ContentSecurityPolicy
microgateway.airlock.com/v1alpha1
ContentSecurityPolicy is a Direct Attached Policy for the Kubernetes Gateway API.
It defines a policy for filtering and mutating requests and responses to protect an upstream web application. Individual features can be customized using their dedicated CRDs, which are referenced from this policy.
The default policy is designed to be secure and to work with most web applications. Security can be further improved by, for example:
- Enforcing an OpenAPI or GraphQL schema to protect API endpoints
- Enabling CSRF protection
- Increasing the deny rule strictness level
- Tightening request limits
If false positives are encountered (wrongly blocked requests), exceptions may also be configured in the relevant CRDs.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurityPolicy
metadata:
  name: content-security-policy-example
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend
  secured:
    parserRef:
      name: parser-example
    limitsRef:
      name: limits-example
    headerRewritesRef:
      name: header-rewrites-example
    filter:
      denyRulesRef:
        name: deny-rules-example
    apiProtectionRef:
      name: api-protection-example
    csrfProtectionRef:
      name: csrf-protection-example
```
ContentSecurityPolicy
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata | ObjectMeta | yes | | |
| spec | defines the desired content security configuration. | object | yes | secured{...} | secured{}, unsecured{} |
| status | describes the current status of the ContentSecurityPolicy. | PolicyStatus | no | | |
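The hardening points listed above (keeping `secured` in use, enabling CSRF protection, attaching only to HTTPRoutes) can be checked across a cluster. As an added example that is not part of the Airlock Microgateway documentation, the following script audits the JSON printed by `kubectl get contentsecuritypolicies -A -o json` (a constructed sample is embedded so it runs offline) and flags policies that use `unsecured`, omit `csrfProtectionRef`, or target something other than an HTTPRoute.

```python
# Added example (not from the Airlock Microgateway docs): audit the JSON that
# `kubectl get contentsecuritypolicies -A -o json` prints for policies that
# disable the WAF, leave CSRF protection off, or target unsupported resources.
import json

GATEWAY_GROUP = "gateway.networking.k8s.io"
SUPPORTED_TARGET_KINDS = {"HTTPRoute"}  # targetRefs supports HTTPRoute only

# Constructed sample in the shape kubectl -o json returns (three policies).
SAMPLE_LIST = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "shop", "namespace": "prod"},
     "spec": {"targetRefs": [{"group": GATEWAY_GROUP, "kind": "HTTPRoute", "name": "backend"}],
              "secured": {"filter": {"denyRulesRef": {"name": "deny-rules-example"}},
                          "csrfProtectionRef": {"name": "csrf-protection-example"}}}},
    {"metadata": {"name": "legacy", "namespace": "prod"},
     "spec": {"targetRefs": [{"group": GATEWAY_GROUP, "kind": "HTTPRoute", "name": "legacy"}],
              "unsecured": {}}},
    {"metadata": {"name": "api", "namespace": "dev"},
     "spec": {"targetRefs": [{"group": GATEWAY_GROUP, "kind": "Gateway", "name": "edge"}],
              "secured": {}}},
]})

def audit_policy(policy: dict) -> list[str]:
    """Return findings for one ContentSecurityPolicy object (empty list = clean)."""
    findings = []
    spec = policy.get("spec", {})
    targets = spec.get("targetRefs") or []
    if not targets:
        findings.append("no targetRefs: policy attaches to nothing")
    for ref in targets:  # only same-namespace HTTPRoutes can be protected
        if ref.get("group") != GATEWAY_GROUP or ref.get("kind") not in SUPPORTED_TARGET_KINDS:
            findings.append(f"unsupported targetRef {ref.get('kind')}/{ref.get('name')}")
    if "unsecured" in spec:  # the documented WARNING case: all WAF processing off
        findings.append("unsecured: WAF processing disabled for attached routes")
    if "secured" in spec and "csrfProtectionRef" not in spec["secured"]:
        findings.append("secured without csrfProtectionRef: CSRF protection disabled")
    return findings

def audit_list(kubectl_json: str) -> dict[str, list[str]]:
    """Map 'namespace/name' to its findings for every policy in a kubectl List."""
    report = {}
    for pol in json.loads(kubectl_json).get("items", []):
        meta = pol.get("metadata", {})
        report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = audit_policy(pol)
    return report

if __name__ == "__main__":
    for name, findings in audit_list(SAMPLE_LIST).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Pipe real cluster output into `audit_list` to get the same report for live policies; a non-empty finding list is a review item, not necessarily a misconfiguration (CSRF protection may be intentionally off for a pure API route).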
ContentSecurityPolicy.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| secured | enables WAF processing for the routes attached to this policy. | object | no | | |
| targetRefs | are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy. Support: HTTPRoute. | LocalPolicyTargetReference[] | yes | | |
| unsecured | disables all WAF functionality and therefore protection for the routes attached to this policy. WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. | object | no | {} | |
ContentSecurityPolicy.spec.secured
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| apiProtectionRef | defines the relevant configurations to protect multiple APIs on different paths. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| csrfProtectionRef | selects the relevant CSRF configuration resource. If undefined, CSRF protection is disabled. | object | no | | |
| filter | defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests to protect against various attack patterns. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| headerRewritesRef | selects the relevant HeaderRewrites. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| limitsRef | selects the relevant Limits configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| parserRef | selects the relevant Parser configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
ContentSecurityPolicy.spec.secured.apiProtectionRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes | | |
ContentSecurityPolicy.spec.secured.csrfProtectionRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes | | |
ContentSecurityPolicy.spec.secured.filter
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| denyRulesRef | selects the relevant DenyRules configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
ContentSecurityPolicy.spec.secured.filter.denyRulesRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes | | |
ContentSecurityPolicy.spec.secured.headerRewritesRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes | | |
ContentSecurityPolicy.spec.secured.limitsRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes | | |
ContentSecurityPolicy.spec.secured.parserRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | of the resource | string | yes | | |