests whose target server's IP address is more private than the one from which the request initiator was fetched. Default: false | false |
| enabled | boolean | Whether the filter should be enforced or not. Default: false | false |
| exposeHeaders | string | Specifies the content of the "access-control-expose-headers" header. | false |
| forwardNotMatchingPreflights | boolean | Specifies whether preflight requests not matching the configured allowed origins should be forwarded to the upstream. Default: true | false |
| maxAge | string | Specifies the content of the "access-control-max-age" header. | false |
#### CoreWaapService.spec.crs

DEPRECATED, use spec.coraza settings instead. OWASP Core Rule Set (CRS) settings (version 4.18.0)

| Name | Type | Description | Required |
|---|---|---|---|
| customRequestBlockingRules | []object | DEPRECATED, use spec.coraza settings instead. Custom request blocking rules | false |
| enabledRequestRules | []enum | DEPRECATED, use spec.coraza settings instead. Set of request rule classes (default is to include all rules; rules REQUEST_901_INITIALIZATION and REQUEST_949_BLOCKING_EVALUATION are always included; see https://github.com/coreruleset/coreruleset/tree/v4.18.0/rules for all configurable values, just replace '-' by '_' and omit '.conf'). Enum: REQUEST_913_SCANNER_DETECTION, REQUEST_920_PROTOCOL_ENFORCEMENT, REQUEST_921_PROTOCOL_ATTACK, REQUEST_922_MULTIPART_ATTACK, REQUEST_930_APPLICATION_ATTACK_LFI, REQUEST_931_APPLICATION_ATTACK_RFI, REQUEST_932_APPLICATION_ATTACK_RCE, REQUEST_933_APPLICATION_ATTACK_PHP, REQUEST_934_APPLICATION_ATTACK_GENERIC, REQUEST_941_APPLICATION_ATTACK_XSS, REQUEST_942_APPLICATION_ATTACK_SQLI, REQUEST_943_APPLICATION_ATTACK_SESSION_FIXATION, REQUEST_944_APPLICATION_ATTACK_JAVA | false |
| enabledResponseRules | []enum | DEPRECATED, use spec.coraza settings instead. Set of response rule classes (default is to include no rules; rules RESPONSE_959_BLOCKING_EVALUATION and RESPONSE_980_CORRELATION are always included; see https://github.com/coreruleset/coreruleset/tree/v4.18.0/rules for all configurable values, just replace '-' by '_' and omit '.conf'). Enum: RESPONSE_950_DATA_LEAKAGES, RESPONSE_951_DATA_LEAKAGES_SQL, RESPONSE_952_DATA_LEAKAGES_JAVA, RESPONSE_953_DATA_LEAKAGES_PHP, RESPONSE_954_DATA_LEAKAGES_IIS, RESPONSE_955_WEB_SHELLS, RESPONSE_956_DATA_LEAKAGES_RUBY | false |
| mode | enum | DEPRECATED, use spec.coraza settings instead. Mode (BLOCK = traffic identified as suspicious is blocked; DETECT = traffic identified as suspicious is logged but not blocked; DISABLED = traffic is not inspected); note that if no spec.crs is defined, the default will be DISABLED (not BLOCK). Enum: BLOCK, DETECT, DISABLED Default: BLOCK | false |
| paranoiaLevel | integer | DEPRECATED, use spec.coraza settings instead. Paranoia level (the higher the level, the better the protection but also the more likely false positives; see OWASP CRS for details). Default: 1 Minimum: 1 Maximum: 4 | false |
| parseJson | boolean | DEPRECATED, use spec.coraza settings instead. Whether to apply CRS protection rules to JSON payloads or not. Default: true | false |
| parseXml | boolean | DEPRECATED, use spec.coraza settings instead. Whether to apply CRS protection rules to XML payloads or not. Default: true | false |
| requestBodyAccess | boolean | DEPRECATED, use spec.coraza settings instead. Whether to scan request bodies or not (if this setting is disabled, POST parameters and other content submitted in the request body will not be inspected). Default: true | false |
| requestBodyAccessExceptions | []object | DEPRECATED, use spec.coraza settings instead. Request body parsing exceptions (locations to exclude from parsing, typically for file uploads) | false |
| requestBodyLimitKb | integer | DEPRECATED, use spec.coraza settings instead. Request body limit in KB; body bytes beyond the limit are not parsed (max 1048576 KB (1 GB)). Default: 128 Minimum: 0 Maximum: 1048576 | false |
| requestRuleExceptions | []object | DEPRECATED, use spec.coraza settings instead. Conditionally disable request rules to avoid false positive alerts/blocks | false |
| responseBodyLimitKb | integer | DEPRECATED, use spec.coraza settings instead. Response body limit in KB; body bytes beyond the limit are not parsed. Default: 256 Minimum: 0 Maximum: 1048576 | false |
| responseRuleExceptions | []object | DEPRECATED, use spec.coraza settings instead. Conditionally disable response rules to avoid false positive alerts/blocks | false |
| securityLevel | integer | DEPRECATED, use spec.coraza settings instead. Defines under which conditions suspicious requests are blocked; only has an effect if the mode is set to BLOCK (security level 5 blocks already at 1 (or more) critical anomalies, 4 at 2, 3 at 3, 2 at 5, 1 at 10). Default: 5 Minimum: 1 Maximum: 5 | false |
| validateJson | boolean | DEPRECATED, use spec.coraza settings instead. Special rule which checks the syntax of JSON requests (if the syntax is invalid and the current mode is BLOCK, such requests are blocked). Default: true | false |
CoreWaapService.spec.crs.customRequestBlockingRules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Rule name |
true |
| secLangExpression | string |
SecLang expression. Rule id range must be [300000,399999] |
true |
CoreWaapService.spec.crs.requestBodyAccessExceptions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| location | string |
DEPRECATED, use spec.coraza settings instead. Location for which to skip request body parsing |
true |
| methods | []enum |
DEPRECATED, use spec.coraza settings instead. HTTP method(s) for which to skip request body parsing (at least one must be defined) Enum: ACL, BIND, CHECKOUT, CONNECT, COPY, DELETE, GET, HEAD, LINK, LOCK, MERGE, MKACTIVITY, MKCALENDAR, MKCOL, MOVE, MSEARCH, NOTIFY, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PURGE, PUT, REBIND, REPORT, SEARCH, SOURCE, SUBSCRIBE, TRACE, UNBIND, UNLINK, UNLOCK, UNSUBSCRIBE |
true |
| regEx | boolean |
DEPRECATED, use spec.coraza settings instead. Whether the location is indicated as a regex or not Default: false |
false |
CoreWaapService.spec.crs.requestRuleExceptions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| location | string |
Location |
false |
| metadata | object |
Metadata (no impact on native config) |
false |
| regEx | boolean |
Whether the location is indicated as a regex or not Default: false |
false |
| requestPartName | string |
Request part name (e.g. 'User-Agent'; only has an effect if request rule exception) |
false |
| requestPartType | enum |
Request part type (only has an effect if request rule exception) Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML |
false |
| ruleId | integer |
(deprecated, use ruleIds instead) Rule ID |
false |
| ruleIds | []integer |
A list of Rule IDs (required if ruleId is not specified and must then contain at least one rule ID) |
false |
CoreWaapService.spec.crs.requestRuleExceptions[index].metadata
Metadata (no impact on native config)
| Name | Type | Description | Required |
|---|---|---|---|
| comment | string |
Comment why the rule exception was added |
false |
| createdBy | string |
By whom the rule exception was added |
false |
| date | string |
Date when the rule exception was added |
false |
CoreWaapService.spec.crs.responseRuleExceptions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| location | string |
Location |
false |
| metadata | object |
Metadata (no impact on native config) |
false |
| regEx | boolean |
Whether the location is indicated as a regex or not Default: false |
false |
| requestPartName | string |
Request part name (e.g. 'User-Agent'; only has an effect if request rule exception) |
false |
| requestPartType | enum |
Request part type (only has an effect if request rule exception) Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML |
false |
| ruleId | integer |
(deprecated, use ruleIds instead) Rule ID |
false |
| ruleIds | []integer |
A list of Rule IDs (required if ruleId is not specified and must then contain at least one rule ID) |
false |
CoreWaapService.spec.crs.responseRuleExceptions[index].metadata
Metadata (no impact on native config)
| Name | Type | Description | Required |
|---|---|---|---|
| comment | string |
Comment why the rule exception was added |
false |
| createdBy | string |
By whom the rule exception was added |
false |
| date | string |
Date when the rule exception was added |
false |
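The following is an added example, not taken from the Core WAAP documentation or product, that puts the exception and custom-rule fields above together in one `spec.crs` fragment. It uses the deprecated `spec.crs` path because that is what these tables describe; the same concepts are carried by `spec.coraza`. Every path, argument name, header name and metadata value is illustrative, the CRS rule IDs are picked from the SQLi (942xxx) and PHP leakage (953xxx) families only to show the shape, and the fragment omits the `routes` a complete resource also needs.

```yaml
# Added example. Fragment to place under spec: of a CoreWaapService.
crs:                                   # DEPRECATED in favour of spec.coraza; shape shown for existing configs
  securityLevel: 4                     # block at 2 or more critical anomalies (5 = block at the first one)
  requestBodyAccess: true              # false would leave POST parameters and bodies uninspected
  requestBodyLimitKb: 1024             # bytes beyond the limit are not inspected: keep above real payload sizes
  requestBodyAccessExceptions:
    # Large uploads: skip body parsing only for this path and method.
    # Headers and query string on the same path are still inspected.
    - location: ^/api/v1/files/[0-9a-f-]{36}/content$   # illustrative
      regEx: true
      methods: [PUT]
  requestRuleExceptions:
    # A known false positive: a free-text "query" argument on /search trips
    # SQLi rules. Disable exactly those rules, for that argument, on that
    # path. The broad alternative (the same ruleIds with no location and
    # no requestPartType) would switch the rules off for the whole service.
    - location: /search
      requestPartType: ARGS
      requestPartName: query
      ruleIds: [942100, 942190]        # example IDs from the CRS SQLi family
      metadata:                        # no effect on the generated config, but it makes the exception reviewable
        comment: "Search box accepts SQL-like text by design (illustrative)"
        createdBy: appsec-team
        date: "2024-05-01"
  responseRuleExceptions:
    # Response-side exceptions: location and rule IDs only (the request
    # part fields have no effect here).
    - location: ^/docs/php/.*
      regEx: true
      ruleIds: [953100]                # example ID from the CRS PHP leakage family
  customRequestBlockingRules:
    # Custom SecLang rule; the id must lie in [300000,399999]. Blocks a header
    # the application never needs from the internet.
    - name: block-debug-header         # illustrative
      secLangExpression: >-
        SecRule REQUEST_HEADERS:X-Debug-Mode "@rx ^(?i)(1|true|on)$"
        "id:300001,phase:1,deny,status:403,log,msg:'X-Debug-Mode header not allowed'"
```

Keep exceptions as narrow as the false positive requires: a rule switched off globally is a detection gap for every route, while one scoped to a location and a request part only affects the argument that actually causes the noise.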
CoreWaapService.spec.csrfPolicy
Global CSRF protection (default on); detects and blocks CSRF attacks based on comparing the request origin (either 'Origin' or 'Referer' header) with the request target; if the origin does not match the target and is not allowed specifically, the request will be blocked
| Name | Type | Description | Required |
|---|---|---|---|
| additionalOrigins | []string |
Additional allowed origin values, specified as '{hostname}[:{port}]' (no scheme!); must correspond to the request target. |
false |
| enabled | boolean |
Whether CSRF protection is enabled or not Default: true |
false |
CoreWaapService.spec.headerFiltering
Global header filtering (default is allow standard headers only)
| Name | Type | Description | Required |
|---|---|---|---|
| logOnly | boolean |
Whether header filtering should only log potentially blocked headers Default: false |
false |
| request | object |
Request header filtering |
false |
| response | object |
Response header filtering |
false |
CoreWaapService.spec.headerFiltering.request
Request header filtering
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []string |
List of allowed header names in addition to ones in allowClass |
false |
| allowClass | enum |
A common preset of allowed headers Enum: MINIMAL, RESTRICTED, STANDARD Default: STANDARD |
false |
| deny | []object |
List of denied header names; applied after allowClass & allow |
false |
| enabled | boolean |
Whether request header filtering is enabled or not Default: true |
false |
CoreWaapService.spec.headerFiltering.request.deny[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Denied header name; '*' can be used together with a non-blank valuePattern to match all header names |
false |
| valuePattern | string |
Lua pattern for denied header value (see https://www.lua.org/pil/20.2.html) |
false |
CoreWaapService.spec.headerFiltering.response
Response header filtering
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []string |
List of allowed header names |
false |
| deny | []string |
List of denied header names; applied after allow |
false |
| enabled | boolean |
Whether response header filtering is enabled or not Default: true |
false |
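Added example (not from the original page or the Core WAAP project) combining `csrfPolicy` and `headerFiltering` in one `spec` fragment. The origins, header names and the Lua value pattern are illustrative; that `valuePattern` is applied as an unanchored Lua `string.find` over the header value is an assumption.

```yaml
# Added example. Fragment to place under spec: of a CoreWaapService.
csrfPolicy:
  enabled: true
  # Origins are compared with the request target, so list only hosts that
  # legitimately send state-changing requests to this service. Format is
  # host[:port] without scheme. Every host listed here may make cross-site
  # requests the check would otherwise block, so keep the list short.
  additionalOrigins:
    - checkout.example.com             # illustrative
    - admin.example.com:8443           # illustrative, non-default port must be given
headerFiltering:
  logOnly: false                       # set true while tuning: logs what would be blocked, blocks nothing
  request:
    enabled: true
    allowClass: STANDARD               # MINIMAL or RESTRICTED for APIs that need only a small header set
    allow:                             # app-specific headers on top of the class
      - X-Request-Id
      - X-Api-Key
    deny:                              # evaluated after allowClass and allow
      # Any header, whatever its name, whose value carries a "${...}" lookup
      # (the shape of Log4Shell-style payloads). Lua pattern: '%$' is a
      # literal '$', '%b{}' a balanced {...} pair.
      - name: "*"
        valuePattern: "%$%b{}"
      # A header that must never reach the backend regardless of value
      # (path-override header honoured by some application servers).
      - name: X-Original-Url
  response:
    enabled: true
    deny:                              # evaluated after allow; strips stack fingerprinting
      - Server
      - X-Powered-By
      - X-AspNet-Version
```

Run with `logOnly: true` first and read the logs before enforcing: header filtering blocks by header name, so a client library that sends a non-standard header the application relies on turns into a hard failure the moment `logOnly` goes back to false.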
CoreWaapService.spec.lua
Lua filters settings (filter scripts plus helper scripts/files)
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string |
Name of the config map that contains the Lua filter scripts and helper files (must be defined if any Lua filters or helper files are defined) |
false |
| filters | []object |
Lua filter scripts; will be run in the order listed here if referenced in routes |
false |
| helpers | []object |
Helper files that will be mounted in parallel to the Lua filter scripts; usually Lua utility scripts, but can be any file type |
false |
CoreWaapService.spec.lua.filters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Script name; used to reference the filter in routes, as the mounted filename, and as the key in 'spec.lua.configMap'; must end with '.lua' |
true |
CoreWaapService.spec.lua.helpers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
Name of the file to mount in parallel to the Lua filter scripts; also the key in 'spec.lua.configMap' |
true |
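Added example, not from the page or the project, showing how the ConfigMap keys and the `spec.lua` names must line up. The ConfigMap name, script names and script contents are illustrative. The filter body is written against Envoy's Lua HTTP filter API (`envoy_on_request`, `request_handle`); that Core WAAP runs these scripts as Envoy Lua filters is an assumption this page does not confirm, and how a filter locates a mounted helper file is not described here either.

```yaml
# Added example. Two documents: the ConfigMap holding the scripts, and the
# spec.lua fragment that references it. Each filter/helper name must equal a
# key in the ConfigMap, and filter names must end in '.lua'.
apiVersion: v1
kind: ConfigMap
metadata:
  name: shop-waap-lua                  # illustrative
data:
  # Filter script (Envoy Lua HTTP filter API assumed). Rejects raw and
  # percent-encoded ".." path segments before the request reaches a backend.
  deny-path-traversal.lua: |
    function envoy_on_request(request_handle)
      local path = request_handle:headers():get(":path") or ""
      -- '%.%.' is a literal "..", '%%2e%%2e' a literal "%2e%2e"
      if path:find("%.%.") or path:lower():find("%%2e%%2e") then
        request_handle:respond({[":status"] = "400"}, "bad path")
      end
    end
  # Helper file, mounted next to the filter scripts; any file type is allowed.
  blocked-agents.txt: |
    sqlmap
    nikto
---
# Fragment to place under spec: of the CoreWaapService that uses the ConfigMap.
lua:
  configMap: shop-waap-lua
  filters:
    - name: deny-path-traversal.lua    # referenced by this name from routes; filters run in list order
  helpers:
    - name: blocked-agents.txt
```

Because the filter name doubles as the ConfigMap key, a typo in either place surfaces only at deploy time as a missing mount, so keep both sides in the same manifest and review them together.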
CoreWaapService.spec.operation
Operation related settings to be used for the Core WAAP Kubernetes deployment; these settings typically do not affect generated Envoy config (optional, except that the operation's image/version fields must be set in the spec or via default in the operator config) [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity]
| Name | Type | Description | Required |
|---|---|---|---|
| adminInterfaceService | object |
Settings for exposing the Envoy admin interface as a Kubernetes service |
false |
| affinity | object |
Kubernetes affinity for the Core Waap pod |
false |
| auth | object |
Settings related to OAuth2/OpenID Connect |
false |
| bufferLimitBytes | integer |
Maximum body size for processing requests and responses (Envoy's perConnectionBufferLimitBytes on listener, plus also affects buffers for traffic processing in transferMode BUFFERED; also make sure that Coraza body limits are set accordingly) Default: 1048576 |
false |
| caCertificates | object |
CA Certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the file from container) |
false |
| image | string |
Core WAAP container image (host+path+name) without version, e.g. 'uspregistry.azurecr.io/usp/core/waap/usp-core-waap' (must be defined either in spec or operator defaults) (DEPRECATED: for backwards compatibility, it is currently still allowed to append a version with ':' and omit a separate version field, but this is deprecated and existing config should be migrated) |
false |
| labels | map[string]string |
Map of key/value labels for the pod |
false |
| metrics | object |
Settings for exposing Metrics endpoint as a Kubernetes service |
false |
| port | integer |
Port of the Kubernetes service and Envoy listener in the Core WAAP container Default: 8080 Minimum: 1 Maximum: 65535 |
false |
| priorityClassName | string |
Kubernetes priorityClassName for the Core Waap pod |
false |
| replicas | integer |
Number of replicas (default is not managed by operator) Minimum: 1 |
false |
| resources | object |
Kubernetes resources for the Core Waap pod |
false |
| serviceAccount | object |
Service account |
false |
| serviceAnnotations | map[string]string |
Map of key/value annotations for the service |
false |
| startup | object |
Settings for Envoy startup (mostly command line options, see https://www.envoyproxy.io/docs/envoy/latest/operations/cli) |
false |
| tolerations | []object |
Kubernetes tolerations for the Core Waap pod |
false |
| version | string |
Core WAAP container (image) version, e.g. '1.1.5' (must be defined either in spec or operator defaults) |
false |
| xffNumTrustedHops | integer |
The number of proxy hops in front of the Core WAAP to trust, i.e. the number of proxies from the right side of the X-Forwarded-For HTTP header to trust when determining the origin client's IP address Default: 0 Minimum: 0 |
false |
CoreWaapService.spec.operation.adminInterfaceService
Settings for exposing the Envoy admin interface as a Kubernetes service
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean |
Whether the Envoy admin interface should be exposed as Kubernetes service Default: false |
false |
| port | integer |
Port of the Kubernetes service (if enabled) and Envoy admin interface listener in the Core WAAP container Default: 9901 Minimum: 1 Maximum: 65535 |
false |
CoreWaapService.spec.operation.affinity
Kubernetes affinity for the Core Waap pod
| Name | Type | Description | Required |
|---|---|---|---|
| nodeAffinity | object |
|
false |
| podAffinity | object |
|
false |
| podAntiAffinity | object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity
| Name | Type | Description | Required |
|---|---|---|---|
| preferredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
| requiredDuringSchedulingIgnoredDuringExecution | object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| preference | object |
|
false |
| weight | integer |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchFields | []object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchFields[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution
| Name | Type | Description | Required |
|---|---|---|---|
| nodeSelectorTerms | []object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index]
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchFields | []object |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchFields[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity
| Name | Type | Description | Required |
|---|---|---|---|
| preferredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
| requiredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| podAffinityTerm | object |
|
false |
| weight | integer |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object |
|
false |
| matchLabelKeys | []string |
|
false |
| mismatchLabelKeys | []string |
|
false |
| namespaceSelector | object |
|
false |
| namespaces | []string |
|
false |
| topologyKey | string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object |
|
false |
| matchLabelKeys | []string |
|
false |
| mismatchLabelKeys | []string |
|
false |
| namespaceSelector | object |
|
false |
| namespaces | []string |
|
false |
| topologyKey | string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity
| Name | Type | Description | Required |
|---|---|---|---|
| preferredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
| requiredDuringSchedulingIgnoredDuringExecution | []object |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| podAffinityTerm | object |
|
false |
| weight | integer |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object |
|
false |
| matchLabelKeys | []string |
|
false |
| mismatchLabelKeys | []string |
|
false |
| namespaceSelector | object |
|
false |
| namespaces | []string |
|
false |
| topologyKey | string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object |
|
false |
| matchLabelKeys | []string |
|
false |
| mismatchLabelKeys | []string |
|
false |
| namespaceSelector | object |
|
false |
| namespaces | []string |
|
false |
| topologyKey | string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object |
|
false |
| matchLabels | map[string]string |
|
false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string |
|
false |
| operator | string |
|
false |
| values | []string |
|
false |
CoreWaapService.spec.operation.auth
Settings related to OAuth2/OpenID Connect
| Name | Type | Description | Required |
|---|---|---|---|
| tokenEncryption | boolean |
Whether to encrypt OAuth2/OpenID Connect tokens in session cookies or not (normally only turned off temporarily for integration or analysis of issues; logs a warning if set to false to help prevent accidental deactivation) Default: true |
false |
CoreWaapService.spec.operation.caCertificates
CA Certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the file from container)
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string |
Name of the config map that contains the CA certificates |
true |
| key | string |
Key (as in 'YAML key/value pair') in the config map that contains the CA certificates |
true |
CoreWaapService.spec.operation.metrics
Settings for exposing Metrics endpoint as a Kubernetes service
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean |
Whether metrics sidecar is enabled or not Default: false |
false |
| image | string |
Metrics sidecar container image (host+path+name) without version, e.g. 'uspregistry.azurecr.io/usp/core/waap/usp-core-waap-metrics' (must be defined either in spec or operator defaults per traffic processor type) |
false |
| pollIntervalSeconds | integer |
Interval (in seconds) between sending metrics requests to the Envoy and traffic processors Default: 60 Minimum: 1 Maximum: 86400 |
false |
| port | integer |
Port of the metrics Kubernetes service Default: 9801 Minimum: 1 Maximum: 65535 |
false |
| resources | object |
Kubernetes resources for the metrics sidecar container |
false |
| version | string |
Metrics sidecar container (image) version, e.g. '1.0.1' (must be defined either in spec or operator defaults per traffic processor type) |
false |
CoreWaapService.spec.operation.metrics.resources
Kubernetes resources for the metrics sidecar container
| Name | Type | Description | Required |
|---|---|---|---|
| claims | []object |
|
false |
| limits | map[string]int or string |
|
false |
| requests | map[string]int or string |
|
false |
CoreWaapService.spec.operation.metrics.resources.claims[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
|
false |
CoreWaapService.spec.operation.resources
Kubernetes resources for the Core Waap pod
| Name | Type | Description | Required |
|---|---|---|---|
| claims | []object |
|
false |
| limits | map[string]int or string |
|
false |
| requests | map[string]int or string |
|
false |
CoreWaapService.spec.operation.resources.claims[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string |
|
false |
CoreWaapService.spec.operation.serviceAccount
Service account
| Name | Type | Description | Required |
|---|---|---|---|
| automountToken | boolean |
Whether to automount the token for the service account Default: true |
false |
| name | string |
Service account name Default: default |
false |
CoreWaapService.spec.operation.startup
Settings for Envoy startup (mostly command line options, see https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
| Name | Type | Description | Required |
|---|---|---|---|
| additionalCliArgs | string |
Additional command line arguments for Envoy |
false |
| componentLogLevel | string |
Envoy log level per component in the form '{comp1}:{level1},{comp2}:{level2}', e.g. 'http:debug,connection:trace', if not set defaults implicitly to empty, command line option '--component-log-level' |
false |
| concurrency | integer |
The number of worker threads to run, if not set defaults implicitly to the number of hardware threads on the machine, command line option '--concurrency' Minimum: 1 |
false |
| logLevel | enum |
Envoy global log level; if not set defaults implicitly to level info, command line option '--log-level' Enum: critical, debug, error, info, off, trace, warn, warning |
false |
CoreWaapService.spec.operation.tolerations[index]
| Name | Type | Description | Required |
|---|---|---|---|
| effect | string |
|
false |
| key | string |
|
false |
| operator | string |
|
false |
| tolerationSeconds | integer |
|
false |
| value | string |
|
false |
CoreWaapService.spec.originBlocking
Origin blocking
| Name | Type | Description | Required |
|---|---|---|---|
| ips | []string |
Allowed or denied IP addresses (CIDR notation or single IP, e.g. 1.2.3.4/32 or 1.2.3.4) |
true |
| policy | enum |
Policy (ALLOW or DENY access depending on origin) Enum: ALLOW, DENY |
true |
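Added example (not the project's own) of a hardened `spec.operation` block together with `originBlocking`, since the two interact through `xffNumTrustedHops`. The image names and versions are the ones quoted in the field descriptions above; the service account name, CA ConfigMap, resource sizes, label, toleration and IP ranges are illustrative.

```yaml
# Added example. Fragment to place under spec: of a CoreWaapService.
operation:
  image: uspregistry.azurecr.io/usp/core/waap/usp-core-waap
  version: "1.1.5"                     # separate field; 'image:tag' is the deprecated form
  replicas: 2
  port: 8080
  # Exactly one trusted proxy (e.g. the ingress controller) sits in front of
  # Core WAAP, so exactly one hop of X-Forwarded-For is trusted. Setting this
  # higher than the real number of hops lets a client pick its own source
  # address by sending X-Forwarded-For itself, which defeats originBlocking.
  xffNumTrustedHops: 1
  # Keep Envoy's buffer limit in step with the Coraza body limits and with the
  # BUFFERED transfer mode of any traffic processor (1 MiB here).
  bufferLimitBytes: 1048576
  adminInterfaceService:
    enabled: false                     # Envoy's admin interface has no authentication: keep it unexposed
  auth:
    tokenEncryption: true              # the default; false logs a warning and is for short debugging windows only
  serviceAccount:
    name: waap-runtime                 # illustrative dedicated account instead of 'default'
    automountToken: false              # assumption: the proxy needs no Kubernetes API access
  caCertificates:
    configMap: corp-ca-bundle          # illustrative; mounted at /etc/ssl/certs/ca-certificates.crt
    key: ca-certificates.crt
  metrics:
    enabled: true
    image: uspregistry.azurecr.io/usp/core/waap/usp-core-waap-metrics
    version: "1.0.1"
    port: 9801
    pollIntervalSeconds: 30
  startup:
    logLevel: warn                     # debug/trace can write request data to logs; raise only while investigating
    concurrency: 2
  resources:
    requests: {cpu: 500m, memory: 512Mi}
    limits: {cpu: "2", memory: 1Gi}
  labels:
    app.kubernetes.io/component: waap
  tolerations:                         # lists replace operator defaults wholesale, they are not merged
    - key: dedicated
      operator: Equal
      value: edge
      effect: NoSchedule
# With xffNumTrustedHops set to the real hop count, the origin Core WAAP sees
# is the client address and the list below means what it says.
originBlocking:
  policy: DENY
  ips:
    - 203.0.113.0/24                   # documentation range used as a placeholder
    - 198.51.100.7                     # single address, same as /32
```

Note the merge rule from the `spec.operation` description: maps such as `resources` are merged key by key with operator defaults, but lists such as `tolerations` and the lists under `affinity` are replaced entirely, so a partial toleration list in the spec silently drops whatever the operator config provided.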
CoreWaapService.spec.trafficProcessing
Traffic processing settings (e.g. for ICAP Anti-Virus scanning)
| Name | Type | Description | Required |
|---|---|---|---|
| icap | []object |
Traffic processing settings for type ICAP (Internet Content Adaptation Protocol); ICAP is typically used for Anti-Virus scanning of HTTP request bodies; currently only validation of the HTTP request body is supported (ICAP REQMOD) (no modifications to the scanned body, no validation of HTTP responses) |
false |
| openapi | []object |
Traffic processing settings for type OPENAPI; OPENAPI is used for request/response validation against an OpenAPI schema |
false |
CoreWaapService.spec.trafficProcessing.icap[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object |
Validation configuration for the sidecar |
true |
| name | string |
Name to reference in routes under trafficProcessingRefs |
true |
| extProc | object |
External processing related settings, i.e. settings for the callout to the ICAP sidecar |
false |
| operation | object |
Operation related settings to be used for Kubernetes deployment of the respective traffic processing sidecar (optional, except that the operation's image/version fields must be set in the spec at 'trafficProcessing.{type}.operation' or via default in the operator config at 'waapSpecTrafficProcessingDefaults.{type}', where '{type}' is e.g. 'icap') [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec] |
false |
CoreWaapService.spec.trafficProcessing.icap[index].config
Validation configuration for the sidecar
| Name | Type | Description | Required |
|---|---|---|---|
| url | string |
ICAP URL including protocol and port (e.g. 'icap://some.host:1344/some/path', use 'icaps://' for TLS) |
true |
CoreWaapService.spec.trafficProcessing.icap[index].extProc
External processing related settings, i.e. settings for the callout to the ICAP sidecar
| Name | Type | Description | Required |
|---|---|---|---|
| additionalCliArgs | string |
Additional command line arguments for the external service |
false |
| messageTimeout | string |
Message timeout for extProc callouts in Kubernetes duration format (e.g. '30s'; defaults to Envoy's default of 200ms) |
false |
| transferMode | enum |
Transfer mode (icap supports BUFFERED and STREAMED; openapi supports only BUFFERED); in BUFFERED mode body size is limited to operator.bufferLimitBytes, while in STREAMED mode, data is streamed in chunks, which, depending on the backend's specific implementation, might cause data to be processed or stored on the backend, even if validation fails in the end Enum: BUFFERED, STREAMED Default: BUFFERED |
false |
CoreWaapService.spec.trafficProcessing.icap[index].operation
Operation related settings used for the Kubernetes deployment of the respective traffic processing sidecar. Optional, except that the operation's image/version fields must be set either in the spec at 'trafficProcessing.{type}.operation' or via a default in the operator config at 'waapSpecTrafficProcessingDefaults.{type}', where '{type}' is e.g. 'icap'. [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec]
| Name | Type | Description | Required |
|---|---|---|---|
| image | string | Traffic processor sidecar container image (host+path+name) without version, e.g. 'uspregistry.azurecr.io/usp/core/waap/usp-core-waap-ext-proc-icap' (must be defined either in the spec or in the operator defaults per traffic processor type). DEPRECATED: for backwards compatibility it is currently still allowed to append a version with ':' and omit a separate version field, but this is deprecated and existing config should be migrated | false |
| resources | object | Kubernetes resources for the sidecar container | false |
| version | string | Traffic processor sidecar container (image) version, e.g. '1.0.1' (must be defined either in the spec or in the operator defaults per traffic processor type) | false |
CoreWaapService.spec.trafficProcessing.icap[index].operation.resources
Kubernetes resources for the sidecar container
| Name | Type | Description | Required |
|---|---|---|---|
| claims | []object | | false |
| limits | map[string]int or string | | false |
| requests | map[string]int or string | | false |
CoreWaapService.spec.trafficProcessing.icap[index].operation.resources.claims[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | | false |
CoreWaapService.spec.trafficProcessing.openapi[index]
| Name | Type | Description | Required |
|---|---|---|---|
| config | object | Validation configuration for the sidecar | true |
| name | string | Name to reference in routes under trafficProcessingRefs | true |
| extProc | object | External processing related settings, i.e. settings for the callout to the OpenAPI sidecar | false |
| operation | object | Operation related settings used for the Kubernetes deployment of the respective traffic processing sidecar. Optional, except that the operation's image/version fields must be set either in the spec at 'trafficProcessing.{type}.operation' or via a default in the operator config at 'waapSpecTrafficProcessingDefaults.{type}', where '{type}' is 'openapi'. [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec] | false |
CoreWaapService.spec.trafficProcessing.openapi[index].config
Validation configuration for the sidecar
| Name | Type | Description | Required |
|---|---|---|---|
| schemaSource | object | Source of the schema that will be used for validation | true |
| scope | object | Validation scope settings | false |
CoreWaapService.spec.trafficProcessing.openapi[index].config.schemaSource
Source of the schema that will be used for validation
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the file | true |
| key | string | Key in the config map that contains the file, and also the name of the file | true |
CoreWaapService.spec.trafficProcessing.openapi[index].config.scope
Validation scope settings
| Name | Type | Description | Required |
|---|---|---|---|
| logOnly | boolean | Indicates that validation failures are only logged and do not fail the request. Default: false | false |
| requestBody | boolean | Indicates that the request body will be validated. Default: true | false |
| responseBody | boolean | Indicates that the response body will be validated. Default: false | false |
CoreWaapService.spec.trafficProcessing.openapi[index].extProc
External processing related settings, i.e. settings for the callout to the OpenAPI sidecar
| Name | Type | Description | Required |
|---|---|---|---|
| additionalCliArgs | string | Additional command line arguments for the external service | false |
| messageTimeout | string | Message timeout for extProc callouts, essentially in Kubernetes duration format (e.g. '30s'); defaults to Envoy's default of 200ms | false |
| transferMode | enum | Transfer mode (icap supports BUFFERED and STREAMED; openapi supports only BUFFERED). In BUFFERED mode the body size is limited to operator.bufferLimitBytes; in STREAMED mode data is streamed in chunks, which, depending on the backend's specific implementation, may cause data to be processed or stored on the backend even if validation fails in the end. Enum: BUFFERED, STREAMED. Default: BUFFERED | false |
CoreWaapService.spec.trafficProcessing.openapi[index].operation
Operation related settings used for the Kubernetes deployment of the respective traffic processing sidecar. Optional, except that the operation's image/version fields must be set either in the spec at 'trafficProcessing.{type}.operation' or via a default in the operator config at 'waapSpecTrafficProcessingDefaults.{type}', where '{type}' is 'openapi'. [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec]
| Name | Type | Description | Required |
|---|---|---|---|
| image | string | Traffic processor sidecar container image (host+path+name) without version, e.g. 'uspregistry.azurecr.io/usp/core/waap/usp-core-waap-ext-proc-icap' (must be defined either in the spec or in the operator defaults per traffic processor type). DEPRECATED: for backwards compatibility it is currently still allowed to append a version with ':' and omit a separate version field, but this is deprecated and existing config should be migrated | false |
| resources | object | Kubernetes resources for the sidecar container | false |
| version | string | Traffic processor sidecar container (image) version, e.g. '1.0.1' (must be defined either in the spec or in the operator defaults per traffic processor type) | false |
CoreWaapService.spec.trafficProcessing.openapi[index].operation.resources
Kubernetes resources for the sidecar container
| Name | Type | Description | Required |
|---|---|---|---|
| claims | []object | | false |
| limits | map[string]int or string | | false |
| requests | map[string]int or string | | false |
CoreWaapService.spec.trafficProcessing.openapi[index].operation.resources.claims[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | | false |
CoreWaapService.spec.webResources
Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the web resources | true |
| path | string | Path where static pages will be served (must begin and end with /) | true |
| errorPages | []object | List of error pages to serve (allows dynamic content, e.g. %PROTOCOL%) | false |
| staticFiles | []object | List of static file resources to serve (no dynamic content) | false |
CoreWaapService.spec.webResources.errorPages[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key in the config map, used as filename (Content-Type guessed from filename, encoding utf-8 for text/*) | true |
| statusCode | string | Status code this page applies to (a pattern such as '4xx' covers all client errors 400-499) | true |
| mappedStatusCode | integer | Status code to send to the client (defaults to the upstream status code) | false |
CoreWaapService.spec.webResources.staticFiles[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key in the config map, used as filename (Content-Type guessed from filename, encoding utf-8 for text/*) | true |
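As an added example (not taken from the Core WAAP documentation or operator), a partial CoreWaapService spec that wires an OpenAPI validation sidecar and webResources error pages together using the fields described above. The metadata name, ConfigMap names and keys, resource sizes and timeout are constructed; the required spec.routes and the operation image/version (assumed to come from the operator defaults) are omitted.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: petstore-waap                 # constructed name
spec:
  # spec.routes (required) is omitted here; a route would reference the
  # processor below under trafficProcessingRefs by its name
  trafficProcessing:
    openapi:
      - name: petstore-schema
        config:
          schemaSource:
            configMap: petstore-openapi   # constructed ConfigMap holding the schema
            key: openapi.yaml             # key in the ConfigMap, also the file name
          scope:
            logOnly: false      # enforce: requests violating the schema fail (default)
            requestBody: true   # validate request bodies (default)
            responseBody: true  # also validate backend responses (default is false)
        extProc:
          transferMode: BUFFERED   # the only mode openapi supports; body capped at operator.bufferLimitBytes
          messageTimeout: 2s       # Kubernetes duration format; Envoy's default is 200ms
        operation:
          # image and version are assumed to come from the operator defaults at
          # waapSpecTrafficProcessingDefaults.openapi; only resources are pinned here
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
  webResources:
    configMap: waap-web-resources   # constructed ConfigMap holding the pages below
    path: /waap-static/             # must begin and end with '/'
    errorPages:
      - key: client-error.html      # Content-Type guessed from the filename
        statusCode: "4xx"           # one page for all client errors 400-499
      - key: server-error.html
        statusCode: "500"
        mappedStatusCode: 503       # client receives 503 instead of the upstream's 500
    staticFiles:
      - key: favicon.ico
```

Setting logOnly to true first lets a new schema be trialled against live traffic with violations only logged; switching it back to false (the default) turns the validation into enforcement.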
CoreWaapService.status
| Name | Type | Description | Required |
|---|---|---|---|
| status | string | | false |
| warnings | []string | | false |