AccessControlPolicy
microgateway.airlock.com/v1alpha1
AccessControlPolicy is a Direct Attached Policy for the Kubernetes Gateway API. It specifies the options to perform access control with a Microgateway.
apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControlPolicy
metadata:
name: secured
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: backend
policies:
- requestConditions:
invert: true
remoteIP:
cidrRanges:
- 192.168.0.0/16
authorization:
deny: {}
- requestConditions:
path:
matcher:
regex: ^/test/
authorization:
requireAny:
- oidc:
claim:
name: roles
value:
matcher:
exact: admin
- oidc:
claim:
name: group
value:
matcher:
exact: superusers
authentication:
oidc:
oidcRelyingPartyRef:
name: test-1
identityPropagation:
actions:
- identityPropagationRef:
name: test-header-metadata
- identityPropagationRef:
name: test-header-oidc-accesstoken
onFailure: Pass
- requestConditions:
path:
matcher:
exact: /public
authorization: {}
- requestConditions:
path:
matcher:
regex:
^/api/
authorization:
requireAll:
- oidc:
claim:
name: name
- oidc:
claim:
name: email
value:
matcher:
suffix: "@company.com"
authentication:
oidc:
oidcRelyingPartyRef:
name: test-defaults
identityPropagation:
actions:
- identityPropagationRef:
name: test-header-oidc-idtoken
- identityPropagationRef:
name: test-bearertoken-oidc-accesstoken
onFailure: Pass
- requestConditions:
path:
matcher:
regex:
^/admin/
authorization:
requireAll:
- oidc:
claim:
name: name
value:
matcher:
exact: admin
- oidc:
claim:
name: email
value:
matcher:
suffix: "@company.com"
authentication:
oidc:
oidcRelyingPartyRef:
name: test-2
# configure token introspection with a probability of `0.1%` for the
# 'random' strategy i.e. for every request there is a
# 1 in 1000 chance that the request is being introspected
introspection:
strategy:
random:
probability: "0.1%"
identityPropagation:
actions:
- identityPropagationRef:
name: test-bearertoken-metadata
- identityPropagationRef:
name: test-bearertoken-oidc-idtoken
onFailure: Pass
- authorization:
deny: {}apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControlPolicy
metadata:
name: defaultAccessControlPolicy
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
metadata |
ObjectMeta | Refer to Kubernetes API documentation for fields of metadata |
yes | ||
| spec | object | Spec defines the desired state of AccessControlPolicy. | yes | ||
status |
PolicyStatus | Status defines the state of the AccessControlPolicy. | no |
AccessControlPolicy.spec
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| policies | object[] | Policies configures access control policies. The first matching policy (from top to bottom) applies. | yes | ||
targetRefs |
PolicyTargetReference[] | TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy. Support: HTTPRoute. |
yes |
AccessControlPolicy.spec.policies[]
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| authorization | object | Authorization configures how requests are authorized. An empty object value {} disables authorization. | yes | ||
| identityPropagation | object | IdentityPropagation configures how the authenticated user’s identity is communicated to the protected application. | no | ||
| requestConditions | object | RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match. WARNING: There is currently a limitation that if authentication.oidc is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (pathMapping.logoutPath / pathMapping.redirectPath). |
no |
AccessControlPolicy.spec.policies[].authorization
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| authentication | object | Authentication specifies that clients need to be authenticated with the provided method. | no | oidc{} |
|
| deny | object | Deny specifies to deny access for all requests matching this policy. | no | ||
| requireAll | object[] | RequireAll specifies conditions which must all be satisfied for the request to be authorized. | no | ||
| requireAny | object[] | RequireAny specifies conditions of which at least one must be satisfied for the request to be authorized. | no |
AccessControlPolicy.spec.policies[].authorization.authentication
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| oidc | object | OIDC configures client authentication using OpenID Connect. | no |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| introspection | object | Introspection configures how token introspection is performed. An empty object value {} defaults to the always strategy. | no | ||
| oidcRelyingPartyRef | object | OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. | yes |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| strategy | object | Strategy defines the behavior for token introspection. | no | always{...} |
always{}, random{} |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection.strategy
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| always | object | Always strategy defines a strategy for checking every request. | no | ||
| random | object | Random strategy defines a probabilistic strategy for checking the x-th request. |
no |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.introspection.strategy.random
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
probability |
string | Probability specifies the probability in % with which a request is selected to be introspected. A valid value for probability must be from the range: [ 0.01%,99.99%]. To introspect the token on every request the always strategy must be used. |
yes |
AccessControlPolicy.spec.policies[].authorization.authentication.oidc.oidcRelyingPartyRef
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
name |
string | Name of the resource | yes |
AccessControlPolicy.spec.policies[].authorization.requireAll[]
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| oidc | object | OIDC specifies a condition on the result of an OpenID Connect flow. | yes |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | object | Claim specifies a condition on a JWT claim. | yes |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc.claim
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
name |
string | Name of the claim. | yes | ||
| value | object | Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive ( number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. |
no |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc.claim.value
