CR ContentSecurity

The Custom Resource ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container. It does so by referencing various other CRs which cover different aspects of web application security.
If references are not explicitly configured, default settings designed to work with most upstream services will be applied.

List of referenceable CRs:
  • CR DenyRules – Configures request filtering using deny rules.
  • CR HeaderRewrites – Configures request and response header manipulations.
  • CR Parser – Configures content parsers.
  • CR Limits – Configures various size checks on requests.

The Microgateway Operator watches and reads the Custom Resources of type ContentSecurity and configures the Microgateway Engine accordingly.

General tips for working with CRs

  • CLI:
    • Use kubectl explain <replace with CRD name> --recursive to list all available options and the YAML structure.
    • Check the CRD description texts with kubectl explain <replace with CRD name and path> for more details on the available options.
  • API Reference documentation:
    • Click on the link to open the CR-related documentation in a new browser tab or window: CRD Reference documentation. See also the API Reference documentation links at the end of this article.

Example configuration

The following example shows a simple Custom Resource ContentSecurity that contains the denyRulesRef to the CR DenyRules to secure a web application in Microgateway Engine:

apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurity
metadata:
  name: content-security-sample
spec:
  filter:
    denyRulesRef:
      name: deny-rules-sample

Additional references from the CR ContentSecurity to other CRs may be required. See the list of referenceable CRs above.

The Envoy proxy is the basis for the Microgateway Engine. It has been enriched with Airlock-specific features which can be configured with the corresponding CRs. If a feature available as a native Envoy filter is missing in these CRs, the CR EnvoyHTTPFilter can be used to prepend such a native Envoy filter. The CR EnvoyCluster allows configuring additional clusters if a native Envoy filter relies on it. For the CRs EnvoyHTTPFilter and EnvoyCluster, the Envoy configuration language must be used.

See CR EnvoyHTTPFilter and CR EnvoyCluster.

See also the API Reference documentation link at the end of this article.

Reference in CR SidecarGateway

The CR SidecarGateway resource refers to CR ContentSecurity.

...

spec:
  applications:
  - containerPort: 5051
    contentSecurityRef:
      name: content-security-example

...

Without a Custom Resource SidecarGateway referring to a Pod, the Microgateway Engine does not forward any traffic to the upstream application. This results in Connection Refused errors on access.

The status of referenced CRs (including nested CRs) is available via the status of the CR SidecarGateway; missing references are reported with further information in the form of a message and a reason. This helps to find problems and solve them quickly.

See also the API Reference documentation link at the end of this article.
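As an added example that is not part of the Airlock documentation, the following Python script resolves the references of a ContentSecurity against an inventory of CRs in the same namespace and reports each one with a reason and a message, in the spirit of the SidecarGateway status described above. The field name denyRulesRef comes from the example configuration on this page; the field names headerRewritesRef, parserRef and limitsRef, the status wording, and the sample resources are assumptions made for this example and are not the Operator's own output.

```python
from typing import List, Tuple

# Reference field -> kind it must point to. denyRulesRef is the field shown on this
# page; the other three field names are assumptions made for this example.
REF_KINDS = {"denyRulesRef": "DenyRules", "headerRewritesRef": "HeaderRewrites",
             "parserRef": "Parser", "limitsRef": "Limits"}

def find_refs(node, path: str = "spec") -> List[Tuple[str, str, str]]:
    """Walk a spec and collect (path, refField, targetName) for every *Ref object."""
    found: List[Tuple[str, str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith("Ref") and isinstance(value, dict) and "name" in value:
                found.append((f"{path}.{key}", key, value["name"]))
            else:
                found.extend(find_refs(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_refs(item, f"{path}[{i}]"))
    return found

def check_references(content_security: dict, cluster: List[dict]) -> List[dict]:
    """One entry per reference: resolved or missing, with a reason and a message."""
    ns = content_security["metadata"].get("namespace", "default")
    present = {(r["kind"], r["metadata"].get("namespace", "default"),
                r["metadata"]["name"]) for r in cluster}
    report = []
    for path, field, name in find_refs(content_security.get("spec", {})):
        kind = REF_KINDS.get(field, "<unknown kind>")
        ok = (kind, ns, name) in present
        report.append({"path": path,
                       "status": "Resolved" if ok else "Missing",
                       "reason": "Found" if ok else "NotFound",
                       "message": f"{kind}/{name} {'found' if ok else 'not found'} in namespace {ns}"})
    return report

# Constructed sample input: the page's ContentSecurity, extended with a limitsRef
# whose target is absent from the (also constructed) cluster inventory.
SAMPLE_CS = {
    "apiVersion": "microgateway.airlock.com/v1alpha1", "kind": "ContentSecurity",
    "metadata": {"name": "content-security-sample", "namespace": "default"},
    "spec": {"filter": {"denyRulesRef": {"name": "deny-rules-sample"},
                        "limitsRef": {"name": "limits-sample"}}},
}
SAMPLE_CLUSTER = [{"kind": "DenyRules",
                   "metadata": {"name": "deny-rules-sample", "namespace": "default"}}]

if __name__ == "__main__":
    for e in check_references(SAMPLE_CS, SAMPLE_CLUSTER):
        print(f"{e['status']:8} {e['path']}: {e['reason']} - {e['message']}")
```

Feeding the script the output of kubectl get for the referenceable kinds instead of SAMPLE_CLUSTER turns it into a pre-apply check that a Microgateway Engine will find every CR its ContentSecurity points to.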