1805 lines
135 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.15.0
  labels:
    app.kubernetes.io/name: airlock-microgateway-operator
    app.kubernetes.io/version: 4.3.0
  name: denyrules.microgateway.airlock.com
spec:
  group: microgateway.airlock.com
  names:
    categories:
    - airlock-microgateway
    kind: DenyRules
    listKind: DenyRulesList
    plural: denyrules
    singular: denyrules
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: |-
          DenyRules configures request filtering using Airlock built-in and custom deny rules.
          Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application.
          To handle possible false positives, lower the security level or define fine-granular deny rule exceptions
          If undefined, default settings are applied, designed to work with most upstream web application services.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: Specification of the desired deny rules behavior.
            properties:
              request:
                description: Request configures deny rules for downstream requests.
                properties:
                  builtIn:
                    description: BuiltIn configures the built-in deny rules.
                    properties:
                      exceptions:
                        description: Exceptions allows to define exceptions for specific requests and deny rules.
                        items:
                          description: |-
                            DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked).
                            At least one of blockedData and requestConditions must be set.
                          properties:
                            blockedData:
                              description: BlockedData defines an exception based on the request data causing the block.
                              properties:
                                graphQL:
                                  description: |-
                                    GraphQL defines an exception based on a blocked GraphQL query.
                                    Only one of parameter, header, path, pathSegment, json or graphQL can be set.
                                  properties:
                                    argument:
                                      description: |-
                                        Argument defines an argument of a field of the GraphQL query.
                                        At least one of field, argument and value must be set.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                    field:
                                      description: |-
                                        Field defines a field of the GraphQL query.
                                        At least one of field, argument and value must be set.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                    value:
                                      description: |-
                                        Value defines the value of an argument of the GraphQL query.
                                        At least one of field, argument and value must be set.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                  type: object
                                header:
                                  description: |-
                                    Header defines an exception based on a blocked header.
                                    Only one of parameter, header, path, pathSegment, json or graphQL can be set.
                                  properties:
                                    name:
                                      description: Name defines the name of a header.
                                      properties:
                                        matcher:
                                          description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                    value:
                                      description: Value defines the value of a header.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                  type: object
                                json:
                                  description: |-
                                    JSON defines an exception based on a blocked JSON property.
                                    Only one of parameter, header, path, pathSegment, json or graphQL can be set.
                                  properties:
                                    jsonPath:
                                      description: |-
                                        JSONPath defines the JSONPath pattern to match the path within the JSON.
                                        Expressions in JSONPath i.e. `?(expr)` are not supported.
                                      minLength: 1
                                      type: string
                                    key:
                                      description: |-
                                        Key defines the key of the JSON property.
                                        At most one of key and value can be set.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                    value:
                                      description: |-
                                        Value defines the value of the JSON property.
                                        At most one of key and value can be set.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                  type: object
                                parameter:
                                  description: |-
                                    Parameter defines an exception based on a blocked parameter.
                                    Only one of parameter, header, path, pathSegment, json or graphQL can be set.
                                  properties:
                                    name:
                                      description: Name defines the name of a parameter.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                    source:
                                      default: Any
                                      description: Source defines the source of the parameter.
                                      enum:
                                      - Query
                                      - Post
                                      - Any
                                      type: string
                                    value:
                                      description: Value defines the value of a parameter.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                  type: object
                                path:
                                  description: |-
                                    Path defines an exception based on the blocked path.
                                    Only one of parameter, header, path, pathSegment, json or graphQL can be set.
                                  properties:
                                    matcher:
                                      description: StringMatcher defines the way to match a string.
                                      properties:
                                        contains:
                                          description: |-
                                            Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        exact:
                                          description: |-
                                            Exact defines an explicit match on the string specified here.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        ignoreCase:
                                          default: false
                                          description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                          type: boolean
                                        prefix:
                                          description: |-
                                            Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        regex:
                                          description: |-
                                            Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                            The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        suffix:
                                          description: |-
                                            Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                      type: object
                                  required:
                                  - matcher
                                  type: object
                                pathSegment:
                                  description: |-
                                    PathSegment defines an exception based on a blocked path segment.
                                    Only one of parameter, header, path, pathSegment, json or graphQL can be set.
                                  properties:
                                    segments:
                                      description: Segments defines the position of a segment within the path.
                                      properties:
                                        index:
                                          description: Index specifies an exact path segment position by index (0-based).
                                          minimum: 0
                                          type: integer
                                      type: object
                                    value:
                                      description: Value defines the value of a path segment.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                  type: object
                              type: object
                            requestConditions:
                              description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked.
