apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.15.0 labels: app.kubernetes.io/name: airlock-microgateway-operator app.kubernetes.io/version: 4.3.0 name: denyrules.microgateway.airlock.com spec: group: microgateway.airlock.com names: categories: - airlock-microgateway kind: DenyRules listKind: DenyRulesList plural: denyrules singular: denyrules scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: |- DenyRules configures request filtering using Airlock built-in and custom deny rules. Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application. To handle possible false positives, lower the security level or define fine-granular deny rule exceptions If undefined, default settings are applied, designed to work with most upstream web application services. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: Specification of the desired deny rules behavior. properties: request: description: Request configures deny rules for downstream requests. properties: builtIn: description: BuiltIn configures the built-in deny rules. properties: exceptions: description: Exceptions allows to define exceptions for specific requests and deny rules. items: description: |- DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). At least one of blockedData and requestConditions must be set. properties: blockedData: description: BlockedData defines an exception based on the request data causing the block. properties: graphQL: description: |- GraphQL defines an exception based on a blocked GraphQL query. Only one of parameter, header, path, pathSegment, json or graphQL can be set. properties: argument: description: |- Argument defines an argument of a field of the GraphQL query. At least one of field, argument and value must be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object field: description: |- Field defines a field of the GraphQL query. At least one of field, argument and value must be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: |- Value defines the value of an argument of the GraphQL query. At least one of field, argument and value must be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object header: description: |- Header defines an exception based on a blocked header. Only one of parameter, header, path, pathSegment, json or graphQL can be set. properties: name: description: Name defines the name of a header. properties: matcher: description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: Value defines the value of a header. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object json: description: |- JSON defines an exception based on a blocked JSON property. Only one of parameter, header, path, pathSegment, json or graphQL can be set. properties: jsonPath: description: |- JSONPath defines the JSONPath pattern to match the path within the JSON. Expressions in JSONPath i.e. `?(expr)` are not supported. minLength: 1 type: string key: description: |- Key defines the key of the JSON property. At most one of key and value can be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: |- Value defines the value of the JSON property. At most one of key and value can be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object parameter: description: |- Parameter defines an exception based on a blocked parameter. Only one of parameter, header, path, pathSegment, json or graphQL can be set. properties: name: description: Name defines the name of a parameter. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object source: default: Any description: Source defines the source of the parameter. enum: - Query - Post - Any type: string value: description: Value defines the value of a parameter. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object path: description: |- Path defines an exception based on the blocked path. Only one of parameter, header, path, pathSegment, json or graphQL can be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object pathSegment: description: |- PathSegment defines an exception based on a blocked path segment. Only one of parameter, header, path, pathSegment, json or graphQL can be set. properties: segments: description: Segments defines the position of a segment within the path. properties: index: description: Index specifies an exact path segment position by index (0-based). minimum: 0 type: integer type: object value: description: Value defines the value of a path segment. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object type: object requestConditions: description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. properties: header: description: Header defines the matching headers of a request. properties: name: description: Name defines the name of a header. properties: matcher: description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: Value defines the value of a header. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object invert: default: false description: Invert indicates whether the request condition should be inverted. type: boolean mediaType: description: MediaType defines the matching media type from the content-type header of a request. properties: matcher: description: |- NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object method: description: Method defines the matching methods of a request. items: description: Method defines common HTTP methods. enum: - GET - HEAD - POST - PUT - PATCH - DELETE - CONNECT - OPTIONS - TRACE type: string type: array path: description: Path defines the matching path of a request. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object remoteIP: description: RemoteIP defines the matching remote IPs of a request. properties: cidrRanges: description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. items: description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. format: cidr type: string minItems: 1 type: array invert: default: false description: Invert indicates whether the match should be inverted. type: boolean required: - cidrRanges type: object type: object ruleKeys: description: RuleKeys restricts the exception to a set of deny rules. items: description: |- A deny rule name can be any of the following values: ENCODING | EXPLOIT | HPP | HTML | IDOR | LDAP | NOSQL | OGNL | PHP | PROTOCOL | SANITY | SCANNING | SQL | TEMPLATE | UNIXCMD | WINCMD | XSS enum: - ENCODING - EXPLOIT - HPP - HTML - IDOR - LDAP - NOSQL - OGNL - PHP - PROTOCOL - SANITY - SCANNING - SQL - TEMPLATE - UNIXCMD - WINCMD - XSS type: string minItems: 1 type: array type: object type: array overrides: description: Overrides allows to override the builtIn settings for specific deny rules. items: description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. properties: conditions: description: Conditions select which built-in deny rules' settings will be adjusted. properties: ruleKeys: description: RuleKeys is a list of built-in deny rule names. items: description: |- A deny rule name can be any of the following values: ENCODING | EXPLOIT | HPP | HTML | IDOR | LDAP | NOSQL | OGNL | PHP | PROTOCOL | SANITY | SCANNING | SQL | TEMPLATE | UNIXCMD | WINCMD | XSS enum: - ENCODING - EXPLOIT - HPP - HTML - IDOR - LDAP - NOSQL - OGNL - PHP - PROTOCOL - SANITY - SCANNING - SQL - TEMPLATE - UNIXCMD - WINCMD - XSS type: string minItems: 1 type: array types: description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. items: description: |- A deny rule override type name can be any of the following values: Header | Parameter | Path | JSON | GraphQL enum: - Header - Parameter - Path - PathSegment - JSON - GraphQL type: string minItems: 0 type: array type: object settings: description: Settings override the corresponding properties for the selected rules. properties: level: description: Level specifies the filter strength. enum: - Unfiltered - Basic - Standard - Strict type: string threatHandlingMode: description: ThreatHandlingMode specifies how threats should be handled. enum: - Block - LogOnly type: string type: object type: object type: array settings: description: Settings contains the keys which will be adjusted. properties: level: default: Standard description: Level represents a set of deny rules with different filter strengths. enum: - Unfiltered - Basic - Standard - Strict type: string threatHandlingMode: default: Block description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. enum: - Block - LogOnly type: string type: object type: object custom: description: Custom allows configuring additional deny rules. properties: rules: description: Rules defines list of additional deny rules. items: properties: blockData: description: BlockData specifies the request data which should cause a block. properties: graphQL: description: |- GraphQL specifies to block requests containing a matching GraphQL property. At least one of field, argument and value must be set. properties: argument: description: |- Argument defines an argument of a field of the GraphQL query. At least one of field, argument and value must be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object field: description: |- Field defines a field of the GraphQL query. At least one of field, argument and value must be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: |- Value defines the value of an argument of the GraphQL query. At least one of field, argument and value must be set. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object header: description: |- Header specifies to block requests containing a matching header. Only one of parameter, header, path, pathSegment or json can be set. properties: name: description: Name defines the name of a header. properties: matcher: description: |- NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: Value defines the value of a header. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object json: description: |- JSON specifies to block requests containing a matching JSON property in the body. Only one of parameter, header, path, pathSegment or json can be set. properties: key: description: Key defines the key of a JSON object. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: Value defines the value of a JSON object. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object parameter: description: |- Parameter specifies to block requests containing a matching parameter. Only one of parameter, header, path, pathSegment or json can be set. properties: name: description: Name defines the name of a parameter. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: Value defines the value of a parameter. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object path: description: |- Path specifies to block requests with a matching path. Only one of parameter, header, path, pathSegment or json can be set. properties: matcher: description: Matcher specifies which path to block. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object pathSegment: description: |- PathSegment specifies to block requests containing a matching path segment. Only one of parameter, header, path, pathSegment or json can be set. properties: segments: description: |- Segments restricts which path segments are filtered by this rule. If not specified, all segments of a path are filtered. properties: index: description: Index restricts the rule to the path segment at this index (0-based). minimum: 0 type: integer type: object value: description: Value specifies which path segment values to block. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object required: - value type: object type: object requestConditions: description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. properties: header: description: Header defines the matching headers of a request. properties: name: description: Name defines the name of a header. properties: matcher: description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object value: description: Value defines the value of a header. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object type: object invert: default: false description: Invert indicates whether the request condition should be inverted. type: boolean mediaType: description: MediaType defines the matching media type from the content-type header of a request. properties: matcher: description: |- NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object method: description: Method defines the matching methods of a request. items: description: Method defines common HTTP methods. enum: - GET - HEAD - POST - PUT - PATCH - DELETE - CONNECT - OPTIONS - TRACE type: string type: array path: description: Path defines the matching path of a request. properties: matcher: description: StringMatcher defines the way to match a string. properties: contains: description: |- Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string exact: description: |- Exact defines an explicit match on the string specified here. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string ignoreCase: default: false description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. type: boolean prefix: description: |- Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string regex: description: |- Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string suffix: description: |- Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. Only one of exact, prefix, suffix, regex or contains can be set. minLength: 1 type: string type: object required: - matcher type: object remoteIP: description: RemoteIP defines the matching remote IPs of a request. properties: cidrRanges: description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. items: description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. format: cidr type: string minItems: 1 type: array invert: default: false description: Invert indicates whether the match should be inverted. type: boolean required: - cidrRanges type: object type: object ruleKey: description: RuleKey defines a technical key for the deny rule. Must be unique. minLength: 1 pattern: ^[A-Z][A-Z0-9_]*$ type: string threatHandlingMode: default: Block description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. enum: - Block - LogOnly type: string required: - blockData - ruleKey type: object type: array x-kubernetes-list-map-keys: - ruleKey x-kubernetes-list-type: map type: object type: object type: object type: object served: true storage: true subresources: {}