API Reference
Packages:
waap.core.u-s-p.ch/v1alpha1
Resource Types:
CoreWaapService
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | waap.core.u-s-p.ch/v1alpha1 | true |
| kind | string | CoreWaapService | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
| spec | object | | false |
| status | object | | false |
CoreWaapService.spec
| Name | Type | Description | Required |
|---|---|---|---|
| routes | []object | List of routes to backends (at least one route must be defined) | true |
| authentications | []object | List of authentications (OpenID Connect / OAuth 2.0 clients and/or JWT validations) | false |
| coraza | object | Coraza filter settings for Core Rule Set (CRS) and GraphQL validations | false |
| corsPolicy | object | Global CORS protection (default off); any legal OPTIONS requests will be responded to directly by Core WAAP and will not be passed on to backends; other requests will not be responded to directly, but if they are accepted CORS requests that match configured allowed origins, Core WAAP will add the related headers to the response | false |
| csrfPolicy | object | Global CSRF protection (default on); detects and blocks CSRF attacks based on comparing the request origin (either 'Origin' or 'Referer' header) with the request target; if the origin does not match the target and is not allowed specifically, the request will be blocked | false |
| headerFilter | object | Header filter settings; active by default with default sets of allowed request and response headers | false |
| hostnames | []string | List of hostnames (append ports with ':', default is wildcard '*') | false |
| icap | []object | ICAP settings (Internet Content Adaptation Protocol); ICAP is typically used for anti-virus scanning of HTTP request bodies; currently only validation of the HTTP request body is supported (ICAP REQMOD; no modifications to the scanned body, no validation of HTTP responses); note that ICAP validation is done after OpenAPI validation | false |
| lua | object | Lua filter settings (filter scripts plus helper scripts/files) | false |
| nativeConfigPostProcessing | []string | JavaScripts for post-processing the generated Envoy config | false |
| openapi | []object | OpenAPI settings; OpenAPI is used for request/response validation against an OpenAPI schema (note that OpenAPI validation is done before ICAP validation) | false |
| operation | object | Operation-related settings for the Core WAAP Kubernetes deployment; these settings typically do not affect the generated Envoy config (optional, except that the operation's image/version fields must be set in the spec or via a default in the operator config). Merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in the operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity | false |
| originBlocking | object | Origin blocking | false |
| rateLimiting | object | Rate limiting settings | false |
| webResources | object | Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content | false |
| websocket | boolean | Allow websocket Default: false | false |
CoreWaapService.spec.routes[index]
| Name | Type | Description | Required |
|---|---|---|---|
| backend | object | Backend | true |
| match | object | Matching criteria | true |
| auth | object | Authentication | false |
| autoHostRewrite | boolean | Indicates that during forwarding, the host header will be swapped with the hostname of the upstream host Default: true | false |
| coraza | object | Coraza settings per route, including CRS and GraphQL | false |
| headerFilterRef | string | Optional reference to a header filter defined under spec.headerFilter.filters | false |
| icapRefs | []string | References to ICAP; processing order is in the order listed under spec.icap | false |
| luaRefs | object | References to Lua filters | false |
| openapiRefs | []string | References to OpenAPI; processing order is in the order listed under spec.openapi | false |
CoreWaapService.spec.routes[index].backend
Backend
| Name | Type | Description | Required |
|---|---|---|---|
| address | string | Backend hostname or IP | true |
| port | integer | Backend port number Minimum: 1 Maximum: 65535 | true |
| protocol | object | Protocol | false |
| tls | object | TLS | false |
CoreWaapService.spec.routes[index].backend.protocol
Protocol
| Name | Type | Description | Required |
|---|---|---|---|
| selection | enum | Selection of upstream protocol (h2 uses HTTP/2, h1 uses HTTP/1.1, auto negotiates the protocol using ALPN (requires TLS) with HTTP/2 preferred and HTTP/1.1 as fallback) Enum: auto, h1, h2 Default: h2 | false |
CoreWaapService.spec.routes[index].backend.tls
TLS
| Name | Type | Description | Required |
|---|---|---|---|
| checkCertificates | boolean | Check trusted certificates and SAN Default: true | false |
| enabled | boolean | Enable TLS Default: false | false |
CoreWaapService.spec.routes[index].match
Matching criteria
| Name | Type | Description | Required |
|---|---|---|---|
| path | string | Path (depending on pathType either a regex or a prefix) | true |
| filters | object | Filters | false |
| headers | []object | List of header matchers (logical AND between header matchers and with path) | false |
| pathType | enum | Path type Enum: PREFIX, REGEX Default: REGEX | false |
CoreWaapService.spec.routes[index].match.filters
Filters
| Name | Type | Description | Required |
|---|---|---|---|
| allowedMethods | []enum | Allowed HTTP methods (all methods allowed if not specified) Enum: ACL, BIND, CHECKOUT, CONNECT, COPY, DELETE, GET, HEAD, LINK, LOCK, MERGE, MKACTIVITY, MKCALENDAR, MKCOL, MOVE, MSEARCH, NOTIFY, OPTIONS, PATCH, POST, PROPFIND, PROPPATCH, PURGE, PUT, REBIND, REPORT, SEARCH, SOURCE, SUBSCRIBE, TRACE, UNBIND, UNLINK, UNLOCK, UNSUBSCRIBE | false |
| originBlocking | object | Origin blocking | false |
| rewrite | object | Rewrite request | false |
CoreWaapService.spec.routes[index].match.filters.originBlocking
Origin blocking
| Name | Type | Description | Required |
|---|---|---|---|
| ips | []string | Allowed or denied IP addresses (CIDR notation or single IP, e.g. 1.2.3.4/32 or 1.2.3.4) | true |
| policy | enum | Policy (ALLOW or DENY access depending on origin) Enum: ALLOW, DENY | true |
CoreWaapService.spec.routes[index].match.filters.rewrite
Rewrite request
| Name | Type | Description | Required |
|---|---|---|---|
| url | object | URL to set upstream | false |
CoreWaapService.spec.routes[index].match.filters.rewrite.url
URL to set upstream
| Name | Type | Description | Required |
|---|---|---|---|
| path | string | Path to rewrite (with a regex path, \1, \2 etc. can be used to insert the matched regex groups) | true |
CoreWaapService.spec.routes[index].match.headers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Request header name (supported are regular header names as well as the pseudo-headers ':authority' and ':method') | true |
| value | string | Request header value (exact match of full string or regex match) | true |
| valueType | enum | Value type Enum: EXACT, REGEX Default: EXACT | false |
CoreWaapService.spec.routes[index].auth
Authentication
| Name | Type | Description | Required |
|---|---|---|---|
| ref | string | Reference to name of corresponding authentication setting | true |
CoreWaapService.spec.routes[index].coraza
Coraza settings per route, including CRS and GraphQL
| Name | Type | Description | Required |
|---|---|---|---|
| crs | object | OWASP Core Rule Set (CRS) settings per route | false |
| enabled | boolean | Whether to enable Coraza for the route or not Default: true | false |
| graphql | object | GraphQL settings per route | false |
CoreWaapService.spec.routes[index].coraza.crs
OWASP Core Rule Set (CRS) settings per route
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable Coraza CRS for the route or not; effective default is spec.coraza.crs.defaultEnabled | false |
| skipBody | boolean | Whether to skip request body validation or not (requestBodyAccess on/off) Default: false | false |
CoreWaapService.spec.routes[index].coraza.graphql
GraphQL settings per route
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable Coraza GraphQL for the route or not Default: false | false |
| mode | enum | Mode (DETECT = traffic identified as suspicious is logged but not blocked; BLOCK = traffic identified as suspicious is blocked) Enum: BLOCK, DETECT Default: BLOCK | false |
| ref | string | Reference to name of corresponding GraphQL setting; required if GraphQL is enabled on the route | false |
CoreWaapService.spec.routes[index].luaRefs
References to Lua filters
| Name | Type | Description | Required |
|---|---|---|---|
| first | []string | Lua filters to run first, i.e. before other types of filters (more precisely, run first for request and run last for response); Lua filters listed here are run in the order defined under spec.lua | false |
| last | []string | Lua filters to run last, i.e. after other types of filters (more precisely, run last for request and run first for response); Lua filters listed here are run in the order defined under spec.lua | false |
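A complete CoreWaapService manifest that exercises the route fields documented in the tables above (match with path, header matchers and filters, the regex rewrite, the backend with protocol and TLS settings, and per-route Coraza toggles). This is an added example, not a manifest from the original reference or from the Core WAAP project; the resource name, namespace, hostnames, header name, IP ranges and upstream addresses are constructed, and only the field names and enum values come from the tables above.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: shop-waap          # constructed resource name
  namespace: shop          # constructed namespace
spec:
  hostnames:
    - shop.example.test          # constructed; without a port suffix
    - shop.example.test:8443     # constructed; a port is appended with ':'
  routes:
    # Route 1: the API. A REGEX path with one capture group; the rewrite below
    # reuses the group as \1. Only GET and POST are accepted, and only clients
    # from the listed ranges may reach this route (ALLOW policy).
    - match:
        path: "^/api/(.*)$"
        pathType: REGEX
        headers:
          # Header matchers are ANDed with each other and with the path.
          - name: x-api-version            # constructed header name
            value: "v[0-9]+"
            valueType: REGEX
        filters:
          allowedMethods: [GET, POST]
          originBlocking:
            policy: ALLOW
            ips: ["10.0.0.0/8", "192.168.1.10"]   # constructed CIDR and single IP
          rewrite:
            url:
              path: '/v1/\1'   # \1 = the group captured by the REGEX path above
      backend:
        address: api.shop.svc.cluster.local   # constructed upstream hostname
        port: 8443
        protocol:
          selection: auto   # ALPN negotiation, HTTP/2 preferred; requires TLS below
        tls:
          enabled: true
          checkCertificates: true   # verify trust chain and SAN of the upstream cert
      autoHostRewrite: false        # keep the client's Host header towards the upstream
      coraza:
        enabled: true
        crs:
          enabled: true
          skipBody: false           # request bodies on this route are inspected
    # Route 2: static assets on a PREFIX match. Coraza stays inserted, but the
    # CRS validations are switched off for this route only.
    - match:
        path: /static/
        pathType: PREFIX
        filters:
          allowedMethods: [GET, HEAD]
      backend:
        address: 10.20.30.40        # constructed upstream IP
        port: 80
      coraza:
        crs:
          enabled: false
```

Two points worth noticing when reading this against the tables: `pathType` defaults to REGEX, so a plain prefix such as `/static/` must say `PREFIX` explicitly or it is compiled as a regex; and `protocol.selection: auto` only works together with `tls.enabled: true`, as the table states that ALPN negotiation requires TLS.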
CoreWaapService.spec.authentications[index]
| Name | Type | Description | Required |
|---|---|---|---|
| backend | object | Settings for propagation to backend | true |
| jwksEndpoint | string | OIDC JWKS endpoint URL, offers credentials to verify JWTs (normally use https) | true |
| name | string | Name to reference in routes | true |
| audiences | []string | List of accepted JWT audiences (if none is specified the JWT is not matched against the audience list) | false |
| authorizationEndpoint | string | OIDC OP authorization endpoint URL (omit to mark JWT-only authentication; note that tokenEndpoint and credentials must always be defined or omitted together with it) | false |
| credentials | object | OIDC credentials (client_id and client_secret, omit if only using JWT validation) | false |
| denyRedirectMatcher | object | If set, converts 302 redirect responses to 401 unauthorized responses for clients that should not handle redirects, typically Single-Page Applications (SPAs) that use JavaScript (note that if set, the configured (or default) header must also be whitelisted in the request header filter) | false |
| endSessionEndpoint | string | Optional OIDC OP endpoint URL to end the session at the OP (logout at OP); note that logout is initiated at '/core-waap/oauth/{spec.authentications[].name}/signout', which always logs out the client (i.e. the Core WAAP itself), plus, if an end session endpoint is defined in this setting here, subsequently also attempts to log out at the OP | false |
| issuer | string | OIDC OP issuer (mandatory for OIDC authentication, optional if JWT-only authentication) | false |
| scopes | []string | List of scopes to be claimed in the authorization request | false |
| tokenEndpoint | string | OIDC OP token endpoint URL (omit if JWT-only authentication) | false |
| tokenEndpointAuthType | enum | How to pass the client_id to the OP (BODY for URL-encoded body parameter, BASIC for basic auth) Enum: BASIC, BODY Default: BODY | false |
| useRefreshToken | boolean | Whether to allow automatic access token refresh using the associated refresh token Default: false | false |
CoreWaapService.spec.authentications[index].backend
Settings for propagation to backend
| Name | Type | Description | Required |
|---|---|---|---|
| forwardJwt | boolean | Whether to forward the JWT to the upstream server; if OIDC authentication is configured this option will be ignored Default: true | false |
| jwtClaimToHeader | []object | Translations of JWT claims to HTTP headers | false |
CoreWaapService.spec.authentications[index].backend.jwtClaimToHeader[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | Claim to set as header | true |
| headerName | string | Name of the header to set to the claim | true |
CoreWaapService.spec.authentications[index].credentials
OIDC credentials (client_id and client_secret, omit if only using JWT validation)
| Name | Type | Description | Required |
|---|---|---|---|
| clientId | string | OIDC client_id | true |
| clientSecret | string | OIDC client_secret by value (either this or clientSecretRef is mandatory) | false |
| clientSecretRef | string | OIDC client_secret via reference to Kubernetes secret (recommended, either this or clientSecret is mandatory) | false |
| hmacSecret | string | HMAC secret by value (either this or hmacSecretRef is mandatory) | false |
| hmacSecretRef | string | HMAC secret via reference to Kubernetes secret (recommended, either this or hmacSecret is mandatory) | false |
CoreWaapService.spec.authentications[index].denyRedirectMatcher
If set, converts 302 redirect responses to 401 unauthorized responses for clients that should not handle redirects, typically Single-Page Applications (SPAs) that use JavaScript (note that if set, the configured (or default) header must also be whitelisted in the request header filter)
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether response mapping is enabled or not Default: false | false |
| expectedHeaderValue | string | Header value Default: empty | false |
| headerName | string | Header name Default: Sec-Fetch-Dest | false |
| headerValueType | enum | Whether to match the exact value or to treat the value as a REGEX Enum: EXACT, REGEX Default: EXACT | false |
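The two authentication shapes the tables above describe, side by side in one manifest: a browser-facing OIDC client (authorization, token and JWKS endpoints plus credentials, all present together) and a JWT-only validation for machine clients (JWKS endpoint only, no OP endpoints, no credentials). This is an added example and not part of the original reference or of the Core WAAP project's documentation; the identity-provider URLs, client id, Kubernetes Secret names, upstream addresses and claim-to-header names are constructed. The header-filter entry at the end is included because the denyRedirectMatcher table requires its header to pass the request header filter; whether the STANDARD preset already contains Sec-Fetch-Dest is not stated on the page, so the example allows it explicitly rather than relying on the preset.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: portal-waap        # constructed resource name
spec:
  hostnames: [portal.example.test]   # constructed
  authentications:
    # 1) OIDC authorization-code client handled by Core WAAP itself.
    #    authorizationEndpoint, tokenEndpoint and credentials are defined together.
    - name: portal-oidc
      issuer: https://idp.example.test/realms/portal                                   # constructed OP
      authorizationEndpoint: https://idp.example.test/realms/portal/protocol/openid-connect/auth
      tokenEndpoint: https://idp.example.test/realms/portal/protocol/openid-connect/token
      jwksEndpoint: https://idp.example.test/realms/portal/protocol/openid-connect/certs
      endSessionEndpoint: https://idp.example.test/realms/portal/protocol/openid-connect/logout
      scopes: [openid, profile]
      tokenEndpointAuthType: BASIC     # client_id/secret via HTTP basic auth instead of the body
      useRefreshToken: true
      credentials:
        clientId: portal-spa                  # constructed client id
        clientSecretRef: portal-oidc-client   # constructed Kubernetes Secret (preferred over clientSecret)
        hmacSecretRef: portal-oidc-hmac       # constructed Kubernetes Secret (preferred over hmacSecret)
      # SPAs cannot follow a 302 to the OP from an XHR/fetch call; answer 401 instead
      # when the browser marks the request as a fetch (Sec-Fetch-Dest: empty).
      denyRedirectMatcher:
        enabled: true
        headerName: Sec-Fetch-Dest
        expectedHeaderValue: empty
        headerValueType: EXACT
      backend:
        forwardJwt: true      # per the table this is ignored when OIDC is configured
        jwtClaimToHeader:
          - claim: sub
            headerName: X-Subject      # constructed header name
    # 2) JWT-only validation for API clients that already carry a bearer token.
    #    No authorizationEndpoint, tokenEndpoint or credentials.
    - name: api-jwt
      jwksEndpoint: https://idp.example.test/realms/portal/protocol/openid-connect/certs
      issuer: https://idp.example.test/realms/portal   # optional for JWT-only, set here to pin the issuer
      audiences: [shop-api]                             # constructed; tokens for other audiences are rejected
      backend:
        forwardJwt: true
        jwtClaimToHeader:
          - claim: sub
            headerName: X-Subject
          - claim: scope
            headerName: X-Scope        # constructed header name
  headerFilter:
    defaultFilterRef: with-fetch-metadata
    filters:
      - name: with-fetch-metadata
        request:
          allow: [Sec-Fetch-Dest]   # the denyRedirectMatcher header must pass the request filter
  routes:
    - match: { path: /app/, pathType: PREFIX }
      auth: { ref: portal-oidc }
      backend: { address: portal.svc.cluster.local, port: 8080 }   # constructed upstream
    - match: { path: /api/, pathType: PREFIX }
      auth: { ref: api-jwt }
      backend: { address: api.svc.cluster.local, port: 8080 }      # constructed upstream
```

With the OIDC client, logout is initiated at the path the endSessionEndpoint row gives, which for this example resolves to `/core-waap/oauth/portal-oidc/signout`; because `endSessionEndpoint` is set, Core WAAP then also attempts the logout at the OP.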
CoreWaapService.spec.coraza
Coraza filter settings for Core Rule Set (CRS) and GraphQL validations
| Name | Type | Description | Required |
|---|---|---|---|
| crs | object | OWASP Core Rule Set (CRS) settings (version 4.18.0) | false |
| debugLogLevel | integer | Debug log level (0: off, 1: error, 2: warn, 3: info, 4-8: debug, 9: trace) Default: 0 | false |
| enabled | boolean | Enables the Coraza filter; must be enabled if any CRS or GraphQL validations should be done; if set to false here (or at 'spec.routes[].coraza.enabled'), the Coraza filter is not inserted globally (or at that route) Default: true | false |
| graphql | object | GraphQL settings | false |
| parseJson | boolean | Whether to apply CRS protection rules for JSON payloads or not; must be true if GraphQL is enabled on any route Default: true | false |
| parseXml | boolean | Whether to apply CRS protection rules for XML payloads or not Default: true | false |
| requestBodyAccess | boolean | Whether to scan request bodies or not; must be true if GraphQL is enabled on any route (if this setting is disabled, POST parameters and other content submitted in the request body will not be inspected) Default: true | false |
| requestBodyLimitAction | enum | How to handle requests with a larger body than specified in coraza.requestBodyLimitKb (ProcessPartial = validate request body up to limit, let additional bytes through unchecked; Reject = reject request if body is larger than limit) Enum: ProcessPartial, Reject Default: ProcessPartial | false |
| requestBodyLimitKb | integer | Request body limit in KB; body bytes beyond the limit are not parsed (also make sure that operation.bufferLimitBytes is set accordingly) Default: 128 Minimum: 0 Maximum: 1048576 | false |
| responseBodyAccess | boolean | Whether to scan response bodies or not; may only be set to false if coraza.crs.enabledResponseRules is empty (GraphQL does not parse response bodies so far, the backend is trusted) Default: false | false |
| responseBodyLimitAction | enum | How to handle responses with a larger body than specified in coraza.responseBodyLimitKb (ProcessPartial = validate response body up to limit, let additional bytes through unchecked; Reject = reject response if body is larger than limit) Enum: ProcessPartial, Reject Default: ProcessPartial | false |
| responseBodyLimitKb | integer | Response body limit in KB; body bytes beyond the limit are not parsed (also make sure that operation.bufferLimitBytes is set accordingly) Default: 256 Minimum: 0 Maximum: 1048576 | false |
| useLibinjection | boolean | When enabled, Coraza uses libinjection instead of the default implementation Default: true | false |
| useRe2 | boolean | When enabled, Coraza uses the RE2 regex engine instead of the default implementation Default: true | false |
| validateJson | boolean | Special rule which checks the syntax of JSON requests (if the syntax is invalid and the current mode is BLOCK, such requests are blocked); if set to true, only a single mode (either BLOCK or DETECT) may be used across all routes with effectively enabled CRS and/or GraphQL Default: true | false |
CoreWaapService.spec.coraza.crs
OWASP Core Rule Set (CRS) settings (version 4.18.0)
| Name | Type | Description | Required |
|---|---|---|---|
| customRequestBlockingRules | []object | Custom request blocking rules | false |
| defaultEnabled | boolean | If true enabled on all routes unless disabled there, if false disabled on all routes unless enabled there (note that if disabled here (or on a route) but Coraza is enabled globally or on a route, the Coraza filter will still be inserted, but it will not perform any of the validations defined here at 'spec.coraza.crs'; this is so because GraphQL might be active, which also requires the Coraza filter) Default: true | false |
| enabledRequestRules | []enum | Set of request rule classes (default is to include all rules, rules REQUEST_901_INITIALIZATION and REQUEST_949_BLOCKING_EVALUATION are always included, see https://github.com/coreruleset/coreruleset/tree/v4.18.0/rules for all configurable values, just replace '-' by '_' and omit '.conf') Enum: REQUEST_913_SCANNER_DETECTION, REQUEST_920_PROTOCOL_ENFORCEMENT, REQUEST_921_PROTOCOL_ATTACK, REQUEST_922_MULTIPART_ATTACK, REQUEST_930_APPLICATION_ATTACK_LFI, REQUEST_931_APPLICATION_ATTACK_RFI, REQUEST_932_APPLICATION_ATTACK_RCE, REQUEST_933_APPLICATION_ATTACK_PHP, REQUEST_934_APPLICATION_ATTACK_GENERIC, REQUEST_941_APPLICATION_ATTACK_XSS, REQUEST_942_APPLICATION_ATTACK_SQLI, REQUEST_943_APPLICATION_ATTACK_SESSION_FIXATION, REQUEST_944_APPLICATION_ATTACK_JAVA | false |
| enabledResponseRules | []enum | Set of response rule classes (default is to include no rules, rules RESPONSE_959_BLOCKING_EVALUATION and RESPONSE_980_CORRELATION are always included, see https://github.com/coreruleset/coreruleset/tree/v4.18.0/rules for all configurable values, just replace '-' by '_' and omit '.conf') Enum: RESPONSE_950_DATA_LEAKAGES, RESPONSE_951_DATA_LEAKAGES_SQL, RESPONSE_952_DATA_LEAKAGES_JAVA, RESPONSE_953_DATA_LEAKAGES_PHP, RESPONSE_954_DATA_LEAKAGES_IIS, RESPONSE_955_WEB_SHELLS, RESPONSE_956_DATA_LEAKAGES_RUBY | false |
| mode | enum | Mode (DETECT = traffic identified as suspicious is logged but not blocked; BLOCK = traffic identified as suspicious is blocked) Enum: BLOCK, DETECT Default: BLOCK | false |
| paranoiaLevel | integer | Paranoia level (the higher the level the better the protection but also more likely false positives, see OWASP CRS for details) Default: 1 Minimum: 1 Maximum: 4 | false |
| requestRuleExceptions | []object | Conditionally disable request rules to avoid false positive alerts/blocks | false |
| responseRuleExceptions | []object | Conditionally disable response rules to avoid false positive alerts/blocks | false |
| securityLevel | integer | Defines under which conditions suspicious requests are blocked; only has an effect if the mode is set to BLOCK (security level 5 blocks already if 1 (or more) critical anomalies, 4 if 2, 3 if 3, 2 if 5, 1 if 10) Default: 5 Minimum: 1 Maximum: 5 | false |
CoreWaapService.spec.coraza.crs.customRequestBlockingRules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Rule name | true |
| secLangExpression | string | SecLang expression. Rule id range must be [300000,399999] | true |
CoreWaapService.spec.coraza.crs.requestRuleExceptions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| location | string | Location | false |
| metadata | object | Metadata (no impact on native config) | false |
| regEx | boolean | Whether the location is indicated as a regex or not Default: false | false |
| requestPartName | string | Request part name (e.g. 'User-Agent'; only has an effect if request rule exception) | false |
| requestPartType | enum | Request part type (only has an effect if request rule exception) Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
| ruleId | integer | (deprecated, use ruleIds instead) Rule ID | false |
| ruleIds | []integer | A list of Rule IDs (required if ruleId is not specified and must then contain at least one rule ID) | false |
CoreWaapService.spec.coraza.crs.requestRuleExceptions[index].metadata
Metadata (no impact on native config)
| Name | Type | Description | Required |
|---|---|---|---|
| comment | string | Comment why the rule exception was added | false |
| createdBy | string | By whom the rule exception was added | false |
| date | string | Date when the rule exception was added | false |
CoreWaapService.spec.coraza.crs.responseRuleExceptions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| location | string | Location | false |
| metadata | object | Metadata (no impact on native config) | false |
| regEx | boolean | Whether the location is indicated as a regex or not Default: false | false |
| requestPartName | string | Request part name (e.g. 'User-Agent'; only has an effect if request rule exception) | false |
| requestPartType | enum | Request part type (only has an effect if request rule exception) Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
| ruleId | integer | (deprecated, use ruleIds instead) Rule ID | false |
| ruleIds | []integer | A list of Rule IDs (required if ruleId is not specified and must then contain at least one rule ID) | false |
CoreWaapService.spec.coraza.crs.responseRuleExceptions[index].metadata
Metadata (no impact on native config)
| Name | Type | Description | Required |
|---|---|---|---|
| comment | string | Comment why the rule exception was added | false |
| createdBy | string | By whom the rule exception was added | false |
| date | string | Date when the rule exception was added | false |
CoreWaapService.spec.coraza.graphql
GraphQL settings
| Name | Type | Description | Required |
|---|---|---|---|
| configs | []object | Config settings for referencing by name on individual routes | false |
CoreWaapService.spec.coraza.graphql.configs[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name to reference in routes | true |
| schemaSource | object | Source for the GraphQL schema to apply (via config map) | true |
| allowIntrospection | boolean | Whether to allow introspection calls (these could help an attacker, while some use cases need access) Default: false | false |
| queryThresholds | object | Thresholds for queries (e.g. nesting depth) | false |
CoreWaapService.spec.coraza.graphql.configs[index].schemaSource
Source for the GraphQL schema to apply (via config map)
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the file | true |
| key | string | Key in the config map that contains the file, and also the name of the file | true |
CoreWaapService.spec.coraza.graphql.configs[index].queryThresholds
Thresholds for queries (e.g. nesting depth)
| Name | Type | Description | Required |
|---|---|---|---|
| batchSize | integer | Maximum batch size to allow Default: 5 Minimum: 1 | false |
| complexity | integer | Maximum complexity to allow Default: 20 Minimum: 1 | false |
| depth | integer | Maximum nesting depth to allow Default: 5 Minimum: 1 | false |
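A Coraza configuration that ties together the global settings, the CRS tuning, one targeted rule exception, one custom blocking rule and a GraphQL schema reference, as the tables under spec.coraza describe them. This is an added example, not a manifest from the original reference or from the Core WAAP project. The resource name, ConfigMap name, upstream addresses, paths, form-field name and the exception's metadata are constructed; the rule id 942100 in the exception is a CRS SQLi rule id chosen for illustration, and the custom rule's id 300001 is chosen from the range the customRequestBlockingRules table mandates.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: api-waap           # constructed resource name
spec:
  coraza:
    enabled: true
    debugLogLevel: 0
    # Body handling: GraphQL on a route requires requestBodyAccess and parseJson.
    requestBodyAccess: true
    requestBodyLimitKb: 256
    requestBodyLimitAction: Reject      # oversized bodies are refused instead of half-scanned
    responseBodyAccess: true            # required because response rules are enabled below
    responseBodyLimitKb: 256
    responseBodyLimitAction: ProcessPartial
    parseJson: true
    parseXml: true
    # With validateJson on, every route with CRS and/or GraphQL effectively enabled
    # must use the same mode; both routes below run in BLOCK.
    validateJson: true
    crs:
      defaultEnabled: true
      mode: BLOCK
      paranoiaLevel: 2
      securityLevel: 4                  # per the table: block at 2 or more critical anomalies
      enabledRequestRules:              # 901 and 949 are always included and need not be listed
        - REQUEST_920_PROTOCOL_ENFORCEMENT
        - REQUEST_921_PROTOCOL_ATTACK
        - REQUEST_930_APPLICATION_ATTACK_LFI
        - REQUEST_932_APPLICATION_ATTACK_RCE
        - REQUEST_941_APPLICATION_ATTACK_XSS
        - REQUEST_942_APPLICATION_ATTACK_SQLI
      enabledResponseRules:             # 959 and 980 are always included
        - RESPONSE_950_DATA_LEAKAGES
        - RESPONSE_951_DATA_LEAKAGES_SQL
      requestRuleExceptions:
        # Narrow exception: free-text ticket notes trip an SQLi rule. Disable that
        # rule for the one argument on the matching paths only, not globally.
        - ruleIds: [942100]             # illustrative CRS rule id
          requestPartType: ARGS
          requestPartName: note         # constructed form-field name
          location: "^/api/tickets/.*$" # constructed path pattern
          regEx: true
          metadata:                     # no effect on the generated config; audit trail only
            comment: "false positive on free-text ticket notes"
            createdBy: waap-team
            date: "2025-01-15"
      customRequestBlockingRules:
        - name: block-legacy-path
          # SecLang rule; id must lie in [300000,399999]
          secLangExpression: >-
            SecRule REQUEST_URI "@beginsWith /legacy/"
            "id:300001,phase:1,deny,status:403,msg:'legacy path disabled'"
    graphql:
      configs:
        - name: shop-graphql
          schemaSource:
            configMap: shop-graphql-schema   # constructed ConfigMap name
            key: schema.graphql              # key in the ConfigMap and the file name
          allowIntrospection: false
          queryThresholds:
            depth: 6
            complexity: 30
            batchSize: 3
  routes:
    - match: { path: /graphql, pathType: PREFIX }
      coraza:
        enabled: true
        crs: { enabled: true, skipBody: false }
        graphql:
          enabled: true
          mode: BLOCK                   # same mode as CRS, as validateJson requires
          ref: shop-graphql
      backend: { address: graphql.svc.cluster.local, port: 8080 }   # constructed upstream
    - match: { path: /api/, pathType: PREFIX }
      backend: { address: api.svc.cluster.local, port: 8080 }       # constructed upstream
```

Two constraints from the tables are easy to violate and worth checking before applying such a manifest: `responseBodyAccess: false` is only permitted when `enabledResponseRules` is empty, and `requestBodyLimitKb`/`responseBodyLimitKb` need a matching `operation.bufferLimitBytes`, whose schema is not part of this excerpt.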
CoreWaapService.spec.corsPolicy
Global CORS protection (default off); any legal OPTIONS requests will be responded to directly by Core WAAP and will not be passed on to backends; other requests will not be responded to directly, but if they are accepted CORS requests that match configured allowed origins, Core WAAP will add the related headers to the response
| Name | Type | Description | Required |
|---|---|---|---|
| allowedOrigins | []string | Allowed origins, specified as '{hostname}[:{port}]' (no scheme!); must correspond to the request target. | true |
| allowCredentials | boolean | Specifies whether the resource allows credentials. Default: false | false |
| allowHeaders | string | Specifies the content for the "access-control-allow-headers" header. | false |
| allowMethods | string | Specifies the content for the "access-control-allow-methods" header. | false |
| allowPrivateNetworkAccess | boolean | Specifies whether to allow requests whose target server's IP address is more private than the one from which the request initiator was fetched. Default: false | false |
| enabled | boolean | Whether the filter should be enforced or not. Default: false | false |
| exposeHeaders | string | Specifies the content for the "access-control-expose-headers" header. | false |
| forwardNotMatchingPreflights | boolean | Specifies if preflight requests not matching the configured allowed origin should be forwarded to the upstream. Default: true | false |
| maxAge | string | Specifies the content for the "access-control-max-age" header. | false |
CoreWaapService.spec.csrfPolicy
Global CSRF protection (default on); detects and blocks CSRF attacks based on comparing the request origin (either 'Origin' or 'Referrer' header) with the request target; if the origin does not match the target and is not allowed specifically, the request will be blocked
| Name | Type | Description | Required |
|---|---|---|---|
| additionalOrigins | []string | Additional allowed origin values, specified as '{hostname}[:{port}]' (no scheme!); must correspond to the request target. | false |
| enabled | boolean | Whether CSRF protection is enabled or not Default: true | false |
CoreWaapService.spec.headerFilter
Header filter settings; active by default with default sets of allowed request and response headers
| Name | Type | Description | Required |
|---|---|---|---|
| defaultFilterRef | string | Optional reference to a default header filter applied to all routes; if not set, the implicit default applied to all routes is to filter request headers with the set of headers from the allowClass STANDARD and to filter response headers with the default set of allowed headers; the default filter can be selectively overridden per route; please consult the documentation for details on filter operation and merge behavior | false |
| filters | []object | List of reusable header filter definitions; these filters can be referenced either as the global default filter or on individual routes; when a filter is referenced on a route, its settings are merged with the implicit or explicit default; please consult the documentation for details on filter operation and merge behavior | false |
CoreWaapService.spec.headerFilter.filters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name that can be used to reference this filter configuration, either as the global default filter or for a per-route filter | true |
| logOnly | boolean | Whether to only log the headers that would be blocked; defaults to false if not set at the default or per-route level | false |
| request | object | Request header filtering | false |
| response | object | Response header filtering | false |
CoreWaapService.spec.headerFilter.filters[index].request
Request header filtering
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []string | Header names to additionally allow; see the documentation for merge behavior and interplay with other settings here | false |
| allowClass | enum | A common preset of allowed headers (MINIMAL, STANDARD, or RESTRICTED); defaults to STANDARD if not set at the default or per-route level; see the documentation for merge behavior and interplay with other settings here, as well as for which headers are in each common preset Enum: MINIMAL, RESTRICTED, STANDARD | false |
| deny | []string | Header names to additionally deny; see the documentation for merge behavior and interplay with other settings here | false |
| denyPatterns | []object | Headers to deny if their value matches the configured regex pattern; each header name may only appear once (including '*'); defaults to an empty list if not set at the default or per-route level; see the documentation for merge behavior and interplay with other settings here | false |
| enabled | boolean | Whether request header filtering is enabled; defaults to true if not set at the default or per-route level | false |
CoreWaapService.spec.headerFilter.filters[index].request.denyPatterns[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Header name or '*' to match all headers (must be case-insensitively unique in the list) | true |
| pattern | string | Regex pattern to match against the header value | true |
CoreWaapService.spec.headerFilter.filters[index].response
Response header filtering
| Name | Type | Description | Required |
|---|---|---|---|
| allow | []string | Header names to additionally allow; see the documentation for merge behavior and interplay with other settings | false |
| deny | []string | Header names to additionally deny; see the documentation for merge behavior and interplay with other settings | false |
| denyPatterns | []object | Headers to deny if their value matches the configured regex pattern; each header name may only appear once (including '*'); defaults to an empty list if not set at the default or per-route level; see the documentation for merge behavior and interplay with other settings | false |
| enabled | boolean | Whether response header filtering is enabled; defaults to true if not set at the default or per-route level | false |
CoreWaapService.spec.headerFilter.filters[index].response.denyPatterns[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Header name or '*' to match all headers (must be case-insensitively unique in the list) | true |
| pattern | string | Regex pattern to match against the header value | true |
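The request and response header filter tables above describe the same evaluation for a single effective filter: a header survives only if it is on the (preset plus `allow`) list, is not on the `deny` list, and its value matches no `denyPatterns` entry for its name or for `'*'`; with `logOnly` the findings are reported but nothing is dropped. The following is an added example of that evaluation in Python, not code from the Core WAAP project. The `HeaderFilter` and `DenyPattern` classes, the sample headers and the allow set standing in for a preset are all constructed here; the documented merge behavior between the default and per-route filters is not modelled.

```python
import re
from dataclasses import dataclass, field


@dataclass
class DenyPattern:
    """One denyPatterns entry: a header name (or '*') and a regex for its value."""
    name: str
    pattern: str


@dataclass
class HeaderFilter:
    """Single effective header filter (hypothetical model of one request/response block)."""
    enabled: bool = True
    allow: set = field(default_factory=set)        # preset plus 'allow' entries (constructed here)
    deny: set = field(default_factory=set)         # 'deny' entries
    deny_patterns: list = field(default_factory=list)
    log_only: bool = False

    def __post_init__(self):
        # Header names compare case-insensitively, as HTTP requires.
        self.allow = {h.lower() for h in self.allow}
        self.deny = {h.lower() for h in self.deny}
        names = [p.name.lower() for p in self.deny_patterns]
        if len(names) != len(set(names)):
            raise ValueError("denyPatterns: header names must be case-insensitively unique")
        self._compiled = [(p.name.lower(), re.compile(p.pattern)) for p in self.deny_patterns]

    def apply(self, headers):
        """Return (headers_to_forward, findings); findings are (name, reason) pairs."""
        if not self.enabled:
            return dict(headers), []
        kept, findings = {}, []
        for name, value in headers.items():
            reason = self._reason_to_block(name.lower(), value)
            if reason is None:
                kept[name] = value
                continue
            findings.append((name, reason))
            if self.log_only:          # logOnly: report, but still forward the header
                kept[name] = value
        return kept, findings

    def _reason_to_block(self, lname, value):
        if lname in self.deny:
            return "denied by name"
        for pname, rx in self._compiled:
            if (pname == "*" or pname == lname) and rx.search(value):
                return f"value matches denyPattern {rx.pattern!r}"
        if lname not in self.allow:
            return "not in allow list"
        return None


if __name__ == "__main__":
    # Constructed sample: a small allow set plus a CRLF guard on every header.
    f = HeaderFilter(
        allow={"Host", "Content-Type", "X-Request-Id"},
        deny={"x-debug"},
        deny_patterns=[DenyPattern("*", r"[\r\n]"), DenyPattern("Content-Type", r"(?i)multipart")],
    )
    kept, findings = f.apply({"Host": "example.test", "X-Debug": "1",
                              "Content-Type": "multipart/form-data", "X-Unknown": "v"})
    print(kept)      # only Host survives
    print(findings)  # three findings with their reasons
```

Ordering matters: an explicit `deny` or a matching pattern wins over membership in the allow set, so a header that is normally permitted (`Content-Type`) can still be dropped when its value is unwanted, and the `'*'` pattern lets one rule cover a value-shape check such as embedded CR/LF across every header.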
CoreWaapService.spec.icap[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name to reference in routes under icapRefs | true |
| url | string | ICAP URL including protocol and port (e.g. 'icap://some.host:1344/some/path'; use 'icaps://' for TLS) | true |
| debug | boolean | Enables ICAP client internal debug logs. Default: false | false |
| icapHeaders | []string | Additional ICAP headers; each entry is parsed as "Key: Value" (value optional) | false |
| timeoutSecs | integer | ICAP client socket timeout in seconds (applies to OPTIONS and REQMOD). Default: 10 | false |
CoreWaapService.spec.lua
Lua filter settings (filter scripts plus helper scripts/files)
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the Lua filter scripts and helper files (must be defined if any Lua filters or helper files are defined) | false |
| filters | []object | Lua filter scripts; will be run in the order listed here if referenced in routes | false |
| helpers | []object | Helper files that will be mounted in parallel to the Lua filter scripts; usually Lua utility scripts, but can be any file type | false |
CoreWaapService.spec.lua.filters[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Script name, used to reference the filter in routes, as the mounted filename, and as the key in 'spec.lua.configMap'; must end with '.lua' | true |
CoreWaapService.spec.lua.helpers[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the file to mount in parallel to the Lua filter scripts; also the key in 'spec.lua.configMap' | true |
CoreWaapService.spec.openapi[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name to reference in routes under openapiRefs | true |
| schemaSource | object | Source of the schema that will be used for validation | true |
| scope | object | Validation scope settings | false |
CoreWaapService.spec.openapi[index].schemaSource
Source of the schema that will be used for validation
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the file | true |
| key | string | Key in the config map that contains the file, and also the name of the file | true |
CoreWaapService.spec.openapi[index].scope
Validation scope settings
| Name | Type | Description | Required |
|---|---|---|---|
| mode | enum | Whether to block when validation fails (BLOCK) or to only log (DETECT). Enum: BLOCK, DETECT. Default: BLOCK | false |
| requestBody | boolean | Indicates that the request body will be validated. Default: true | false |
| responseBody | boolean | Indicates that the response body will be validated. Default: false | false |
CoreWaapService.spec.operation
Operation related settings to be used for the Core WAAP Kubernetes deployment; these settings typically do not affect the generated Envoy config (optional, except that the operation's image/version fields must be set in the spec or via default in the operator config). Merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in the operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity.
| Name | Type | Description | Required |
|---|---|---|---|
| adminInterfaceService | object | Settings for exposing the Envoy admin interface as a Kubernetes service | false |
| affinity | object | Kubernetes affinity for the Core Waap pod | false |
| auth | object | Settings related to OAuth2/OpenID Connect | false |
| bufferLimitBytes | integer | Maximum body size for processing requests and responses (Envoy's perConnectionBufferLimitBytes on the listener; also make sure that Coraza body limits are set accordingly). Default: 1048576. Minimum: 1. Maximum: 4.294967295e+09 | false |
| caCertificates | object | CA Certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the file from the container) | false |
| debug | boolean | Use the debug container image; intended for development and troubleshooting only | false |
| image | string | Core WAAP container image (host+path+name) without version, e.g. 'uspregistry.azurecr.io/usp/core/waap/usp-core-waap' (must be defined either in spec or operator defaults) (DEPRECATED: for backwards compatibility, it is currently still allowed to append a version with ':' and omit a separate version field, but this is deprecated and existing config should be migrated) | false |
| labels | map[string]string | Map of key/value labels for the pod | false |
| metrics | object | Settings for exposing the metrics endpoint as a Kubernetes service | false |
| port | integer | Port of the Kubernetes service and Envoy listener in the Core WAAP container. Default: 8080. Minimum: 1. Maximum: 65535 | false |
| priorityClassName | string | Kubernetes priorityClassName for the Core Waap pod | false |
| replicas | integer | Number of replicas (default is not managed by operator). Minimum: 1 | false |
| resources | object | Kubernetes resources for the Core Waap pod | false |
| securityContext | object | Kubernetes securityContext for the Core Waap container | false |
| serviceAccount | object | Service account | false |
| serviceAnnotations | map[string]string | Map of key/value annotations for the service | false |
| startup | object | Settings for Envoy startup (mostly command line options, see https://www.envoyproxy.io/docs/envoy/latest/operations/cli) | false |
| tolerations | []object | Kubernetes tolerations for the Core Waap pod | false |
| version | string | Core WAAP container (image) version, e.g. '1.1.5' (must be defined either in spec or operator defaults) | false |
| xffNumTrustedHops | integer | The number of proxy hops in front of the Core WAAP to trust, i.e. the number of proxies from the right side of the X-Forwarded-For HTTP header to trust when determining the origin client's IP address. Default: 0. Minimum: 0 | false |
CoreWaapService.spec.operation.adminInterfaceService
Settings for exposing the Envoy admin interface as a Kubernetes service
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether the Envoy admin interface should be exposed as a Kubernetes service. Default: false | false |
| port | integer | Port of the Kubernetes service (if enabled) and Envoy admin interface listener in the Core WAAP container. Default: 9901. Minimum: 1. Maximum: 65535 | false |
CoreWaapService.spec.operation.affinity
Kubernetes affinity for the Core Waap pod
| Name | Type | Description | Required |
|---|---|---|---|
| nodeAffinity | object | | false |
| podAffinity | object | | false |
| podAntiAffinity | object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity
| Name | Type | Description | Required |
|---|---|---|---|
| preferredDuringSchedulingIgnoredDuringExecution | []object | | false |
| requiredDuringSchedulingIgnoredDuringExecution | object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| preference | object | | false |
| weight | integer | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchFields | []object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchFields[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution
| Name | Type | Description | Required |
|---|---|---|---|
| nodeSelectorTerms | []object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index]
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchFields | []object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchFields[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity
| Name | Type | Description | Required |
|---|---|---|---|
| preferredDuringSchedulingIgnoredDuringExecution | []object | | false |
| requiredDuringSchedulingIgnoredDuringExecution | []object | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| podAffinityTerm | object | | false |
| weight | integer | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object | | false |
| matchLabelKeys | []string | | false |
| mismatchLabelKeys | []string | | false |
| namespaceSelector | object | | false |
| namespaces | []string | | false |
| topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object | | false |
| matchLabelKeys | []string | | false |
| mismatchLabelKeys | []string | | false |
| namespaceSelector | object | | false |
| namespaces | []string | | false |
| topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity
| Name | Type | Description | Required |
|---|---|---|---|
| preferredDuringSchedulingIgnoredDuringExecution | []object | | false |
| requiredDuringSchedulingIgnoredDuringExecution | []object | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| podAffinityTerm | object | | false |
| weight | integer | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object | | false |
| matchLabelKeys | []string | | false |
| mismatchLabelKeys | []string | | false |
| namespaceSelector | object | | false |
| namespaces | []string | | false |
| topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
| Name | Type | Description | Required |
|---|---|---|---|
| labelSelector | object | | false |
| matchLabelKeys | []string | | false |
| mismatchLabelKeys | []string | | false |
| namespaceSelector | object | | false |
| namespaces | []string | | false |
| topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
| Name | Type | Description | Required |
|---|---|---|---|
| matchExpressions | []object | | false |
| matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | false |
| operator | string | | false |
| values | []string | | false |
CoreWaapService.spec.operation.auth
Settings related to OAuth2/OpenID Connect
| Name | Type | Description | Required |
|---|---|---|---|
| tokenEncryption | boolean | Whether to encrypt OAuth2/OpenID Connect tokens in session cookies or not (normally only turned off temporarily for integration or analysis of issues; logs a warning if set to false to help prevent accidental deactivation). Default: true | false |
CoreWaapService.spec.operation.caCertificates
CA Certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the file from the container)
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the CA certificates | true |
| key | string | Key (as in 'YAML key/value pair') in the config map that contains the CA certificates | true |
CoreWaapService.spec.operation.metrics
Settings for exposing the metrics endpoint as a Kubernetes service
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to expose metrics or not. Default: false | false |
| port | integer | Port of the metrics Kubernetes service. Default: 9801. Minimum: 1. Maximum: 65535 | false |
CoreWaapService.spec.operation.resources
Kubernetes resources for the Core Waap pod
| Name | Type | Description | Required |
|---|---|---|---|
| claims | []object | | false |
| limits | map[string]int or string | | false |
| requests | map[string]int or string | | false |
CoreWaapService.spec.operation.resources.claims[index]
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | | false |
| request | string | | false |
CoreWaapService.spec.operation.securityContext
Kubernetes securityContext for the Core Waap container
| Name | Type | Description | Required |
|---|---|---|---|
| allowPrivilegeEscalation | boolean | | false |
| appArmorProfile | object | | false |
| capabilities | object | | false |
| privileged | boolean | | false |
| procMount | string | | false |
| readOnlyRootFilesystem | boolean | | false |
| runAsGroup | integer | | false |
| runAsNonRoot | boolean | | false |
| runAsUser | integer | | false |
| seLinuxOptions | object | | false |
| seccompProfile | object | | false |
| windowsOptions | object | | false |
CoreWaapService.spec.operation.securityContext.appArmorProfile
| Name | Type | Description | Required |
|---|---|---|---|
| localhostProfile | string | | false |
| type | string | | false |
CoreWaapService.spec.operation.securityContext.capabilities
| Name | Type | Description | Required |
|---|---|---|---|
| add | []string | | false |
| drop | []string | | false |
CoreWaapService.spec.operation.securityContext.seLinuxOptions
| Name | Type | Description | Required |
|---|---|---|---|
| level | string | | false |
| role | string | | false |
| type | string | | false |
| user | string | | false |
CoreWaapService.spec.operation.securityContext.seccompProfile
| Name | Type | Description | Required |
|---|---|---|---|
| localhostProfile | string | | false |
| type | string | | false |
CoreWaapService.spec.operation.securityContext.windowsOptions
| Name | Type | Description | Required |
|---|---|---|---|
| gmsaCredentialSpec | string | | false |
| gmsaCredentialSpecName | string | | false |
| hostProcess | boolean | | false |
| runAsUserName | string | | false |
CoreWaapService.spec.operation.serviceAccount
Service account
| Name | Type | Description | Required |
|---|---|---|---|
| automountToken | boolean | Whether to automount the token for the service account. Default: true | false |
| name | string | Service account name. Default: default | false |
CoreWaapService.spec.operation.startup
Settings for Envoy startup (mostly command line options, see https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
| Name | Type | Description | Required |
|---|---|---|---|
| additionalCliArgs | []string | Additional command line arguments for Envoy | false |
| componentLogLevel | string | Envoy log level per component in the form '{comp1}:{level1},{comp2}:{level2}', e.g. 'http:debug,connection:trace'; if not set, defaults implicitly to empty; command line option '--component-log-level' | false |
| concurrency | integer | The number of worker threads to run; if not set, defaults implicitly to the number of hardware threads on the machine; command line option '--concurrency'. Minimum: 1 | false |
| logLevel | enum | Envoy global log level; if not set, defaults implicitly to level info; command line option '--log-level'. Enum: critical, debug, error, info, off, trace, warn, warning | false |
CoreWaapService.spec.operation.tolerations[index]
| Name | Type | Description | Required |
|---|---|---|---|
| effect | string | | false |
| key | string | | false |
| operator | string | | false |
| tolerationSeconds | integer | | false |
| value | string | | false |
CoreWaapService.spec.originBlocking
Origin blocking
| Name | Type | Description | Required |
|---|---|---|---|
| ips | []string | Allowed or denied IP addresses (CIDR notation or single IP, e.g. 1.2.3.4/32 or 1.2.3.4) | true |
| policy | enum | Policy (ALLOW or DENY access depending on origin). Enum: ALLOW, DENY | true |
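Origin blocking is only as trustworthy as the client IP it is applied to, and that IP is selected by the `xffNumTrustedHops` setting described under `CoreWaapService.spec.operation`: the N rightmost X-Forwarded-For entries were appended by trusted proxies, so the N-th entry from the right is the client, and anything further left was supplied by untrusted parties and can be arbitrary. The following is an added example in Python that chains the two, not code from the Core WAAP project or from Envoy. It assumes Envoy's documented rule for the case where the connection's remote address is used (N = 0 means the connecting peer itself; fewer than N entries falls back to the peer); the function names, the sample header and the address values are constructed here.

```python
import ipaddress


def trusted_client_ip(xff_header, remote_addr, xff_num_trusted_hops):
    """Select the client address: with N trusted hops, the N-th X-Forwarded-For entry
    from the right; with N == 0 or too few entries, the connecting peer (assumed rule)."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if xff_num_trusted_hops <= 0 or len(hops) < xff_num_trusted_hops:
        return remote_addr
    return hops[-xff_num_trusted_hops]


class OriginBlocking:
    """Hypothetical model of spec.originBlocking: one policy over a list of IPs/CIDRs."""

    def __init__(self, policy, ips):
        if policy not in ("ALLOW", "DENY"):
            raise ValueError("policy must be ALLOW or DENY")
        self.policy = policy
        # A bare address such as '1.2.3.4' becomes the single-host network /32.
        self.networks = [ipaddress.ip_network(entry, strict=False) for entry in ips]

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def permits(self, ip):
        """ALLOW: only listed origins pass; DENY: everything except listed origins passes."""
        listed = self.matches(ip)
        return listed if self.policy == "ALLOW" else not listed


def admit(xff_header, remote_addr, xff_num_trusted_hops, blocking):
    """Return (client_ip, permitted) for one request, as the filter chain would decide it."""
    client_ip = trusted_client_ip(xff_header, remote_addr, xff_num_trusted_hops)
    return client_ip, blocking.permits(client_ip)


if __name__ == "__main__":
    # Constructed sample: one trusted load balancer (10.0.0.2) in front of the WAAP,
    # the real client 203.0.113.9, and a client-supplied leftmost entry that must be ignored.
    xff = "198.51.100.5, 203.0.113.9"
    deny = OriginBlocking("DENY", ["203.0.113.0/24"])
    print(admit(xff, "10.0.0.2", 1, deny))   # ('203.0.113.9', False): denied on the real address
    print(admit(xff, "10.0.0.2", 0, deny))   # ('10.0.0.2', True): hops=0 sees only the LB
```

The two prints show the operational point: with `xffNumTrustedHops` left at its default of 0 behind a load balancer, every request appears to come from the balancer and an IP-based DENY list never matches; set it too high and a client-controlled entry becomes the "client IP".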
CoreWaapService.spec.rateLimiting
Rate limiting settings
| Name | Type | Description | Required |
|---|---|---|---|
| repeatOffender | object | Repeat offender protection settings, i.e. protection against clients that cause lots of errors in a short time | false |
CoreWaapService.spec.rateLimiting.repeatOffender
Repeat offender protection settings, i.e. protection against clients that cause lots of errors in a short time
| Name | Type | Description | Required |
|---|---|---|---|
| clientIdentification | object | How to identify clients that repeatedly produce specific HTTP status codes | false |
| enabled | boolean | Whether repeat offender protection is enabled or not. Default: true | false |
| excludedClientIPs | []string | Set of IPv4 IPs to exclude from protection | false |
| violation | object | Settings that define how violations are identified and how to temporarily block repeat offenders in order to limit their average/overall rates | false |
CoreWaapService.spec.rateLimiting.repeatOffender.clientIdentification
How to identify clients that repeatedly produce specific HTTP status codes
| Name | Type | Description | Required |
|---|---|---|---|
| headerName | string | The header used to identify clients. Default: X-Forwarded-For | false |
| statusCodeIfMissing | integer | Status code to return if the identifying header is missing in a request. Default: 403. Minimum: 100. Maximum: 599 | false |
CoreWaapService.spec.rateLimiting.repeatOffender.violation
Settings that define how violations are identified and how to temporarily block repeat offenders in order to limit their average/overall rates
| Name | Type | Description | Required |
|---|---|---|---|
| durationSecs | integer | This setting is used both for the time interval during which violations are counted and for the duration the client will be temporarily blocked if there have been too many violations; counting starts at the first violation, and if there are more violations than 'threshold' during 'durationSecs', the client is immediately blocked for 'durationSecs'. Default: 60. Minimum: 1 | false |
| httpCodes | []string | HTTP status codes that cause the violation counter to be increased; besides numbers like '503', whole ranges like '4xx' for 400-499 can be used. Default: [4xx 5xx] | false |
| statusCode | integer | HTTP status code to return when the client has been temporarily blocked due to too many violations. Default: 429. Minimum: 100. Maximum: 599 | false |
| threshold | integer | Number of violations after which to temporarily block the client. Default: 10. Minimum: 1. Maximum: 65535 | false |
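The `repeatOffender` tables above describe a complete algorithm: identify the client by a header (answering `statusCodeIfMissing` when it is absent), count upstream responses whose status matches `httpCodes` in a window that opens at the first violation, and once the count exceeds `threshold` within `durationSecs` answer `statusCode` for the next `durationSecs`. The following is an added example of that state machine in Python, not code from the Core WAAP project; the `RepeatOffenderGuard` class, the clock passed in as a plain number, and the sample requests are constructed here. It follows the `durationSecs` wording ("more violations than 'threshold'") for the blocking condition and uses the page's defaults.

```python
def status_matches(code, patterns):
    """True if `code` matches an httpCodes entry: an exact code like '503' or a range like '4xx'."""
    s = str(code)
    for p in patterns:
        if len(p) == 3 and (p == s or (p.endswith("xx") and p[0] == s[0])):
            return True
    return False


class RepeatOffenderGuard:
    """Hypothetical model of spec.rateLimiting.repeatOffender (defaults as documented)."""

    def __init__(self, duration_secs=60, threshold=10, http_codes=("4xx", "5xx"),
                 block_status=429, header_name="X-Forwarded-For",
                 status_if_missing=403, excluded_ips=()):
        self.duration = duration_secs
        self.threshold = threshold
        self.http_codes = tuple(http_codes)
        self.block_status = block_status
        self.header_name = header_name
        self.status_if_missing = status_if_missing
        self.excluded = set(excluded_ips)
        self.windows = {}        # client -> (window_start, violation_count)
        self.blocked_until = {}  # client -> time at which the block expires

    def _client(self, headers):
        # Header names are case-insensitive; the identifying header's value names the client.
        for k, v in headers.items():
            if k.lower() == self.header_name.lower():
                return v
        return None

    def check(self, headers, now):
        """Before forwarding: None lets the request through, otherwise the status to answer with."""
        client = self._client(headers)
        if client is None:
            return self.status_if_missing
        if client in self.excluded:
            return None
        until = self.blocked_until.get(client)
        if until is not None:
            if now < until:
                return self.block_status
            del self.blocked_until[client]   # block expired
        return None

    def record(self, headers, upstream_status, now):
        """After the upstream answered: count a violation and block when the threshold is exceeded."""
        client = self._client(headers)
        if client is None or client in self.excluded:
            return
        if not status_matches(upstream_status, self.http_codes):
            return
        start, count = self.windows.get(client, (None, 0))
        if start is None or now - start >= self.duration:
            start, count = now, 0                 # window opens at the first violation
        count += 1
        self.windows[client] = (start, count)
        if count > self.threshold:
            self.blocked_until[client] = now + self.duration
            del self.windows[client]              # counting restarts after the block


if __name__ == "__main__":
    # Constructed scenario: threshold 3, four 4xx/5xx answers within 60 s, then a 429.
    g = RepeatOffenderGuard(threshold=3)
    req = {"X-Forwarded-For": "203.0.113.7"}
    for t, status in ((0, 404), (1, 404), (2, 500), (3, 503)):
        g.record(req, status, t)
    print(g.check(req, 10))   # 429
    print(g.check(req, 63))   # None: block of 60 s has expired
    print(g.check({}, 0))     # 403: identifying header missing
```

Two details worth noticing when tuning this: the block is issued on the violation after `threshold` (so with the default 10, the 11th error inside the window triggers it), and a client that keeps below the threshold simply gets a fresh window once `durationSecs` has elapsed since its first violation, which is why the page describes the mechanism as limiting average rather than peak rates.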
CoreWaapService.spec.webResources
Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content
| Name | Type | Description | Required |
|---|---|---|---|
| configMap | string | Name of the config map that contains the web resources | true |
| path | string | Path where static pages will be served (must begin and end with /) | true |
| errorPages | []object | List of error pages to serve (allows dynamic content, e.g. %PROTOCOL%) | false |
| staticFiles | []object | List of static file resources to serve (no dynamic content) | false |
CoreWaapService.spec.webResources.errorPages[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key in the config map, used as filename (Content-Type guessed from filename, encoding utf-8 for text/*) | true |
| statusCode | string | Status code to apply to (also allows e.g. '4xx' for all client errors 400-499) | true |
| mappedStatusCode | integer | Status code to send to the client (defaults to the upstream status code) | false |
CoreWaapService.spec.webResources.staticFiles[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key in the config map, used as filename (Content-Type guessed from filename, encoding utf-8 for text/*) | true |
CoreWaapService.status
| Name | Type | Description | Required |
|---|---|---|---|
| status | string | | false |
| warnings | []string | | false |