ContentSecurityPolicy
microgateway.airlock.com/v1alpha1
ContentSecurityPolicy is a Direct Attached Policy for the Kubernetes Gateway API. It specifies the options to secure an upstream web application with a Microgateway.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurityPolicy
metadata:
  name: content-security-policy-example
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend
  secured:
    parserRef:
      name: parser-example
    limitsRef:
      name: limits-example
    headerRewritesRef:
      name: header-rewrites-example
    filter:
      denyRulesRef:
        name: deny-rules-example
    apiProtectionRef:
      name: api-protection-example
    csrfProtectionRef:
      name: csrf-protection-example
```

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurityPolicy
metadata:
  name: default
```
ContentSecurityPolicy
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata | yes | | |
spec | object | Spec defines the desired state of ContentSecurityPolicy. | yes | secured{...} | secured{}, unsecured{} |
status | PolicyStatus | Status defines the state of the ContentSecurityPolicy. | no | | |
ContentSecurityPolicy.spec
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
secured | object | Secured enables WAF processing for the routes attached to this policy. | no | | |
targetRefs | PolicyTargetReference[] | TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy. Support: HTTPRoute. | yes | | |
unsecured | object | Unsecured disables all WAF functionality and therefore protection for the routes attached to this policy. WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. | no | | |
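An added example (not Airlock's code): an audit over ContentSecurityPolicy objects in JSON form that flags `unsecured` policies, target kinds other than HTTPRoute, and references that fall back to default settings. The function names and the sample policies are constructed for illustration.

```python
import json

# Optional references under spec.secured, taken from the field tables on this page.
SECURED_REFS = ("parserRef", "limitsRef", "headerRewritesRef", "apiProtectionRef", "csrfProtectionRef")

def audit_policy(policy):
    """Return (severity, message) findings for one ContentSecurityPolicy object."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    spec = policy.get("spec") or {}
    targets = spec.get("targetRefs") or []
    findings = []
    if not targets:
        findings.append(("error", f"{name}: required field targetRefs is missing or empty"))
    for ref in targets:
        if ref.get("kind") != "HTTPRoute":  # the page lists HTTPRoute as the supported kind
            findings.append(("error", f"{name}: unsupported target kind {ref.get('kind')}"))
    if "unsecured" in spec:  # WAF processing is off for every attached route
        routes = ", ".join(ref.get("name", "?") for ref in targets) or "<none>"
        findings.append(("high", f"{name}: WAF disabled for {routes}"))
        return findings
    secured = spec.get("secured") or {}
    defaults = [r for r in SECURED_REFS if r not in secured]
    if "denyRulesRef" not in (secured.get("filter") or {}):
        defaults.append("filter.denyRulesRef")
    if defaults:
        findings.append(("info", f"{name}: default settings used for {', '.join(defaults)}"))
    return findings

# Constructed sample input (not from the page): three policies in JSON form.
SAMPLE = json.loads("""[
 {"metadata": {"name": "full"}, "spec": {
   "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "HTTPRoute", "name": "backend"}],
   "secured": {"parserRef": {"name": "p"}, "limitsRef": {"name": "l"},
     "headerRewritesRef": {"name": "h"}, "apiProtectionRef": {"name": "a"},
     "csrfProtectionRef": {"name": "c"}, "filter": {"denyRulesRef": {"name": "d"}}}}},
 {"metadata": {"name": "legacy"}, "spec": {
   "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "HTTPRoute", "name": "legacy-app"}], "unsecured": {}}},
 {"metadata": {"name": "partial"}, "spec": {
   "targetRefs": [{"group": "gateway.networking.k8s.io", "kind": "Gateway", "name": "edge"}],
   "secured": {"parserRef": {"name": "p"}}}}
]""")

def audit_all(policies):
    """Map each policy name to its list of findings."""
    return {p["metadata"]["name"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings)
```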
ContentSecurityPolicy.spec.secured
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
apiProtectionRef | object | APIProtectionRef defines the relevant configurations to protect multiple APIs on different paths. If undefined, default settings are applied, designed to work with most upstream web application services. | no | | |
csrfProtectionRef | object | CSRFProtectionRef selects the relevant CSRF configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | no | | |
filter | object | Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests to protect against various attack patterns. If undefined, default settings are applied, designed to work with most upstream web application services. | no | | |
headerRewritesRef | object | HeaderRewritesRef selects the relevant HeaderRewrites. If undefined, default settings are applied, designed to work with most upstream web application services. | no | | |
limitsRef | object | LimitsRef selects the relevant Limits configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | no | | |
parserRef | object | ParserRef selects the relevant Parser configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | no | | |
ContentSecurityPolicy.spec.secured.apiProtectionRef
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |
ContentSecurityPolicy.spec.secured.csrfProtectionRef
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |
ContentSecurityPolicy.spec.secured.filter
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
denyRulesRef | object | DenyRulesRef selects the relevant DenyRules configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | no | | |
ContentSecurityPolicy.spec.secured.filter.denyRulesRef
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |
ContentSecurityPolicy.spec.secured.headerRewritesRef
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |
ContentSecurityPolicy.spec.secured.limitsRef
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |
ContentSecurityPolicy.spec.secured.parserRef
Field | Type | Description | Required | Default | Allowed Values |
---|---|---|---|---|---|
name | string | Name of the resource | yes | | |