LogMaskingPolicy

microgateway.airlock.com/v1alpha1


LogMaskingPolicy is a Direct Attached Policy for the Kubernetes Gateway API.
It defines rules for masking sensitive data before it is written to logs.

apiVersion: microgateway.airlock.com/v1alpha1
kind: LogMaskingPolicy
metadata:
  name: log-masking-policy-example
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend
  request:
    fieldCategories:
      - Credentials
    parameters:
      - name:
          matcher:
            exact: birthdate
      - name:
          matcher:
            exact: gender
    headers:
      - name:
          matcher:
            regex: ^X-MY-TOKEN-[A-Z0-9]+$

LogMaskingPolicy

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | | |
| spec | defines the desired log masking configuration. | object | yes | | |
| status | describes the current status of the LogMaskingPolicy. | PolicyStatus | no | | |

LogMaskingPolicy.spec

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| request | specifies log masking rules that are applied to HTTP request data. | object | no | | |
| targetRefs | are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy. Support: HTTPRoute. | LocalPolicyTargetReference[] | yes | | |

LogMaskingPolicy.spec.request

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| fieldCategories | specifies built-in groups of request fields whose values must be masked before being written to logs. If not specified, the default categories [“Credentials”, “Tokens”] are applied. The names covered by each category are listed below this table. | enum[] | no | | Credentials, Tokens |
| headers | specifies matchers for HTTP request headers whose values must be masked before being written to logs. | object[] | no | | |
| parameters | specifies matchers for request parameters whose values must be masked before being written to logs. | object[] | no | | |

Credentials masks parameters with the name:
  • password
  • passphrase
  • passwd
  • pwd

Tokens masks headers with the name:
  • Authorization
  • Proxy-Authorization
  • AccessToken
  • Access-Token
  • X-AccessToken
  • X-Access-Token
  • API-Key
  • X-API-Key
  • APIToken
  • API-Token
  • X-APIToken
  • X-API-Token
  • AuthToken
  • Auth-Token
  • X-AuthToken
  • X-Auth-Token
  • Client-Cert
  • X-Client-Cert
  • CSRFToken
  • CSRF-Token
  • X-CSRFToken
  • X-CSRF-Token
  • XSRFToken
  • XSRF-Token
  • X-XSRFToken
  • X-XSRF-Token
  • DPoP
  • RequestVerificationToken
  • RequestVerification-Token
  • X-RequestVerificationToken
  • X-RequestVerification-Token

LogMaskingPolicy.spec.request.headers[]

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | defines the name of a header. | object | no | | |
| value | defines the value of a header. | object | no | | |

LogMaskingPolicy.spec.request.headers[].name

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

LogMaskingPolicy.spec.request.headers[].name.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

LogMaskingPolicy.spec.request.headers[].value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

LogMaskingPolicy.spec.request.headers[].value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

LogMaskingPolicy.spec.request.parameters[]

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | defines the name of a parameter. | object | no | | |
| value | defines the value of a parameter. | object | no | | |

LogMaskingPolicy.spec.request.parameters[].name

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

LogMaskingPolicy.spec.request.parameters[].name.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

LogMaskingPolicy.spec.request.parameters[].value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

LogMaskingPolicy.spec.request.parameters[].value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
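
The constraints stated in the tables above (one match kind per matcher, no empty contains/prefix/suffix, ignoreCase defaulting to false, category defaults applying only when fieldCategories is not specified) can be checked before a policy is applied. The following Python linter is an added example, not part of the Airlock documentation or product; `lint_policy`, `lint_matcher` and `SAMPLE_SPEC` are hypothetical names, and the sample input is constructed from the example policy at the top of this page plus one deliberately invalid rule.

```python
# Added example, not Airlock code: lints a LogMaskingPolicy spec (as a dict)
# against the constraints stated in the field reference above.
MATCH_KINDS = ("exact", "prefix", "suffix", "regex", "contains")
DEFAULT_CATEGORIES = {"Credentials", "Tokens"}  # used only if fieldCategories is unset


def lint_matcher(path, matcher, name_of_parameter):
    findings = []
    kinds = [k for k in MATCH_KINDS if k in matcher]
    if len(kinds) > 1:
        findings.append(f"error {path}: only one of {MATCH_KINDS} can be set, got {kinds}")
    for kind in ("contains", "prefix", "suffix"):
        if matcher.get(kind) == "":
            findings.append(f"error {path}: empty {kind} is not allowed, use regex")
    # Parameter names are matched case-sensitively unless ignoreCase is true;
    # header names are always matched ignoring case.
    if name_of_parameter and not matcher.get("ignoreCase", False):
        findings.append(f"warn {path}: case-sensitive name match (ignoreCase defaults to false)")
    return findings


def lint_policy(spec):
    request = spec.get("request", {})
    findings = []
    categories = request.get("fieldCategories")
    if categories is not None:
        for missing in sorted(DEFAULT_CATEGORIES - set(categories)):
            findings.append(f"warn request.fieldCategories: {missing} not listed; "
                            "defaults apply only when the field is not specified")
    for section in ("headers", "parameters"):
        for i, rule in enumerate(request.get(section, [])):
            for part in ("name", "value"):
                if part in rule:
                    path = f"request.{section}[{i}].{part}.matcher"
                    is_param_name = section == "parameters" and part == "name"
                    findings += lint_matcher(path, rule[part].get("matcher", {}), is_param_name)
    return findings


# Constructed input: the spec.request from the example at the top of this page,
# plus one deliberately invalid header rule (headers[1]) added for illustration.
SAMPLE_SPEC = {"request": {
    "fieldCategories": ["Credentials"],
    "parameters": [{"name": {"matcher": {"exact": "birthdate"}}},
                   {"name": {"matcher": {"exact": "gender"}}}],
    "headers": [{"name": {"matcher": {"regex": "^X-MY-TOKEN-[A-Z0-9]+$"}}},
                {"value": {"matcher": {"prefix": "", "regex": "^Bearer "}}}],
}}

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_SPEC)))
```

For the page's own example rules, the linter reports that Tokens is not listed in fieldCategories and that the birthdate and gender parameter names are matched case-sensitively.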