ICAPPolicy

microgateway.airlock.com/v1alpha1


ICAPPolicy is a Direct Attached Policy for the Kubernetes Gateway API.
It defines a rule-based policy for enforcing request filtering via ICAP.

apiVersion: microgateway.airlock.com/v1alpha1
kind: ICAPPolicy
metadata:
  name: icap-policy-example
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend
  policies:
    - requestConditions:
        path:
          matcher:
            exact: /upload/file
      request:
        actions:
          - icapProviderRef:
              name: av-scan
            onError: Block

ICAPPolicy

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | | |
| spec | defines the desired ICAP. | object | yes | | |
| status | describes the current status of the ICAP policy. | PolicyStatus | no | | |

ICAPPolicy.spec

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| policies | configures ICAP policies. The first matching policy (from top to bottom) applies. | object[] | yes | | |
| targetRefs | are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy. Support: HTTPRoute. | LocalPolicyTargetReference[] | yes | | |

ICAPPolicy.spec.policies[]

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| request | configures ICAP processing for requests. | object | no | | |
| requestConditions | defines additional request properties which must all be matched in order for this policy to apply. A policy without request conditions will always match. | object | no | | |

ICAPPolicy.spec.policies[].request

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| actions | specifies the chain of ICAP actions to execute. Note: Currently, only a single action is supported per policy. | object[] | yes | | |

ICAPPolicy.spec.policies[].request.actions[]

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| icapProviderRef | selects the ICAP provider to use for this action. | object | yes | | |
| onError | specifies the behavior for a request if an unexpected error occurs while connecting to the ICAP server or during ICAP processing. Note: Certain errors during ICAP processing are not recoverable; in such cases the request will always be blocked regardless of this setting. Possible values: Block: The current request is blocked. Pass: Request processing continues as if the ICAP action had succeeded. | enum | no | Block | Block, Pass |

ICAPPolicy.spec.policies[].request.actions[].icapProviderRef

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ICAPPolicy.spec.policies[].requestConditions

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | defines the matching headers of a request. | object | no | | |
| invert | indicates whether the request condition should be inverted. | bool | no | false | true, false |
| mediaType | defines the matching media type from the content-type header of a request. | object | no | | |
| method | defines the matching methods of a request. | enum[] | no | | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
| path | defines the matching path of a request. | object | no | | |
| remoteIP | defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the GatewayParameters resource to ensure correct client IP detection. | object | no | | |

ICAPPolicy.spec.policies[].requestConditions.header

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | defines the name of a header. | object | no | | |
| value | defines the value of a header. | object | no | | |

ICAPPolicy.spec.policies[].requestConditions.header.name

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

ICAPPolicy.spec.policies[].requestConditions.header.name.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

ICAPPolicy.spec.policies[].requestConditions.header.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

ICAPPolicy.spec.policies[].requestConditions.header.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

ICAPPolicy.spec.policies[].requestConditions.mediaType

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

ICAPPolicy.spec.policies[].requestConditions.mediaType.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

ICAPPolicy.spec.policies[].requestConditions.path

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

ICAPPolicy.spec.policies[].requestConditions.path.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

ICAPPolicy.spec.policies[].requestConditions.remoteIP

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | string[] | yes | | |
| invert | indicates whether the match should be inverted. | bool | no | false | true, false |
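
The rules in the field descriptions above (first matching policy applies, a policy without request conditions always matches, a single action per policy, one matcher kind at a time, no empty prefix/suffix/contains, and the fail-open effect of onError: Pass) can be checked before a manifest is applied. The following Python is an added example, not part of the Airlock documentation or product; the function names and the sample manifest are constructed for illustration.

```python
# Added example: static checks for an ICAPPolicy manifest, using only the
# rules stated in the field tables above. Function names are hypothetical.
MATCH_KINDS = ("exact", "prefix", "suffix", "regex", "contains")
NO_EMPTY = ("prefix", "suffix", "contains")  # empty values must use regex instead

def lint_matcher(where, matcher):
    out = []
    kinds = [k for k in MATCH_KINDS if k in matcher]
    if len(kinds) > 1:
        out.append(f"{where}: only one of {'/'.join(MATCH_KINDS)} can be set, found {kinds}")
    out += [f"{where}: empty {k} is not allowed, use regex"
            for k in kinds if k in NO_EMPTY and matcher[k] == ""]
    return out

def lint_icap_policy(resource):
    out, catch_all = [], None
    for i, pol in enumerate(resource["spec"]["policies"]):
        where = f"policies[{i}]"
        if catch_all is not None:  # first match wins, so later entries never apply
            out.append(f"{where}: unreachable, policies[{catch_all}] has no requestConditions")
        cond = pol.get("requestConditions") or {}
        if not cond and catch_all is None:
            catch_all = i
        targets = {f: cond.get(f) for f in ("path", "mediaType")}
        targets.update({f"header.{p}": cond.get("header", {}).get(p) for p in ("name", "value")})
        for field, obj in targets.items():
            if obj:
                out += lint_matcher(f"{where}.requestConditions.{field}.matcher", obj.get("matcher", {}))
        actions = pol.get("request", {}).get("actions", [])
        if len(actions) > 1:
            out.append(f"{where}.request.actions: only a single action is supported per policy")
        for j, act in enumerate(actions):
            if act.get("onError", "Block") == "Pass":  # default is Block
                out.append(f"{where}.request.actions[{j}]: onError is Pass, processing "
                           "continues as if the ICAP action had succeeded on errors")
    return out

def av(**extra):  # constructed action referencing the page's av-scan provider
    return {"icapProviderRef": {"name": "av-scan"}, **extra}

# Constructed sample manifest (as a dict) with deliberate mistakes.
SAMPLE = {"spec": {"policies": [
    {"requestConditions": {"path": {"matcher": {"exact": "/upload/file", "prefix": "/upload/"}}},
     "request": {"actions": [av(onError="Pass")]}},
    {"request": {"actions": [av()]}},  # no conditions: always matches
    {"requestConditions": {"mediaType": {"matcher": {"prefix": ""}}},
     "request": {"actions": [av()]}},
]}}

if __name__ == "__main__":
    print("\n".join(lint_icap_policy(SAMPLE)))
```

A manifest loaded from YAML into a dict can be passed to `lint_icap_policy` unchanged; an empty result means none of these checks fired.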