Limits

microgateway.airlock.com/v1alpha1

Limits contains the configuration for limits.

apiVersion: microgateway.airlock.com/v1alpha1
kind: Limits
metadata:
  name: limits-example
spec:
  settings:
    threatHandlingMode: Block
  request:
    limited:
      general:
        # Reduce the unparsed body size to '10Mi' to increase security.
        bodySize: 10Mi
        pathLength: 1Ki
      parameter:
        # Reduce the form data body size to '10Ki' to increase security.
        bodySize: 10Ki
        count: 128
        nameLength: 128
        # Reduce the maximum length to '1Ki'.
        valueLength: 1Ki
      json:
        # Reduce the json data body size to '10Ki' to increase security.
        bodySize: 10Ki
        nestingDepth: 100
        keyCount: 250
        elementCount: 150000
        keyLength: 128
        valueLength: 8Ki
      multipart:
        # Reduce the multipart data body size to '10Mi' to increase security.
        bodySize: 10Mi
      graphQL:
        # Reduce the query size to '512' to increase security.
        querySize: 512
        nestingDepth: 5
        valueLength: 128
      exceptions:
        # Length exception for the JSON attribute $.logo when the path has prefix /project/
        - length:
            json:
              jsonPath: "$.logo"
          requestConditions:
            path:
              matcher:
                prefix: /project/
        # Length exception for the post parameter txtbdy
        - length:
            parameter:
              name:
                matcher:
                  exact: txtbdy
              source: Post
        # Length exception for value in the query: search(text)
        - length:
            graphQL:
              field:
                matcher:
                  exact: search
              argument:
                matcher:
                  exact: text
apiVersion: microgateway.airlock.com/v1alpha1
kind: Limits
metadata:
  name: default
spec: 
  settings: 
    threatHandlingMode: Block
  request: 
    limited: 
      general: 
        bodySize: "100Mi"
        pathLength: "1Ki"
      parameter: 
        bodySize: "100Ki"
        count: 128
        nameLength: "128"
        valueLength: "8Ki"
      json: 
        bodySize: "100Ki"
        nestingDepth: 100
        keyCount: 250
        elementCount: 10000
        keyLength: "128"
        valueLength: "8Ki"
      multipart: 
        bodySize: "100Mi"
      graphQL: 
        querySize: "1Ki"
        nestingDepth: 10
        valueLength: "256"

Limits

Field Type Description Required Default Allowed Values
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata yes
spec object Specification of the desired limits behavior. no

Limits.spec

Field Type Description Required Default Allowed Values
request object Request defines the limits for requests. no limited{...} limited{}, unlimited{}
settings object Settings configures the limits filter. no

Limits.spec.request

Field Type Description Required Default Allowed Values
limited object Limited enables limits on request scope. no
unlimited object Unlimited disables all limits on request scope. no

Limits.spec.request.limited

Field Type Description Required Default Allowed Values
exceptions object[] Exceptions defines limit exceptions. no
general object General defines general request limits. no
graphQL object GraphQL defines the limits for GraphQL requests. no
json object JSON defines the limits for JSON requests. no
multipart object Multipart defines the limits for Multipart requests. no
parameter object Parameter defines the limits for request parameters. no

Limits.spec.request.limited.exceptions[]

Field Type Description Required Default Allowed Values
length object Length defines an exception for length limits based on the data element exceeding the limit. no graphQL{}, json{}, parameter{}
requestConditions object RequestConditions defines additional request properties which must all be matched in order for this exception to apply. no

Limits.spec.request.limited.exceptions[].length

Field Type Description Required Default Allowed Values
graphQL object GraphQL defines a field, argument or value length limit exception for a GraphQL query. no
json object JSON defines a key and value length limit exception for a JSON property. no
parameter object Parameter defines a name and value length limit exception for a parameter. no

Limits.spec.request.limited.exceptions[].length.graphQL

Field Type Description Required Default Allowed Values
argument object Argument restricts the exception to GraphQL queries with a matching argument of a field.
At least one of field, argument and value must be set.		 no
field object Field restricts the exception to GraphQL queries with a matching field.
At least one of field, argument and value must be set.		 no
value object Value restricts the exception to GraphQL queries with a matching argument value.
At least one of field, argument and value must be set.		 no

Limits.spec.request.limited.exceptions[].length.graphQL.argument

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].length.graphQL.argument.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].length.graphQL.field

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].length.graphQL.field.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].length.graphQL.value

