Limits

microgateway.airlock.com/v1alpha1

Limits defines a policy for enforcing request content limits.

The default limits are designed to work with most web applications, but security can be further improved by tightening them according to the upstream application’s actual requirements.
Example:

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: Limits
metadata:
  name: limits-example
spec:
  settings:
    threatHandlingMode: Block
  request:
    limited:
      general:
        # Reduce the unparsed body size to '10Mi' to increase security.
        bodySize: 10Mi
        pathLength: 1Ki
      parameter:
        # Reduce the form data body size to '10Ki' to increase security.
        bodySize: 10Ki
        count: 128
        nameLength: 128
        # Reduce the maximum length to '1Ki'.
        valueLength: 1Ki
      json:
        # Reduce the json data body size to '10Ki' to increase security.
        bodySize: 10Ki
        nestingDepth: 100
        keyCount: 250
        elementCount: 150000
        keyLength: 128
        valueLength: 8Ki
      multipart:
        # Reduce the multipart data body size to '10Mi' to increase security.
        bodySize: 10Mi
      graphQL:
        # Reduce the query size to '512' to increase security.
        querySize: 512
        nestingDepth: 5
        valueLength: 128
      exceptions:
        # Length exception for the JSON attribute $.logo when the path has prefix /project/
        - length:
            json:
              jsonPath: "$.logo"
          requestConditions:
            path:
              matcher:
                prefix: /project/
        # Length exception for the post parameter txtbdy
        - length:
            parameter:
              name:
                matcher:
                  exact: txtbdy
              source: Post
        # Length exception for value in the query: search(text)
        - length:
            graphQL:
              field:
                matcher:
                  exact: search
              argument:
                matcher:
                  exact: text
```

Default values (the same values as listed in the field tables below):

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: Limits
metadata:
  name: default
spec:
  settings:
    threatHandlingMode: Block
  request:
    limited:
      general:
        bodySize: "100Mi"
        pathLength: "1Ki"
      parameter:
        bodySize: "100Ki"
        count: 128
        nameLength: "128"
        valueLength: "8Ki"
      json:
        bodySize: "100Ki"
        nestingDepth: 100
        keyCount: 250
        elementCount: 10000
        keyLength: "128"
        valueLength: "8Ki"
      multipart:
        bodySize: "100Mi"
      graphQL:
        querySize: "1Ki"
        nestingDepth: 10
        valueLength: "256"
```

Limits

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource’s metadata. | ObjectMeta | yes | | |
| spec | defines the desired limits. | object | no | | |

Limits.spec

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| request | defines the limits for requests. | object | no | limited{...} | limited{}, unlimited{} |
| settings | configures the limits filter. | object | no | | |

Limits.spec.request

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| limited | enables limits on request scope. | object | no | | |
| unlimited | disables all limits on request scope. | object | no | | {} |

Limits.spec.request.limited

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| exceptions | defines limit exceptions. | object[] | no | | |
| general | defines general request limits. | object | no | | |
| graphQL | defines the limits for GraphQL requests. | object | no | | |
| json | defines the limits for JSON requests. | object | no | | |
| multipart | defines the limits for Multipart requests. | object | no | | |
| parameter | defines the limits for request parameters. | object | no | | |

Limits.spec.request.limited.exceptions[]

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| length | defines an exception for length limits based on the data element exceeding the limit. | object | no | | graphQL{}, json{}, parameter{} |
| requestConditions | defines additional request properties which must all be matched in order for this exception to apply. | object | no | | |

Limits.spec.request.limited.exceptions[].length

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| graphQL | defines a field, argument or value length limit exception for a GraphQL query. | object | no | | |
| json | defines a key and value length limit exception for a JSON property. | object | no | | |
| parameter | defines a name and value length limit exception for a parameter. | object | no | | |

Limits.spec.request.limited.exceptions[].length.graphQL

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| argument | restricts the exception to GraphQL queries with a matching argument of a field. At least one of field, argument and value must be set. | object | no | | |
| field | restricts the exception to GraphQL queries with a matching field. At least one of field, argument and value must be set. | object | no | | |
| value | restricts the exception to GraphQL queries with a matching argument value. At least one of field, argument and value must be set. | object | no | | |

Limits.spec.request.limited.exceptions[].length.graphQL.argument

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].length.graphQL.argument.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].length.graphQL.field

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].length.graphQL.field.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].length.graphQL.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].length.graphQL.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].length.json

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| jsonPath | restricts the exception to JSON properties with a matching JSONPath. Expressions in JSONPath, i.e. ?(expr), are not supported. | string | yes | | |

Limits.spec.request.limited.exceptions[].length.parameter

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | restricts the exception to parameters with a matching name. | object | yes | | |
| source | restricts the exception to parameters of this kind. | enum | no | Any | Any, Post, Query |

Limits.spec.request.limited.exceptions[].length.parameter.name

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].length.parameter.name.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].requestConditions

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| header | defines the matching headers of a request. | object | no | | |
| invert | indicates whether the request condition should be inverted. | bool | no | false | true, false |
| mediaType | defines the matching media type from the content-type header of a request. | object | no | | |
| method | defines the matching methods of a request. | enum[] | no | | CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE |
| path | defines the matching path of a request. | object | no | | |
| remoteIP | defines the matching remote IPs of a request. Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection. | object | no | | |

Limits.spec.request.limited.exceptions[].requestConditions.header

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | defines the name of a header. | object | no | | |
| value | defines the value of a header. | object | no | | |

Limits.spec.request.limited.exceptions[].requestConditions.header.name

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].requestConditions.header.name.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].requestConditions.header.value

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].requestConditions.header.value.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].requestConditions.mediaType

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].requestConditions.mediaType.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].requestConditions.path

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| matcher | defines the way to match a string. | object | yes | | contains{}, exact{}, prefix{}, regex{}, suffix{} |

Limits.spec.request.limited.exceptions[].requestConditions.path.matcher

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| contains | defines a substring match on the substring specified here. An empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| exact | defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| ignoreCase | indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). | bool | no | false | true, false |
| prefix | defines a prefix match on the prefix specified here. An empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| regex | defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used. The regex matches only single-line by default, even with “.*”. To match a multi-line string, prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |
| suffix | defines a suffix match on the suffix specified here. An empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. | string | no | | |

Limits.spec.request.limited.exceptions[].requestConditions.remoteIP

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| cidrRanges | defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. | string[] | yes | | |
| invert | indicates whether the match should be inverted. | bool | no | false | true, false |

Limits.spec.request.limited.general

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| bodySize | limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. Note: This limit does not apply to WebSocket or gRPC traffic. | Quantity | no | 100Mi | |
| pathLength | defines the maximum path length for all requests (parsed and unparsed). | Quantity | no | 1Ki | |

Limits.spec.request.limited.graphQL

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| nestingDepth | defines the maximum depth of nesting for GraphQL objects. | int64 | no | 10 | [0, 9223372036854775807] |
| querySize | defines the maximum size for GraphQL queries. | Quantity | no | 1Ki | |
| valueLength | defines the maximum length for GraphQL values. | Quantity | no | 256 | |

Limits.spec.request.limited.json

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| bodySize | limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited). | Quantity | no | 100Ki | |
| elementCount | defines the maximum number of keys and array items in the whole JSON document (recursive). | int64 | no | 10000 | [0, 9223372036854775807] |
| keyCount | defines the maximum number of keys of a single JSON object (non-recursive). | int64 | no | 250 | [0, 9223372036854775807] |
| keyLength | defines the maximum length for JSON keys. | Quantity | no | 128 | |
| nestingDepth | defines the maximum depth of nesting for JSON objects and JSON arrays. | int64 | no | 100 | [0, 9223372036854775807] |
| valueLength | defines the maximum length for JSON values. | Quantity | no | 8Ki | |

Limits.spec.request.limited.multipart

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| bodySize | limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited). | Quantity | no | 100Mi | |

Limits.spec.request.limited.parameter

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| bodySize | limits the total size of the form data body. It specifies the number of bytes (0 = unlimited). | Quantity | no | 100Ki | |
| count | defines the maximum number of request parameters. | int64 | no | 128 | [0, 9223372036854775807] |
| nameLength | defines the maximum length for parameter names. | Quantity | no | 128 | |
| valueLength | defines the maximum length for parameter values. | Quantity | no | 8Ki | |

Limits.spec.settings

| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| threatHandlingMode | specifies how threats should be handled when a limit is hit. | enum | no | Block | Block, LogOnly |
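As an added illustration (not Airlock Microgateway's own code), the following Python reproduces the matcher rules from the tables and checks a JSON body against the json limits and the $.logo exception of the example policy above, so the interplay of limits, exceptions and request conditions can be tried offline. It assumes Python's re in place of RE2, that a regex has to match the whole string, and that the root JSON container counts as nesting depth 1.

```python
import json
import re
# Added illustration, not Airlock Microgateway code: plain-Python versions of the
# StringMatcher rules and the json limits/exceptions described on this page. Assumes
# Python's re in place of RE2, whole-string regex matching, root container = depth 1.
_UNITS = {"": 1, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}

def quantity_to_bytes(q):
    """Parse a Quantity such as '10Ki', '100Mi' or '256' (int or str) into bytes."""
    number, unit = re.fullmatch(r"(\d+)(Ki|Mi|Gi)?", str(q)).groups()
    return int(number) * _UNITS[unit or ""]

def string_matches(matcher, value):
    """One of exact/prefix/suffix/contains/regex; ignoreCase wraps a regex in (?i:...)."""
    kinds = [k for k in ("exact", "prefix", "suffix", "contains", "regex") if k in matcher]
    if len(kinds) != 1:
        raise ValueError("only one of exact, prefix, suffix, regex or contains can be set")
    kind, pattern = kinds[0], matcher[kinds[0]]
    if kind in ("prefix", "suffix", "contains") and pattern == "":
        raise ValueError(f"empty {kind} is not allowed, use regex instead")
    if kind == "regex":  # '.' stops at newlines unless the regex starts with (?s)
        pattern = f"(?i:{pattern})" if matcher.get("ignoreCase") else pattern
        return re.fullmatch(pattern, value) is not None
    if matcher.get("ignoreCase"):
        pattern, value = pattern.casefold(), value.casefold()
    return {"exact": pattern == value, "prefix": value.startswith(pattern),
            "suffix": value.endswith(pattern), "contains": pattern in value}[kind]

def json_violations(policy, request_path, body):
    """Sorted names of the json limits a JSON body (bytes) violates; a length exception
    with json.jsonPath (plus an optional requestConditions.path) exempts one property."""
    limited = policy["spec"]["request"]["limited"]
    lim, hits, exempt = limited["json"], set(), set()
    for exc in limited.get("exceptions", []):
        json_path = exc.get("length", {}).get("json", {}).get("jsonPath")
        cond = exc.get("requestConditions", {}).get("path")
        if json_path and (cond is None or string_matches(cond["matcher"], request_path)):
            exempt.add(json_path)
    body_limit = quantity_to_bytes(lim["bodySize"])
    if body_limit and len(body) > body_limit:  # 0 = unlimited
        hits.add("bodySize")
    key_limit, value_limit = quantity_to_bytes(lim["keyLength"]), quantity_to_bytes(lim["valueLength"])
    stats = {"nestingDepth": 0, "keyCount": 0, "elementCount": 0}
    def walk(node, path, depth):  # path is the JSONPath of node, e.g. $.logo or $.items[0]
        if isinstance(node, (dict, list)):
            stats["nestingDepth"] = max(stats["nestingDepth"], depth)
            stats["elementCount"] += len(node)
        if isinstance(node, dict):
            stats["keyCount"] = max(stats["keyCount"], len(node))
            for key, child in node.items():
                if len(key) > key_limit and f"{path}.{key}" not in exempt:
                    hits.add("keyLength")
                walk(child, f"{path}.{key}", depth + 1)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]", depth + 1)
        elif isinstance(node, str) and len(node) > value_limit and path not in exempt:
            hits.add("valueLength")
    walk(json.loads(body), "$", 1)
    hits.update(name for name, seen in stats.items() if seen > lim[name])
    return sorted(hits)

# Constructed sample: the json limits and the $.logo exception from the example above.
POLICY = {"spec": {"request": {"limited": {
    "json": {"bodySize": "10Ki", "nestingDepth": 100, "keyCount": 250,
             "elementCount": 150000, "keyLength": 128, "valueLength": "8Ki"},
    "exceptions": [{"length": {"json": {"jsonPath": "$.logo"}},
                    "requestConditions": {"path": {"matcher": {"prefix": "/project/"}}}}]}}}}
LOGO_BODY = json.dumps({"name": "demo", "logo": "A" * 9000}).encode()  # logo exceeds 8Ki
```

With the sample policy, `json_violations(POLICY, "/project/42", LOGO_BODY)` returns no violation because the exception applies, whereas the same body sent to `/other` reports `valueLength`.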