APIProtection

microgateway.airlock.com/v1alpha1

APIProtection contains the configuration for API security.

apiVersion: microgateway.airlock.com/v1alpha1
kind: APIProtection
metadata:
  name: api-protection-example
spec:
  policies:
    - name: My REST API exception
      requestConditions:
        path:
          matcher:
            prefix: /rest/no-validation
      noValidation: {}
    - name: My REST API
      requestConditions:
        path:
          matcher:
            prefix: /rest
      openAPIRef:
        name: open-api-example
    - name: My GraphQL API
      requestConditions:
        path:
          matcher:
            prefix: /graphql
      graphQLRef:
        name: graphql-example
apiVersion: microgateway.airlock.com/v1alpha1
kind: APIProtection
metadata:
  name: default
spec: {}

APIProtection

Field Type Description Required Default Allowed Values
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata yes
spec object Specifies the options to define API protection settings. no

APIProtection.spec

Field Type Description Required Default Allowed Values
policies object[] Policies defines the policies for API protection of downstream requests. no

APIProtection.spec.policies[]

Field Type Description Required Default Allowed Values
graphQLRef object GraphQLRef enables and configures GraphQL validation for requests matching this policy.
If undefined, default settings are applied, designed to work with most upstream web application services.		 no
name string Name describing the configured policy. Must be unique. yes
noValidation object NoValidation disables API protection for requests matching this policy. no
openAPIRef object OpenAPIRef enables and configures OpenAPI validation for requests matching this policy.
If undefined, default settings are applied, designed to work with most upstream web application services.		 no
requestConditions object RequestConditions defines additional request properties which must all be matched in order for this policy to apply. no

APIProtection.spec.policies[].graphQLRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

APIProtection.spec.policies[].openAPIRef

Field Type Description Required Default Allowed Values
name string Name of the resource yes

APIProtection.spec.policies[].requestConditions

Field Type Description Required Default Allowed Values
header object Header defines the matching headers of a request. no
invert bool Invert indicates whether the request condition should be inverted. no false true, false
mediaType object MediaType defines the matching media type from the content-type header of a request. no
method enum[] Method defines the matching methods of a request. no CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE
path object Path defines the matching path of a request. no
remoteIP object RemoteIP defines the matching remote IPs of a request.
Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection.		 no

APIProtection.spec.policies[].requestConditions.header

Field Type Description Required Default Allowed Values
name object Name defines the name of a header. no
value object Value defines the value of a header. no

APIProtection.spec.policies[].requestConditions.header.name

Field Type Description Required Default Allowed Values
matcher object Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. yes contains{}, exact{}, prefix{}, regex{}, suffix{}

APIProtection.spec.policies[].requestConditions.header.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

APIProtection.spec.policies[].requestConditions.header.value

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

APIProtection.spec.policies[].requestConditions.header.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

APIProtection.spec.policies[].requestConditions.mediaType

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

APIProtection.spec.policies[].requestConditions.mediaType.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

APIProtection.spec.policies[].requestConditions.path

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

APIProtection.spec.policies[].requestConditions.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

APIProtection.spec.policies[].requestConditions.remoteIP

Field Type Description Required Default Allowed Values
cidrRanges string[] CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. yes
invert bool Invert indicates whether the match should be inverted. no false true, false