Limits

microgateway.airlock.com/v1alpha1


Limits contains the configuration for limits.

apiVersion: microgateway.airlock.com/v1alpha1
kind: Limits
metadata:
  name: limits-example
spec:
  settings:
    threatHandlingMode: Block
  request:
    limited:
      general:
        # Reduce the parsed body size to '10Ki' to increase security.
        bodySize: 10Ki
        pathLength: 1Ki
      parameter:
        count: 128
        nameLength: 128
        # Reduce the maximum length to '1Ki'.
        valueLength: 1Ki
      json:
        nestingDepth: 100
        keyCount: 250
        elementCount: 150000
        keyLength: 128
        valueLength: 8Ki
      exceptions:
        # Length exception for the JSON attribute $.logo when the path has prefix /project/
        - length:
            json:
              jsonPath: "$.logo"
          requestConditions:
            path:
              matcher:
                prefix: /project/
        # Length exception for the post parameter txtbdy
        - length:
            parameter:
              name:
                matcher:
                  exact: txtbdy
              source: Post
apiVersion: microgateway.airlock.com/v1alpha1
kind: Limits
metadata:
  name: default
spec: 
  settings: 
    threatHandlingMode: Block
  request: 
    limited: 
      general: 
        bodySize: "100Ki"
        pathLength: "1Ki"
      parameter: 
        count: 128
        nameLength: "128"
        valueLength: "8Ki"
      json: 
        nestingDepth: 100
        keyCount: 250
        elementCount: 10000
        keyLength: "128"
        valueLength: "8Ki"

Limits

Field Type Description Required Default Allowed Values
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata yes
spec object Specification of the desired limits behavior. no

Limits.spec

Field Type Description Required Default Allowed Values
request object Request defines the limits for requests. no limited{...} unlimited{}, limited{}
settings object Settings configures the limits filter. no

Limits.spec.request

Field Type Description Required Default Allowed Values
limited object Limited enables limits on request scope. no
unlimited object Unlimited disables all limits on request scope. no

Limits.spec.request.limited

Field Type Description Required Default Allowed Values
exceptions object[] Exceptions defines limit exceptions. no
general object General defines general request limits. no
json object JSON defines the limits for JSON requests. no
parameter object Parameter defines the limits for request parameters. no

Limits.spec.request.limited.exceptions[]

Field Type Description Required Default Allowed Values
length object Length defines an exception for length limits based on the data element exceeding the limit. no parameter{}, json{}
requestConditions object RequestConditions defines additional request properties which must be matched in order for this exception to apply. no

Limits.spec.request.limited.exceptions[].length

Field Type Description Required Default Allowed Values
json object JSON defines a key and value length limit exception for a JSON property. no
parameter object Parameter defines a name and value length limit exception for a parameter. no

Limits.spec.request.limited.exceptions[].length.json

Field Type Description Required Default Allowed Values
jsonPath string JSONPath restricts the exception to JSON properties with a matching JSONPath.
Expressions in JSONPath i.e. ?(expr) are not supported.
yes

Limits.spec.request.limited.exceptions[].length.parameter

Field Type Description Required Default Allowed Values
name object Name restricts the exception to parameters with a matching name. yes
source enum Source restricts the exception to parameters of this kind. no Any Query, Post, Any

Limits.spec.request.limited.exceptions[].length.parameter.name

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

Limits.spec.request.limited.exceptions[].length.parameter.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no

Limits.spec.request.limited.exceptions[].requestConditions

Field Type Description Required Default Allowed Values
header object Header defines the matching headers of a request. no
invert bool Invert indicates whether the request condition should be inverted. no false true, false
mediaType object MediaType defines the matching media type from the content-type header of a request. no
method enum[] Method defines the matching methods of a request. no GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE
path object Path defines the matching path of a request. no
remoteIP object RemoteIP defines the matching remote IPs of a request. no

Limits.spec.request.limited.exceptions[].requestConditions.header

Field Type Description Required Default Allowed Values
name object Name defines the name of a header. no
value object Value defines the value of a header. no

Limits.spec.request.limited.exceptions[].requestConditions.header.name

Field Type Description Required Default Allowed Values
matcher object Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. yes exact{}, prefix{}, suffix{}, regex{}, contains{}

Limits.spec.request.limited.exceptions[].requestConditions.header.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no

Limits.spec.request.limited.exceptions[].requestConditions.header.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

Limits.spec.request.limited.exceptions[].requestConditions.header.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no

Limits.spec.request.limited.exceptions[].requestConditions.mediaType

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

Limits.spec.request.limited.exceptions[].requestConditions.mediaType.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no

Limits.spec.request.limited.exceptions[].requestConditions.path

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

Limits.spec.request.limited.exceptions[].requestConditions.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
no

Limits.spec.request.limited.exceptions[].requestConditions.remoteIP

Field Type Description Required Default Allowed Values
cidrRanges string[] CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. yes
invert bool Invert indicates whether the match should be inverted. no false true, false

Limits.spec.request.limited.general

Field Type Description Required Default Allowed Values
bodySize Quantity BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective only for requests that are parsed (e.g. JSON data). File uploads are not affected by this limit. no 100Ki
pathLength Quantity PathLength defines the maximum path length for requests. no 1Ki

Limits.spec.request.limited.json

Field Type Description Required Default Allowed Values
elementCount uint64 ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). no 10000 [0, 18446744073709551615]
keyCount uint64 KeyCount defines the maximum number of keys of a single JSON object (non-recursive). no 250 [0, 18446744073709551615]
keyLength Quantity KeyLength defines the maximum length for JSON keys. no 128
nestingDepth uint64 NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. no 100 [0, 18446744073709551615]
valueLength Quantity ValueLength defines the maximum length for JSON values. no 8Ki

Limits.spec.request.limited.parameter

Field Type Description Required Default Allowed Values
count uint64 Count defines the maximum number of request parameters. no 128 [0, 18446744073709551615]
nameLength Quantity NameLength defines the maximum length for parameter names. no 128
valueLength Quantity ValueLength defines the maximum length for parameter values. no 8Ki

Limits.spec.settings

Field Type Description Required Default Allowed Values
threatHandlingMode enum ThreatHandlingMode specifies how threats should be handled when a limit hits. no Block Block, LogOnly