AccessControl

microgateway.airlock.com/v1alpha1


AccessControl specifies the options to perform access control with a Microgateway Engine container.

apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControl
metadata:
  name: access-control-example
spec:
  policies:
    # Requests to /secure are only allowed if they satisfy the following conditions:
    # - user/client is authenticated via OIDC
    # - authenticated user has email ending in @company.com
    # - authenticated user has role admin
    - requestConditions:
        path:
          matcher:
            exact: /secure
      authorization:
        requireAll:
          - oidc:
              claim:
                name: email
                value:
                  matcher:
                    suffix: "@company.com"
          - oidc:
              claim:
                name: roles
                value:
                  matcher:
                    # Assuming roles claim is a JSON list, e.g. ["role1", "role2"].
                    contains: '"admin"'
        authentication:
          oidc:
            oidcRelyingPartyRef:
              name: oidc-example
      identityPropagation:
        actions:
          - identityPropagationRef:
              name: identity-propagation-example
        onFailure: Pass
    # Fallback policy: All other requests are allowed (authorization disabled).
    - authorization: {}
apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControl
metadata:
  name: default

AccessControl

Field Type Description Required Default Allowed Values
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata yes
spec object Specifies how the Airlock Microgateway Engine performs access control. yes

AccessControl.spec

Field Type Description Required Default Allowed Values
policies object[] Policies configures access control policies. The first matching policy (from top to bottom) applies. yes

AccessControl.spec.policies[]

Field Type Description Required Default Allowed Values
authorization object Authorization configures how requests are authorized. An empty object value {} disables authorization. yes
identityPropagation object IdentityPropagation configures how the authenticated user’s identity is communicated to the protected application. no
requestConditions object RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match. WARNING: There is currently a limitation that if authentication.oidc is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (pathMapping.logoutPath / pathMapping.redirectPath). no

AccessControl.spec.policies[].authorization

Field Type Description Required Default Allowed Values
authentication object Authentication specifies that clients need to be authenticated with the provided method. no oidc{}
deny object Deny specifies to deny access for all requests matching this policy. no
requireAll object[] RequireAll specifies conditions which must all be satisfied for the request to be authorized. no
requireAny object[] RequireAny specifies conditions of which at least one must be satisfied for the request to be authorized. no

AccessControl.spec.policies[].authorization.authentication

Field Type Description Required Default Allowed Values
oidc object OIDC configures client authentication using OpenID Connect. no

AccessControl.spec.policies[].authorization.authentication.oidc

Field Type Description Required Default Allowed Values
oidcRelyingPartyRef object OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. yes

AccessControl.spec.policies[].authorization.authentication.oidc.oidcRelyingPartyRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

AccessControl.spec.policies[].authorization.requireAll[]

Field Type Description Required Default Allowed Values
oidc object OIDC specifies a condition on the result of an OpenID Connect flow. yes

AccessControl.spec.policies[].authorization.requireAll[].oidc

Field Type Description Required Default Allowed Values
claim object Claim specifies a condition on a JWT claim. yes

AccessControl.spec.policies[].authorization.requireAll[].oidc.claim

Field Type Description Required Default Allowed Values
name string Name of the claim. yes
value object Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. no

AccessControl.spec.policies[].authorization.requireAll[].oidc.claim.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

AccessControl.spec.policies[].authorization.requireAll[].oidc.claim.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
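An added Python model (not Airlock code) of the claim-value and matcher rules described above for requireAll and requireAny: claims of primitive type or arrays of primitives are stringified, object or null claims never match, exactly one of exact/prefix/suffix/regex/contains is allowed, empty prefix/suffix/contains are rejected, and ignoreCase wraps a regex in (?i:...). It assumes authentication has already succeeded and the token claims are available as a dict, that an array claim is compared against its JSON text (the page's contains: '"admin"' example implies this), that a regex must match the whole string, and that Python's re stands in for RE2; it also generalises slightly by evaluating requireAny and deny alongside requireAll.

```python
# Added model of this page's claim-matching rules, not Airlock code. Assumptions: an array
# claim is matched as its JSON text (the page's contains: '"admin"' example implies this),
# a regex must match the whole string, and Python's re stands in for RE2.
import json
import re

def stringify_claim(value):
    """String the matcher sees, or None for unsupported types (object, null, nested list)."""
    if isinstance(value, bool):          # bool first: in Python, True is also an int
        return "true" if value else "false"
    if isinstance(value, (int, float, str)):
        return str(value)
    if isinstance(value, list) and all(isinstance(v, (int, float, str, bool)) for v in value):
        return json.dumps(value)         # ["role1", "admin"] -> '["role1", "admin"]'
    return None

def match_string(matcher, subject):
    """One of exact/prefix/suffix/regex/contains, honouring the page's ignoreCase rule."""
    kinds = [k for k in ("exact", "prefix", "suffix", "regex", "contains") if k in matcher]
    if len(kinds) != 1:
        raise ValueError("exactly one of exact, prefix, suffix, regex, contains must be set")
    kind, pattern = kinds[0], matcher[kinds[0]]
    if kind in ("prefix", "suffix", "contains") and pattern == "":
        raise ValueError(f"empty {kind} is not allowed, use regex instead")
    if kind == "regex":                  # ignoreCase wraps the expression in (?i:...)
        return re.fullmatch(f"(?i:{pattern})" if matcher.get("ignoreCase") else pattern, subject) is not None
    if matcher.get("ignoreCase"):
        pattern, subject = pattern.lower(), subject.lower()
    return {"exact": subject == pattern, "prefix": subject.startswith(pattern),
            "suffix": subject.endswith(pattern), "contains": pattern in subject}[kind]

def claim_condition(cond, claims):
    """Evaluate one requireAll/requireAny entry of the form {"oidc": {"claim": {...}}}."""
    claim = cond["oidc"]["claim"]
    if claim["name"] not in claims:
        return False
    if "value" not in claim:
        return True                      # no value given: existence of the claim suffices
    subject = stringify_claim(claims[claim["name"]])
    return subject is not None and match_string(claim["value"]["matcher"], subject)

def authorized(authorization, claims):
    """Apply a policy's authorization block: {} disables it, deny refuses everything."""
    if not authorization:
        return True
    if "deny" in authorization:
        return False
    all_ok = all(claim_condition(c, claims) for c in authorization.get("requireAll", []))
    any_conds = authorization.get("requireAny", [])
    return all_ok and (not any_conds or any(claim_condition(c, claims) for c in any_conds))
```

Note why the page quotes the role in contains: '"admin"': against the JSON text '["superadmin"]' the unquoted substring admin would match, the quoted one does not.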

AccessControl.spec.policies[].authorization.requireAny[]

Field Type Description Required Default Allowed Values
oidc object OIDC specifies a condition on the result of an OpenID Connect flow. yes

AccessControl.spec.policies[].authorization.requireAny[].oidc

Field Type Description Required Default Allowed Values
claim object Claim specifies a condition on a JWT claim. yes

AccessControl.spec.policies[].authorization.requireAny[].oidc.claim

Field Type Description Required Default Allowed Values
name string Name of the claim. yes
value object Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. no

AccessControl.spec.policies[].authorization.requireAny[].oidc.claim.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

AccessControl.spec.policies[].authorization.requireAny[].oidc.claim.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

AccessControl.spec.policies[].identityPropagation

Field Type Description Required Default Allowed Values
actions object[] Actions specifies the propagation actions. yes
onFailure enum OnFailure configures what should happen if an identity propagation fails. Meaning of the possible values: Pass: The request should be forwarded to the upstream, without including the information from the failed identity propagations. yes Pass

AccessControl.spec.policies[].identityPropagation.actions[]

Field Type Description Required Default Allowed Values
identityPropagationRef object IdentityPropagationRef selects an IdentityPropagation to apply. yes

AccessControl.spec.policies[].identityPropagation.actions[].identityPropagationRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

AccessControl.spec.policies[].requestConditions

Field Type Description Required Default Allowed Values
header object Header defines the matching headers of a request. no
invert bool Invert indicates whether the request condition should be inverted. no false true, false
mediaType object MediaType defines the matching media type from the content-type header of a request. no
method enum[] Method defines the matching methods of a request. no GET, HEAD, POST, PUT, PATCH, DELETE, CONNECT, OPTIONS, TRACE
path object Path defines the matching path of a request. no
remoteIP object RemoteIP defines the matching remote IPs of a request. no

AccessControl.spec.policies[].requestConditions.header

Field Type Description Required Default Allowed Values
name object Name defines the name of a header. no
value object Value defines the value of a header. no

AccessControl.spec.policies[].requestConditions.header.name

Field Type Description Required Default Allowed Values
matcher object Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. yes exact{}, prefix{}, suffix{}, regex{}, contains{}

AccessControl.spec.policies[].requestConditions.header.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

AccessControl.spec.policies[].requestConditions.header.value

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

AccessControl.spec.policies[].requestConditions.header.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

AccessControl.spec.policies[].requestConditions.mediaType

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

AccessControl.spec.policies[].requestConditions.mediaType.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

AccessControl.spec.policies[].requestConditions.path

Field Type Description Required Default Allowed Values
matcher object yes exact{}, prefix{}, suffix{}, regex{}, contains{}

AccessControl.spec.policies[].requestConditions.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
exact string Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. no

AccessControl.spec.policies[].requestConditions.remoteIP

Field Type Description Required Default Allowed Values
cidrRanges string[] CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. yes
invert bool Invert indicates whether the match should be inverted. no false true, false
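An added Python model (not Airlock code) of policy selection as described for spec.policies and requestConditions: the first policy from top to bottom whose request conditions match applies, a policy without conditions always matches, remoteIP.cidrRanges accepts IPv4 and IPv6 networks with invert flipping membership, and requestConditions.invert negates the whole condition. It assumes every configured property must match for the condition to hold; header and mediaType conditions, regex and ignoreCase path matching and the OIDC callback-path caveat are left out, and the 10.0.0.0/8 range and the /admin policy are constructed for the sample.

```python
# Added model of policy selection as this page describes it (the first matching policy, top to
# bottom, applies), not Airlock code. Assumptions: every configured request property must match
# for the condition to hold, and the header and mediaType conditions are not modelled here.
import ipaddress

def path_matches(matcher, path):
    """exact/prefix/suffix/contains path matching; regex and ignoreCase are left out here."""
    if "exact" in matcher:
        return path == matcher["exact"]
    if "prefix" in matcher:
        return path.startswith(matcher["prefix"])
    if "suffix" in matcher:
        return path.endswith(matcher["suffix"])
    return matcher["contains"] in path

def remote_ip_matches(cond, remote_ip):
    """cidrRanges holds IPv4/IPv6 networks; invert flips membership (page: remoteIP.invert)."""
    ip = ipaddress.ip_address(remote_ip)
    in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in cond["cidrRanges"])
    return in_range != bool(cond.get("invert", False))

def request_matches(conditions, request):
    """A policy without requestConditions always matches; invert negates the whole condition."""
    ok = True
    if "path" in conditions:
        ok = ok and path_matches(conditions["path"]["matcher"], request["path"])
    if "method" in conditions:
        ok = ok and request["method"] in conditions["method"]
    if "remoteIP" in conditions:
        ok = ok and remote_ip_matches(conditions["remoteIP"], request["remoteIP"])
    return ok != bool(conditions.get("invert", False))

def select_policy(policies, request):
    """Index of the first policy (top to bottom) whose conditions match, or None."""
    for i, policy in enumerate(policies):
        if request_matches(policy.get("requestConditions", {}), request):
            return i
    return None

# Constructed policy list: the page's /secure policy, an admin policy reachable only from an
# internal range (constructed 10.0.0.0/8), and the catch-all fallback. Order matters: putting
# the fallback first would shadow the two policies below it.
POLICIES = [
    {"requestConditions": {"path": {"matcher": {"exact": "/secure"}}},
     "authorization": {"requireAll": [{"oidc": {"claim": {"name": "email"}}}]}},
    {"requestConditions": {"path": {"matcher": {"prefix": "/admin"}},
                           "remoteIP": {"cidrRanges": ["10.0.0.0/8"], "invert": True}},
     "authorization": {"deny": {}}},
    {"authorization": {}},
]
```

Note that exact: /secure does not cover /secure/report, which therefore falls through to the unauthenticated fallback; use prefix when sub-paths must be protected.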