APIProtection
microgateway.airlock.com/v1alpha1
APIProtection defines a rule-based policy for enforcing API conformance via e.g., OpenAPI or GraphQL validation.
Different schemas can be applied to different paths based on request conditions.
apiVersion: microgateway.airlock.com/v1alpha1
kind: APIProtection
metadata:
name: api-protection-example
spec:
policies:
- name: My REST API exception
requestConditions:
path:
matcher:
prefix: /rest/no-validation
noValidation: {}
- name: My REST API
requestConditions:
path:
matcher:
prefix: /rest
openAPIRef:
name: open-api-example
- name: My GraphQL API
requestConditions:
path:
matcher:
prefix: /graphql
graphQLRef:
name: graphql-exampleAPIProtection
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | ||
| spec | defines the desired API protection configuration. | object | no |
APIProtection.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| policies | defines the policies for API protection of downstream requests. | object[] | no |
APIProtection.spec.policies[]
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| graphQLRef | enables and configures GraphQL validation for requests matching this policy. If undefined, default settings are applied, designed to work with most upstream web application services. |
object | no | ||
| name | describing the configured policy. Must be unique. | string | yes | ||
| noValidation | disables API protection for requests matching this policy. | object | no | {} |
|
| openAPIRef | enables and configures OpenAPI validation for requests matching this policy. If undefined, default settings are applied, designed to work with most upstream web application services. |
object | no | ||
| requestConditions | defines additional request properties which must all be matched in order for this policy to apply. | object | no |
APIProtection.spec.policies[].graphQLRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes |
APIProtection.spec.policies[].openAPIRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes |
APIProtection.spec.policies[].requestConditions
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | defines the matching headers of a request. | object | no | ||
| invert | indicates whether the request condition should be inverted. | bool | no | false |
true, false |
| mediaType | defines the matching media type from the content-type header of a request. | object | no | ||
| method | defines the matching methods of a request. | enum[] | no | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
|
| path | defines the matching path of a request. | object | no | ||
| remoteIP | defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection. |
object | no |
APIProtection.spec.policies[].requestConditions.header
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | defines the name of a header. | object | no | ||
| value | defines the value of a header. | object | no |
APIProtection.spec.policies[].requestConditions.header.name
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
APIProtection.spec.policies[].requestConditions.header.name.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
APIProtection.spec.policies[].requestConditions.header.value
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
APIProtection.spec.policies[].requestConditions.header.value.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
bool | no | false |
true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
APIProtection.spec.policies[].requestConditions.mediaType
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
APIProtection.spec.policies[].requestConditions.mediaType.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
APIProtection.spec.policies[].requestConditions.path
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | object | yes | contains{}, exact{}, prefix{}, regex{}, suffix{} |
APIProtection.spec.policies[].requestConditions.path.matcher
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). |
bool | no | false |
true, false |
| prefix | defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no | ||
| suffix | defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. |
string | no |
APIProtection.spec.policies[].requestConditions.remoteIP
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. |
string[] | yes | ||
| invert | indicates whether the match should be inverted. | bool | no | false |
true, false |