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].length.graphQL.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].length.json

Field Type Description Required Default Allowed Values
jsonPath string JSONPath restricts the exception to JSON properties with a matching JSONPath.
Expressions in JSONPath i.e. ?(expr) are not supported.		 yes

Limits.spec.request.limited.exceptions[].length.parameter

Field Type Description Required Default Allowed Values
name object Name restricts the exception to parameters with a matching name. yes
source enum Source restricts the exception to parameters of this kind. no Any Any, Post, Query

Limits.spec.request.limited.exceptions[].length.parameter.name

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].length.parameter.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].requestConditions

Field Type Description Required Default Allowed Values
header object Header defines the matching headers of a request. no
invert bool Invert indicates whether the request condition should be inverted. no false true, false
mediaType object MediaType defines the matching media type from the content-type header of a request. no
method enum[] Method defines the matching methods of a request. no CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE
path object Path defines the matching path of a request. no
remoteIP object RemoteIP defines the matching remote IPs of a request.
Note: Depending on your setup you may need to adapt the remoteIP configuration in the SidecarGateway / GatewayParameters resource to ensure correct client IP detection.		 no

Limits.spec.request.limited.exceptions[].requestConditions.header

Field Type Description Required Default Allowed Values
name object Name defines the name of a header. no
value object Value defines the value of a header. no

Limits.spec.request.limited.exceptions[].requestConditions.header.name

Field Type Description Required Default Allowed Values
matcher object Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can’t be inverted. yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].requestConditions.header.name.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].requestConditions.header.value

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].requestConditions.header.value.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].requestConditions.mediaType

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].requestConditions.mediaType.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].requestConditions.path

Field Type Description Required Default Allowed Values
matcher object yes contains{}, exact{}, prefix{}, regex{}, suffix{}

Limits.spec.request.limited.exceptions[].requestConditions.path.matcher

Field Type Description Required Default Allowed Values
contains string Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
exact string Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
ignoreCase bool IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group (?i:...). no false true, false
prefix string Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
regex string Regex defines a regex match on the regular expression specified here. Google’s RE2 regex engine is used.
The regex matches only single-line by default, even with “.*”. To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.		 no
suffix string Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.		 no

Limits.spec.request.limited.exceptions[].requestConditions.remoteIP

Field Type Description Required Default Allowed Values
cidrRanges string[] CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. 196.148.3.128/26 or 2001:db8::/28. yes
invert bool Invert indicates whether the match should be inverted. no false true, false

Limits.spec.request.limited.general

Field Type Description Required Default Allowed Values
bodySize Quantity BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. Note This limit does not apply to WebSocket or gRPC traffic. no 100Mi
pathLength Quantity PathLength defines the maximum path length for all requests (parsed and unparsed). no 1Ki

Limits.spec.request.limited.graphQL

Field Type Description Required Default Allowed Values
nestingDepth uint64 NestingDepth defines the maximum depth of nesting for GraphQL objects. no 10 [0, 18446744073709551615]
querySize Quantity QuerySize defines the maximum size for GraphQL queries. no 1Ki
valueLength Quantity ValueLength defines the maximum length for GraphQL values. no 256

Limits.spec.request.limited.json

Field Type Description Required Default Allowed Values
bodySize Quantity BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited). no 100Ki
elementCount uint64 ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). no 10000 [0, 18446744073709551615]
keyCount uint64 KeyCount defines the maximum number of keys of a single JSON object (non-recursive). no 250 [0, 18446744073709551615]
keyLength Quantity KeyLength defines the maximum length for JSON keys. no 128
nestingDepth uint64 NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. no 100 [0, 18446744073709551615]
valueLength Quantity ValueLength defines the maximum length for JSON values. no 8Ki

Limits.spec.request.limited.multipart

Field Type Description Required Default Allowed Values
bodySize Quantity BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited). no 100Mi

Limits.spec.request.limited.parameter

Field Type Description Required Default Allowed Values
bodySize Quantity BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited). no 100Ki
count uint64 Count defines the maximum number of request parameters. no 128 [0, 18446744073709551615]
nameLength Quantity NameLength defines the maximum length for parameter names. no 128
valueLength Quantity ValueLength defines the maximum length for parameter values. no 8Ki

Limits.spec.settings

Field Type Description Required Default Allowed Values
threatHandlingMode enum ThreatHandlingMode specifies how threats should be handled when a limit hits. no Block Block, LogOnly