CR Limits

Airlock Microgateway performs various size checks on requests with a default configuration to repel denial of service (DoS) attacks out of the box. The CR Limits can be used to configure these limit checks on the route level.

  • Limit checks are available for:
  • Number and size of parameters.
  • General request properties like body size or path length.
  • Various aspects of JSON Payload.
  • A global header size check (can be configured in the Limiting request headers length).

General tips for working with CRs

  • CLI:
  • Use kubectl explain <replace with CRD name> --recursive to list all available options and the YAML structure.
  • Check the CRD description texts with kubectl explain <replace with CRD name and path> of the available options for more details.
  • API Reference documentation:
  • Click on the link to open the CR-related documentation in a new browser tab or window: CRD Reference documentation. See also the API Reference documentation links at the end article.

Example configuration

The following example shows the size limit configuration options with their default values:

kind: Limits 
  name: limits-sample 
    threatHandlingMode: Block
        bodySize: 100M        
        pathLength: 1Ki        
        count: 128             
        nameLength: 128     
        valueLength: 1Ki    
        nestingDepth: 100      
        keyCount: 250         
        elementCount: 150000  
        keyLength: 128      
        valueLength: 8Ki  

JSON limits will only be applied if the JSON parser in the CR Parser is enabled.

Size limits like bodySize, nameLength , etc., can be specified in bytes or in Kubernetes memory limit units.

  • Examples of Kubernetes memory limits:
  • 1k = 1'000 bytes
  • 1Ki = 1'024 bytes
  • 1M = 1'000'000 bytes
  • 1Mi = 1,048,576 bytes

See also the API Reference documentation link at the end of this article.

Threat handling mode settings

When a request causes a block due to reaching the request size limit in Block mode, it is possible that the total request size is not fully logged. For example, it can happen that the actual parameter name length is not part of the logging information because the request size limit has already been reached before and the request is already blocked. This behavior is to mitigate the risk of being vulnerable to DoS attacks.

Detailed limit violations can be logged with settings.threatHandlingMode: LogOnly.

See also the API Reference documentation link at the end of this article.

Reference in CR ContentSecurity

The CR Limits need to be referenced in the CR ContentSecurity.

     name: limits-sample   

Replace the name: in our example with the actual name from the metadata section of the respective Limits CR.

See also the API Reference documentation link at the end of this article.