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAll[].oidc.claim.value.matcher
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
contains |
string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
exact |
string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
ignoreCase |
bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
no | false |
true, false |
prefix |
string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
regex |
string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
suffix |
string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no |
AccessControlPolicy.spec.policies[].authorization.requireAny[]
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| oidc | object | OIDC specifies a condition on the result of an OpenID Connect flow. | yes |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | object | Claim specifies a condition on a JWT claim. | yes |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc.claim
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
name |
string | Name of the claim. | yes | ||
| value | object | Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive ( number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. |
no |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc.claim.value
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].authorization.requireAny[].oidc.claim.value.matcher
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
contains |
string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
exact |
string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
ignoreCase |
bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
no | false |
true, false |
prefix |
string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
regex |
string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
suffix |
string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no |
AccessControlPolicy.spec.policies[].identityPropagation
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| actions | object[] | Actions specifies the propagation actions. | yes | ||
onFailure |
enum | OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: Pass: The request should be forwarded to the upstream, without including the information from the failed identity propagations. |
yes | Pass |
AccessControlPolicy.spec.policies[].identityPropagation.actions[]
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| identityPropagationRef | object | IdentityPropagationRef selects an IdentityPropagation to apply. | yes |
AccessControlPolicy.spec.policies[].identityPropagation.actions[].identityPropagationRef
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
name |
string | Name of the resource | yes |
AccessControlPolicy.spec.policies[].requestConditions
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | object | Header defines the matching headers of a request. | no | ||
invert |
bool | Invert indicates whether the request condition should be inverted. | no | false |
true, false |
| mediaType | object | MediaType defines the matching media type from the content-type header of a request. | no | ||
method |
enum[] | Method defines the matching methods of a request. | no | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
|
| path | object | Path defines the matching path of a request. | no | ||
| remoteIP | object | RemoteIP defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection. |
no |
AccessControlPolicy.spec.policies[].requestConditions.header
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | object | Name defines the name of a header. | no | ||
| value | object | Value defines the value of a header. | no |
AccessControlPolicy.spec.policies[].requestConditions.header.name
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.header.name.matcher
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
contains |
string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
exact |
string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
prefix |
string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
regex |
string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
suffix |
string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no |
AccessControlPolicy.spec.policies[].requestConditions.header.value
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.header.value.matcher
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
contains |
string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
exact |
string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
ignoreCase |
bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
no | false |
true, false |
prefix |
string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
regex |
string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
suffix |
string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no |
AccessControlPolicy.spec.policies[].requestConditions.mediaType
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.mediaType.matcher
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
contains |
string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
exact |
string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
prefix |
string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
regex |
string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
suffix |
string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no |
AccessControlPolicy.spec.policies[].requestConditions.path
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
AccessControlPolicy.spec.policies[].requestConditions.path.matcher
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
contains |
string | Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
exact |
string | Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
ignoreCase |
bool | IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
no | false |
true, false |
prefix |
string | Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
regex |
string | Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
no | ||
suffix |
string | Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
no |
AccessControlPolicy.spec.policies[].requestConditions.remoteIP
| Field | Type | Description | Required | Default | Allowed Values |
|---|---|---|---|---|---|
cidrRanges |
string[] | CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. |
yes | ||
invert |
bool | Invert indicates whether the match should be inverted. | no | false |
true, false |