AccessControl

microgateway.airlock.com/v1alpha1

AccessControl defines a rule-based policy for enforcing authentication, authorization and performing identity propagation.

apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControl
metadata:
  name: access-control-example
spec:
  policies:
    # Requests to /secure are only allowed if they satisfy the following conditions:
    # - user/client is authenticated via OIDC
    # - authenticated user has email ending in @company.com
    # - authenticated user has role admin
    - requestConditions:
        path:
          matcher:
            exact: /secure
      authorization:
        requireAll:
          - oidc:
              claim:
                name: email
                value:
                  matcher:
                    suffix: "@company.com"
          - oidc:
              claim:
                name: roles
                value:
                  matcher:
                    # Assuming roles claim is a JSON list, e.g. ["role1", "role2"].
                    contains: '"admin"'
        authentication:
          oidc:
            oidcRelyingPartyRef:
              name: oidc-example
            # Enable token introspection with a random strategy to limit the number of introspection requests.
            # I.e., for a particular session, every request has a 1 in 1000 chance of being introspected.
            introspection:
              strategy:
                random:
                  probability: "0.1%"
      tokenExchange:
        onFailure: Block
        actions:
          - tokenExchangeRef:
              name: token-exchange-example
      identityPropagation:
        actions:
          - identityPropagationRef:
              name: identity-propagation-example
        onFailure: Pass
    # Requests to /api need to be authenticated via JWT and mTLS.
    - requestConditions:
        path:
          matcher:
            prefix: /api
      authorization:
        requireAll:
          - jwt:
              claim:
                name: sub
                value:
                  matcher:
                    prefix: "/group/a/"
          - clientCertificate:
              # API should only be accessible with specific client certificates.
              hash:
                in:
                  values:
                  - "69e4caf01b2b3490cd938b053274a2c9001c45c21b2cb58e3612c550568a42ca"
                  - "df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a"
          - clientCertificate:
              subject:
                field: Organization
                value:
                  matcher:
                    exact: "Company"
          - clientCertificate:
              san:
                type: Email
                value:
                  matcher:
                    suffix: "@company.com"
        authentication:
          jwt:
            jwtRef:
              name: jwt-example
    - requestConditions:
        path:
          matcher:
            exact: /secure-v2
      authorization:
        requireAll:
          - oidc:
              claim:
                name: email
                value:
                  matcher:
                    suffix: "@company.com"
          - oidc:
              claim:
                name: roles
                value:
                  matcher:
                    # Assuming roles claim is a JSON list, e.g. ["role1", "role2"].
                    contains: '"admin"'
        authentication:
          oidc:
            oidcRelyingPartyRef:
              name: oidc-example
            # Enable token introspection with a periodic strategy to limit the number of introspection requests.
            # I.e., for a particular session, requests arriving within 60s after the previous introspection call will not be introspected.
            introspection:
              strategy:
                periodic:
                  period: '60s'
    # Fallback policy: All other requests are allowed (authorization disabled).
    - authorization: {}

AccessControl

Field Description Type Required Default Allowed Values
metadata defines the resource’s metadata ObjectMeta yes
spec defines the desired access control configuration. object yes

AccessControl.spec

Field Description Type Required Default Allowed Values
policies configures access control policies. The first matching policy (from top to bottom) applies. object[] yes

AccessControl.spec.policies[]

Field Description Type Required Default Allowed Values
authorization configures how requests are authorized. An empty object value {} disables authorization. object yes
identityPropagation configures how the authenticated user’s identity is communicated to the protected application. object no
requestConditions defines additional request properties which must all be matched in order for this policy to apply. A policy without request conditions will always match.

WARNING: There is currently a limitation that if authentication.oidc is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (pathMapping.logoutPath / pathMapping.redirectPath).
object no
tokenExchange configures how downstream authentication tokens (e.g. JWT or OIDC Access Token) are exchanged with an OAuth2 Token Exchange Server. object no
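The following added example (not part of the Airlock Microgateway documentation or code) models the first-match policy selection described above and uses it to check the warning in the requestConditions row: the OIDC callback and logout paths must be routed to the same policy that carries authentication.oidc. The OIDCRelyingParty pathMapping values are not shown on this page, so the callback and logout paths below are assumed placeholders.

```python
"""Minimal model of first-match policy selection (added example, not project code).

Assumptions: only the exact and prefix path matchers used in the page's example
are modelled, and the OIDC redirect/logout paths are placeholders."""


def path_matches(matcher, path):
    """Evaluate a requestConditions.path.matcher against a request path."""
    if "exact" in matcher:
        return path == matcher["exact"]
    if "prefix" in matcher:
        return path.startswith(matcher["prefix"])
    raise ValueError("unsupported path matcher in this model")


def select_policy(policies, path):
    """Index of the first policy (top to bottom) whose requestConditions match.

    A policy without requestConditions always matches; None if nothing matches."""
    for index, policy in enumerate(policies):
        conditions = policy.get("requestConditions")
        if conditions is None or path_matches(conditions["path"]["matcher"], path):
            return index
    return None


def oidc_paths_outside_policy(policies, policy_index, oidc_paths):
    """Names of the OIDCRelyingParty paths NOT handled by policies[policy_index].

    Any name returned here means the OIDC flow for that policy cannot complete,
    because the callback or logout request is evaluated by a different policy."""
    return sorted(name for name, path in oidc_paths.items()
                  if select_policy(policies, path) != policy_index)


def build_policies(path_matcher):
    """Constructed policy list: the /secure policy of the page's example with the
    given path matcher, followed by the page's fallback policy (authorization {})."""
    return [
        {"requestConditions": {"path": {"matcher": path_matcher}},
         "authorization": {"authentication": {"oidc": {
             "oidcRelyingPartyRef": {"name": "oidc-example"}}}}},
        {"authorization": {}},  # fallback: authorization disabled
    ]


# Placeholder values: the page does not show the OIDCRelyingParty's pathMapping,
# so these redirectPath/logoutPath values are assumed for the demonstration.
OIDC_PATHS = {"redirectPath": "/secure/oidc/callback", "logoutPath": "/secure/logout"}

if __name__ == "__main__":
    for matcher in ({"exact": "/secure"}, {"prefix": "/secure"}):
        missing = oidc_paths_outside_policy(build_policies(matcher), 0, OIDC_PATHS)
        print(matcher, "-> OIDC paths handled by another policy:", missing or "none")
```

With `exact: /secure` (as in the page's example) the callback and logout requests fall through to the fallback policy, where no OIDC authentication is configured; a `prefix` matcher covering those paths keeps them on the OIDC policy.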

AccessControl.spec.policies[].authorization

Field Description Type Required Default Allowed Values
authentication specifies that clients need to be authenticated with the provided method. object no jwt{}, oidc{}
deny specifies to deny access for all requests matching this policy. object no {}
requireAll specifies conditions which must all be satisfied for the request to be authorized. object[] no
requireAny specifies conditions of which at least one must be satisfied for the request to be authorized. object[] no

AccessControl.spec.policies[].authorization.authentication

Field Description Type Required Default Allowed Values
jwt configures client authentication using JWT. object no
oidc configures client authentication using OpenID Connect. object no

AccessControl.spec.policies[].authorization.authentication.jwt

Field Description Type Required Default Allowed Values
jwtRef selects the JWT configuration to apply. object yes

AccessControl.spec.policies[].authorization.authentication.jwt.jwtRef

Field Description Type Required Default Allowed Values
name of the resource string yes

AccessControl.spec.policies[].authorization.authentication.oidc

Field Description Type Required Default Allowed Values
introspection configures how token introspection is performed. An empty object value {} defaults to the always strategy. object no
oidcRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. object yes

AccessControl.spec.policies[].authorization.authentication.oidc.introspection

Field Description Type Required Default Allowed Values
strategy defines the behavior for token introspection. object no always{...} always{}, periodic{}, random{}

AccessControl.spec.policies[].authorization.authentication.oidc.introspection.strategy

Field Description Type Required Default Allowed Values
always strategy defines a strategy for checking every request. object no
periodic strategy defines a time-based strategy for checking requests.
Introspection is non-blocking; concurrent requests proceed without delay.
object no
random strategy defines a probabilistic strategy that selects requests for checking at random.
Introspection is non-blocking; concurrent requests proceed without delay.
object no

AccessControl.spec.policies[].authorization.authentication.oidc.introspection.strategy.always

Field Description Type Required Default Allowed Values
onError specifies the behavior for a request if the token introspection returns an error, e.g., timeouts or 5xx errors.
Block: The current in-flight request is blocked.
InvalidateToken: Behaves as if the token introspection had returned false. The current token is invalidated and a new token is requested.
Pass: Behaves as if the token introspection had returned true.
enum no Block Block, InvalidateToken, Pass

AccessControl.spec.policies[].authorization.authentication.oidc.introspection.strategy.periodic

Field Description Type Required Default Allowed Values
onError specifies the behavior for a request if the token introspection returns an error, e.g., timeouts or 5xx errors.
InvalidateToken: Behaves as if the token introspection had returned false. The current token is invalidated and a new token is requested.
Pass: Behaves as if the token introspection had returned true.
enum no InvalidateToken InvalidateToken, Pass
period specifies the minimum time interval between token introspections for requests part of the same session. Once the interval has elapsed, introspection will be performed for the next request in the session.
Must be >= ‘1s’.
string (duration) yes

AccessControl.spec.policies[].authorization.authentication.oidc.introspection.strategy.random

Field Description Type Required Default Allowed Values
onError specifies the behavior for a request if the token introspection returns an error, e.g., timeouts or 5xx errors.
InvalidateToken: Behaves as if the token introspection had returned false. The current token is invalidated and a new token is requested.
Pass: Behaves as if the token introspection had returned true.
enum no InvalidateToken InvalidateToken, Pass
probability specifies the probability in % with which a request is selected to be introspected.
A valid value for probability must be from the range: [0.01%,99.99%].
To introspect the token on every request the always strategy must be used.
string yes

AccessControl.spec.policies[].authorization.authentication.oidc.oidcRelyingPartyRef

Field Description Type Required Default Allowed Values
name of the resource string yes

AccessControl.spec.policies[].authorization.requireAll[]

Field Description Type Required Default Allowed Values
clientCertificate specifies a condition on the presented client certificate.
If no client certificate is presented, the condition is never satisfied.
object no hash{}, issuer{}, san{}, subject{}
jwt specifies a condition on the JWT. object no
oidc specifies a condition on the result of an OpenID Connect flow. object no
tokenExchange specifies a condition on the exchanged token. object no

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate

Field Description Type Required Default Allowed Values
hash specifies a condition on the SHA256 hash/fingerprint of the DER encoded presented client certificate. object no
issuer specifies a condition on the issuer fields of the presented client certificate.
Note: For security reasons, only client certificates passing TLS validation can satisfy this condition.
object no
san specifies a condition on the subject alternative names of the presented client certificate.
Note: For security reasons, only client certificates passing TLS validation can satisfy this condition.
object no
subject specifies a condition on the subject fields of the presented client certificate.
Note: For security reasons, only client certificates passing TLS validation can satisfy this condition.
object no

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.hash

Field Description Type Required Default Allowed Values
in specifies that the hash must match one of these values. object yes values{}, valuesFrom{}

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.hash.in

Field Description Type Required Default Allowed Values
values is a list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). string[] no
valuesFrom selects the source from which to extract the list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). object no

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.hash.in.valuesFrom

Field Description Type Required Default Allowed Values
configMapRef defines the reference to a ConfigMap containing a list of hex-encoded SHA-256 hashes under the key ‘fingerprints.txt’. Each line represents one fingerprint; blank lines and comments beginning with ‘#’ are ignored. object yes

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.hash.in.valuesFrom.configMapRef

Field Description Type Required Default Allowed Values
name of the resource string yes

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.issuer

Field Description Type Required Default Allowed Values
field selects the issuer field to match. enum yes CommonName, Country, Locality, Organization, OrganizationalUnit, State
value which the selected issuer field must match.
If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match.
object yes

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.issuer.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.issuer.value.matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.san

Field Description Type Required Default Allowed Values
type selects the SAN type to match. enum yes DNS, Email, IPAddress, URI
value which at least one of the subject alternative names of the specified type must match. object yes

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.san.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.san.value.matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.subject

Field Description Type Required Default Allowed Values
field selects the subject field to match. enum yes CommonName, Country, Locality, Organization, OrganizationalUnit, State
value which the selected subject field must match.
If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match.
object yes

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.subject.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAll[].clientCertificate.subject.value.matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no

AccessControl.spec.policies[].authorization.requireAll[].jwt

Field Description Type Required Default Allowed Values
claim specifies a condition on a JWT claim. object yes

AccessControl.spec.policies[].authorization.requireAll[].jwt.claim

Field Description Type Required Default Allowed Values
name of the claim. string yes
value of the claim. If not specified, only existence of the claim is checked (any value is allowed).

Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives.
In case of a non-string value, the match will be performed against the stringified value.

If the claim has an unsupported data type (e.g. object or null), its value will never match.
object no

AccessControl.spec.policies[].authorization.requireAll[].jwt.claim.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAll[].jwt.claim.value.matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no

AccessControl.spec.policies[].authorization.requireAll[].oidc

Field Description Type Required Default Allowed Values
claim specifies a condition on an ID token claim. object yes

AccessControl.spec.policies[].authorization.requireAll[].oidc.claim

Field Description Type Required Default Allowed Values
name of the claim. string yes
value of the claim. If not specified, only existence of the claim is checked (any value is allowed).

Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives.
In case of a non-string value, the match will be performed against the stringified value.

If the claim has an unsupported data type (e.g. object or null), its value will never match.
object no

AccessControl.spec.policies[].authorization.requireAll[].oidc.claim.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAll[].oidc.claim.value.matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no

AccessControl.spec.policies[].authorization.requireAll[].tokenExchange

Field Description Type Required Default Allowed Values
claim specifies a condition on a JWT or ID token claim of the exchanged token. object yes

AccessControl.spec.policies[].authorization.requireAll[].tokenExchange.claim

Field Description Type Required Default Allowed Values
name of the claim. string yes
value of the claim. If not specified, only existence of the claim is checked (any value is allowed).

Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives.
In case of a non-string value, the match will be performed against the stringified value.

If the claim has an unsupported data type (e.g. object or null), its value will never match.
object no

AccessControl.spec.policies[].authorization.requireAll[].tokenExchange.claim.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAll[].tokenExchange.claim.value.matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
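The following added example (not from the Airlock project) models the claim-value matching rules documented for the jwt, oidc and tokenExchange conditions and their value.matcher tables above, in particular why the page's example quotes the role as `'"admin"'`. Assumptions: non-string claim values are stringified as compact JSON (so a list keeps its quotes), a regex must match the whole stringified value, and Python's `re` stands in for RE2 (using the `IGNORECASE` flag, equivalent to the documented `(?i:...)` wrapping).

```python
"""Model of claim-value matching (added example, not project code)."""
import json
import re

MATCHER_KINDS = ("exact", "prefix", "suffix", "regex", "contains")


def stringify_claim(value):
    """String the matcher runs against, or None for unsupported types.

    Assumption: primitives and arrays of primitives are stringified as compact JSON;
    objects, null and nested arrays never match."""
    if isinstance(value, str):
        return value
    if isinstance(value, (bool, int, float)):
        return json.dumps(value)                          # true, 42, 1.5
    if isinstance(value, list) and all(isinstance(v, (str, bool, int, float)) for v in value):
        return json.dumps(value, separators=(",", ":"))   # ["reader","admin"]
    return None


def match_value(matcher, text):
    """Apply one value.matcher (exactly one kind set, optional ignoreCase) to text."""
    kinds = [k for k in MATCHER_KINDS if k in matcher]
    if len(kinds) != 1:
        raise ValueError("exactly one of exact, prefix, suffix, regex or contains must be set")
    kind, pattern = kinds[0], matcher[kinds[0]]
    if kind != "regex" and pattern == "":
        raise ValueError(f"empty {kind} is not allowed, use regex instead")
    ignore_case = bool(matcher.get("ignoreCase", False))
    if kind == "regex":
        # Assumption: whole-value match. '.' does not cross newlines unless the
        # pattern starts with (?s), as documented for RE2.
        flags = re.IGNORECASE if ignore_case else 0
        return re.fullmatch(pattern, text, flags) is not None
    if ignore_case:
        text, pattern = text.casefold(), pattern.casefold()
    if kind == "exact":
        return text == pattern
    if kind == "prefix":
        return text.startswith(pattern)
    if kind == "suffix":
        return text.endswith(pattern)
    return pattern in text                                # contains


def claim_condition_satisfied(claims, condition):
    """Evaluate a `claim: {name, value: {matcher}}` condition against decoded claims."""
    name = condition["name"]
    if name not in claims:
        return False
    if "value" not in condition:
        return True                                       # existence check only
    text = stringify_claim(claims[name])
    if text is None:
        return False                                      # unsupported type never matches
    return match_value(condition["value"]["matcher"], text)


# Constructed sample claims, not taken from any real token.
CLAIMS = {
    "sub": "/group/a/alice",
    "email": "alice@company.com",
    "roles": ["reader", "superadmin"],
    "exp": 1700000000,
    "address": {"country": "CH"},
}

ROLE_ADMIN_QUOTED = {"name": "roles", "value": {"matcher": {"contains": '"admin"'}}}
ROLE_ADMIN_BARE = {"name": "roles", "value": {"matcher": {"contains": "admin"}}}

if __name__ == "__main__":
    # The quotes matter: on the stringified list ["reader","superadmin"] a bare
    # "admin" substring also matches the superadmin role, the quoted form does not.
    print(claim_condition_satisfied(CLAIMS, ROLE_ADMIN_QUOTED))  # False
    print(claim_condition_satisfied(CLAIMS, ROLE_ADMIN_BARE))    # True
```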

AccessControl.spec.policies[].authorization.requireAny[]

Field Description Type Required Default Allowed Values
clientCertificate specifies a condition on the presented client certificate.
If no client certificate is presented, the condition is never satisfied.
object no hash{}, issuer{}, san{}, subject{}
jwt specifies a condition on the JWT. object no
oidc specifies a condition on the result of an OpenID Connect flow. object no
tokenExchange specifies a condition on the exchanged token. object no

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate

Field Description Type Required Default Allowed Values
hash specifies a condition on the SHA256 hash/fingerprint of the DER encoded presented client certificate. object no
issuer specifies a condition on the issuer fields of the presented client certificate.
Note: For security reasons, only client certificates passing TLS validation can satisfy this condition.
object no
san specifies a condition on the subject alternative names of the presented client certificate.
Note: For security reasons, only client certificates passing TLS validation can satisfy this condition.
object no
subject specifies a condition on the subject fields of the presented client certificate.
Note: For security reasons, only client certificates passing TLS validation can satisfy this condition.
object no

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.hash

Field Description Type Required Default Allowed Values
in specifies that the hash must match one of these values. object yes values{}, valuesFrom{}

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.hash.in

Field Description Type Required Default Allowed Values
values is a list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). string[] no
valuesFrom selects the source from which to extract the list of hex encoded SHA256 hashes (e.g., df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a) or fingerprints (e.g., DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A). object no

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.hash.in.valuesFrom

Field Description Type Required Default Allowed Values
configMapRef defines the reference to a ConfigMap containing a list of hex-encoded SHA-256 hashes under the key ‘fingerprints.txt’. Each line represents one fingerprint; blank lines and comments beginning with ‘#’ are ignored. object yes
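The following added example (not from the Airlock project) is a loader for the fingerprints.txt format described for valuesFrom.configMapRef, in both the requireAll[] and the requireAny[] variant, accepting the two spellings that hash.in.values accepts (lowercase hex and colon-separated fingerprint), together with the comparison a presented DER certificate has to pass. It assumes that a '#' after an entry starts a trailing comment; the certificate bytes used at the end are a placeholder, not a real certificate.

```python
"""fingerprints.txt loader and DER hash check (added example, not project code)."""
import hashlib
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def normalize_fingerprint(value):
    """'df6ff7...' or 'DF:6F:F7:...' -> lowercase hex without separators.

    Anything that is not a SHA-256 digest is rejected, so a typo cannot silently
    become an entry that never matches any certificate."""
    digest = value.strip().replace(":", "").lower()
    if not SHA256_HEX.match(digest):
        raise ValueError(f"not a SHA-256 hash or fingerprint: {value!r}")
    return digest


def parse_fingerprints_txt(text):
    """One entry per line; blank lines and '#' comments are ignored.

    Assumption: a '#' after an entry starts a trailing comment."""
    allowed = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            allowed.add(normalize_fingerprint(entry))
    return allowed


def der_sha256(der_bytes):
    """The value hash.in compares against: SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def certificate_allowed(der_bytes, allowed):
    """True if the presented certificate's hash is in the allowed set."""
    return der_sha256(der_bytes) in allowed


# Constructed ConfigMap content reusing the two hashes from the page's example, the
# second written in fingerprint form; this is a sample, not a real certificate set.
FINGERPRINTS_TXT = """\
# API client certificates (constructed sample)
69e4caf01b2b3490cd938b053274a2c9001c45c21b2cb58e3612c550568a42ca   # build pipeline
DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A

"""

if __name__ == "__main__":
    allowed = parse_fingerprints_txt(FINGERPRINTS_TXT)
    # Placeholder bytes standing in for a presented DER certificate; a real check
    # would hash the certificate bytes, e.g. the output of `openssl x509 -outform DER`.
    print(certificate_allowed(b"\x30\x82placeholder-der", allowed))  # False
```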

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.hash.in.valuesFrom.configMapRef

Field Description Type Required Default Allowed Values
name of the resource string yes

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.issuer

Field Description Type Required Default Allowed Values
field selects the issuer field to match. enum yes CommonName, Country, Locality, Organization, OrganizationalUnit, State
value which the selected issuer field must match.
If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match.
object yes

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.issuer.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.issuer.value.matcher

Field Description Type Required Default Allowed Values
contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
ignoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). bool no false true, false
prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
string no
suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
string no

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.san

Field Description Type Required Default Allowed Values
type selects the SAN type to match. enum yes DNS, Email, IPAddress, URI
value which at least one of the subject alternative names of the specified type must match. object yes

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.san.value

Field Description Type Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.san.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | Indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.subject

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| field | Selects the subject field to match. | enum | yes | | CommonName, Country, Locality, Organization, OrganizationalUnit, State |
| value | Value which the selected subject field must match. If the selected field occurs multiple times in the certificate (e.g., multiple organizational units), the value of at least one of them must match. | object | yes | | |

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.subject.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].authorization.requireAny[].clientCertificate.subject.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | Indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].authorization.requireAny[].jwt

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | Specifies a condition on a JWT claim. | object | yes | | |

AccessControl.spec.policies[].authorization.requireAny[].jwt.claim

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | Name of the claim. | string | yes | | |
| value | Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |

AccessControl.spec.policies[].authorization.requireAny[].jwt.claim.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].authorization.requireAny[].jwt.claim.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | Indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].authorization.requireAny[].oidc

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | Specifies a condition on an ID token claim. | object | yes | | |

AccessControl.spec.policies[].authorization.requireAny[].oidc.claim

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | Name of the claim. | string | yes | | |
| value | Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |

AccessControl.spec.policies[].authorization.requireAny[].oidc.claim.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].authorization.requireAny[].oidc.claim.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | Indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].authorization.requireAny[].tokenExchange

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| claim | Specifies a condition on a JWT or ID token claim of the exchanged token. | object | yes | | |

AccessControl.spec.policies[].authorization.requireAny[].tokenExchange.claim

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | Name of the claim. | string | yes | | |
| value | Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). Value matching is only supported if the data type of the claim is either primitive (number, boolean, string) or array of primitives. In case of a non-string value, the match will be performed against the stringified value. If the claim has an unsupported data type (e.g. object or null), its value will never match. | object | no | | |

AccessControl.spec.policies[].authorization.requireAny[].tokenExchange.claim.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].authorization.requireAny[].tokenExchange.claim.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | Indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
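The requireAny alternatives documented in the preceding tables (client certificate SAN and subject, JWT claim and ID token claim conditions), combined in one policy. This is an added example, not a manifest from the page or from the Airlock Microgateway project; the resource name, path, hostname, organizational unit and claim names are constructed, and the policy's authentication settings, which these tables do not describe, are left as a comment because the credential types used in requireAny must be authenticated by them.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControl
metadata:
  name: access-control-require-any-example   # constructed name
spec:
  policies:
    - requestConditions:
        path:
          matcher:
            prefix: /partner-api              # constructed path
      # authentication: ... (not described by the matcher tables; the credential types
      # referenced in requireAny below must be authenticated by these settings)
      authorization:
        # requireAny: the request is authorized if at least one listed condition holds.
        requireAny:
          # 1. A client certificate carrying the DNS SAN partner.example.com. Only one of
          #    exact/prefix/suffix/regex/contains may be set per matcher; DNS names are
          #    case-insensitive, so ignoreCase is appropriate here.
          - clientCertificate:
              san:
                type: DNS
                value:
                  matcher:
                    exact: partner.example.com
                    ignoreCase: true
          # 2. A client certificate issued to the "Partners" organizational unit. If the
          #    subject carries several OU entries, one matching entry is enough.
          - clientCertificate:
              subject:
                field: OrganizationalUnit
                value:
                  matcher:
                    exact: Partners
          # 3. A JWT whose space-separated scope claim contains partner:read. The anchors
          #    (^|\s) and (\s|$) keep e.g. partner:readall from matching. RE2 syntax; the
          #    match is single-line unless the regex starts with (?s).
          - jwt:
              claim:
                name: scope
                value:
                  matcher:
                    regex: '(^|\s)partner:read(\s|$)'
          # 4. An ID token whose email_verified claim is the boolean true. Non-string claim
          #    values are matched against their stringified form, hence the quoted "true";
          #    an object- or null-valued claim would never match by value.
          - oidc:
              claim:
                name: email_verified
                value:
                  matcher:
                    exact: "true"
```

Each alternative is a separate requireAny entry; putting two conditions into the same entry (for example a SAN check and a subject check under one clientCertificate) would require both to hold for that entry. A claim condition without a value only checks that the claim exists, so a value matcher is the right choice whenever the claim's content, not just its presence, carries the authorization decision.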

AccessControl.spec.policies[].identityPropagation

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| actions | Specifies the propagation actions. | object[] | yes | | |
| onFailure | Configures what should happen if an identity propagation fails. Meaning of the possible values: Pass: The request should be forwarded to the upstream, without including the information from the failed identity propagations. | enum | yes | | Pass |

AccessControl.spec.policies[].identityPropagation.actions[]

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| identityPropagationRef | Selects an IdentityPropagation to apply. | object | yes | | |

AccessControl.spec.policies[].identityPropagation.actions[].identityPropagationRef

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | Name of the resource. | string | yes | | |

AccessControl.spec.policies[].requestConditions

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | Defines the matching headers of a request. | object | no | | |
| invert | Indicates whether the request condition should be inverted. | bool | no | false | true, false |
| mediaType | Defines the matching media type from the content-type header of a request. | object | no | | |
| method | Defines the matching methods of a request. | enum[] | no | | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
| path | Defines the matching path of a request. | object | no | | |
| remoteIP | Defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection. | object | no | | |

AccessControl.spec.policies[].requestConditions.header

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | Defines the name of a header. | object | no | | |
| value | Defines the value of a header. | object | no | | |

AccessControl.spec.policies[].requestConditions.header.name

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | Defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].requestConditions.header.name.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].requestConditions.header.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].requestConditions.header.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | Indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].requestConditions.mediaType

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].requestConditions.mediaType.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].requestConditions.path

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

AccessControl.spec.policies[].requestConditions.path.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | Defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | Defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | Indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | Defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | Defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | Defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

AccessControl.spec.policies[].requestConditions.remoteIP

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | Defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | string[] | yes | | |
| invert | Indicates whether the match should be inverted. | bool | no | false | true, false |

AccessControl.spec.policies[].tokenExchange

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| actions | Specifies the chain of token exchange actions to execute. | object[] | yes | | |
| onFailure | Configures what should happen if the token exchange fails. Meaning of the possible values: Block: The downstream request is blocked. Pass: Processing of the downstream request will proceed, but no exchanged token will be available (e.g. for identity propagation). | enum | no | Block | Block, Pass |

AccessControl.spec.policies[].tokenExchange.actions[]

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| tokenExchangeRef | Selects a TokenExchange to perform. | object | yes | | |

AccessControl.spec.policies[].tokenExchange.actions[].tokenExchangeRef

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | Name of the resource. | string | yes | | |
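A policy that exercises the requestConditions fields (method, path, header name and value, mediaType, remoteIP with invert) together with the tokenExchange and identityPropagation chains and their onFailure settings. This is an added example, not a manifest from the page or from the Airlock Microgateway project; the resource names, path, header, CIDR ranges and the referenced TokenExchange and IdentityPropagation names are constructed, and the policy's authentication settings, which the tables above do not describe, are left as a comment.

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: AccessControl
metadata:
  name: access-control-request-conditions-example   # constructed name
spec:
  policies:
    # Modifying JSON requests to /admin that do not originate from the internal ranges.
    # Every request condition listed here must hold for the policy to apply.
    - requestConditions:
        method:
          - POST
          - PUT
          - PATCH
          - DELETE
        path:
          matcher:
            prefix: /admin                    # constructed path
        header:
          # Header names are always matched case-insensitively; this matcher has no
          # ignoreCase field, unlike the one for header values.
          name:
            matcher:
              exact: x-request-source         # constructed header
          value:
            matcher:
              regex: '^(web|mobile)$'
              ignoreCase: true                # wraps the regex as (?i:...)
        # Matched against the media type taken from the Content-Type header (no ignoreCase).
        mediaType:
          matcher:
            exact: application/json
        # invert: true makes the list mean "not from any of these ranges". Client IP
        # detection must be configured correctly (see the remoteIP note above), otherwise
        # a proxy address is matched instead of the client's.
        remoteIP:
          cidrRanges:
            - 10.0.0.0/8                      # constructed internal range
            - 2001:db8::/32                   # constructed internal range
          invert: true
      # authentication: ... (not described by the tables above)
      authorization:
        requireAny:
          # A condition on a claim of the token produced by the exchange configured below.
          - tokenExchange:
              claim:
                name: aud
                value:
                  matcher:
                    exact: admin-backend      # constructed audience
      tokenExchange:
        # Block (the default) rejects the downstream request when the exchange fails, so
        # the backend never receives a request without the exchanged token. Pass would let
        # the request through with no exchanged token available for later steps.
        onFailure: Block
        actions:
          - tokenExchangeRef:
              name: admin-token-exchange      # constructed TokenExchange name
      identityPropagation:
        # Pass is the only supported value: on failure the request is still forwarded,
        # but without the information from the failed propagation. The backend therefore
        # must not interpret missing identity information as a valid anonymous request.
        onFailure: Pass
        actions:
          - identityPropagationRef:
              name: admin-identity-propagation  # constructed IdentityPropagation name
```

The requestConditions-level invert field (not used here) inverts the whole condition set, whereas remoteIP.invert only inverts the CIDR check; combining the two is easy to misread, so prefer one level of inversion per policy.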