                              properties:
                                header:
                                  description: Header defines the matching headers of a request.
                                  properties:
                                    name:
                                      description: Name defines the name of a header.
                                      properties:
                                        matcher:
                                          description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                    value:
                                      description: Value defines the value of a header.
                                      properties:
                                        matcher:
                                          description: StringMatcher defines the way to match a string.
                                          properties:
                                            contains:
                                              description: |-
                                                Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            exact:
                                              description: |-
                                                Exact defines an explicit match on the string specified here.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            ignoreCase:
                                              default: false
                                              description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                              type: boolean
                                            prefix:
                                              description: |-
                                                Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            regex:
                                              description: |-
                                                Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                                The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                            suffix:
                                              description: |-
                                                Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                                Only one of exact, prefix, suffix, regex or contains can be set.
                                              minLength: 1
                                              type: string
                                          type: object
                                      required:
                                      - matcher
                                      type: object
                                  type: object
                                invert:
                                  default: false
                                  description: Invert indicates whether the request condition should be inverted.
                                  type: boolean
                                mediaType:
                                  description: MediaType defines the matching media type from the content-type header of a request.
                                  properties:
                                    matcher:
                                      description: |-
                                        NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
                                        In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
                                      properties:
                                        contains:
                                          description: |-
                                            Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        exact:
                                          description: |-
                                            Exact defines an explicit match on the string specified here.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        prefix:
                                          description: |-
                                            Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        regex:
                                          description: |-
                                            Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                            The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        suffix:
                                          description: |-
                                            Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                      type: object
                                  required:
                                  - matcher
                                  type: object
                                method:
                                  description: Method defines the matching methods of a request.
                                  items:
                                    description: Method defines common HTTP methods.
                                    enum:
                                    - GET
                                    - HEAD
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - CONNECT
                                    - OPTIONS
                                    - TRACE
                                    type: string
                                  type: array
path:
description: Path defines the matching path of a request.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
remoteIP:
description: RemoteIP defines the matching remote IPs of a request.
properties:
cidrRanges:
description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
items:
description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
format: cidr
type: string
minItems: 1
type: array
invert:
default: false
description: Invert indicates whether the match should be inverted.
type: boolean
required:
- cidrRanges
type: object
type: object
ruleKeys:
description: RuleKeys restricts the exception to a set of deny rules.
items:
description: |-
A deny rule name can be any of the following values:
ENCODING |
EXPLOIT |
HPP |
HTML |
IDOR |
LDAP |
NOSQL |
OGNL |
PHP |
PROTOCOL |
SANITY |
SCANNING |
SQL |
TEMPLATE |
UNIXCMD |
WINCMD |
XSS
enum:
- ENCODING
- EXPLOIT
- HPP
- HTML
- IDOR
- LDAP
- NOSQL
- OGNL
- PHP
- PROTOCOL
- SANITY
- SCANNING
- SQL
- TEMPLATE
- UNIXCMD
- WINCMD
- XSS
type: string
minItems: 1
type: array
type: object
type: array
overrides:
description: Overrides allows to override the builtIn settings for specific deny rules.
items:
description: DenyRulesOverride allows to override the builtIn settings for specific deny rules.
properties:
conditions:
description: Conditions select which built-in deny rules' settings will be adjusted.
properties:
ruleKeys:
description: RuleKeys is a list of built-in deny rule names.
items:
description: |-
A deny rule name can be any of the following values:
ENCODING |
EXPLOIT |
HPP |
HTML |
IDOR |
LDAP |
NOSQL |
OGNL |
PHP |
PROTOCOL |
SANITY |
SCANNING |
SQL |
TEMPLATE |
UNIXCMD |
WINCMD |
XSS
enum:
- ENCODING
- EXPLOIT
- HPP
- HTML
- IDOR
- LDAP
- NOSQL
- OGNL
- PHP
- PROTOCOL
- SANITY
- SCANNING
- SQL
- TEMPLATE
- UNIXCMD
- WINCMD
- XSS
type: string
minItems: 1
type: array
types:
description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules.
items:
description: |-
A deny rule override type name can be any of the following values:
Header |
Parameter |
Path |
PathSegment |
JSON |
GraphQL
enum:
- Header
- Parameter
- Path
- PathSegment
- JSON
- GraphQL
type: string
minItems: 0
type: array
type: object
settings:
description: Settings override the corresponding properties for the selected rules.
properties:
level:
description: Level specifies the filter strength.
enum:
- Unfiltered
- Basic
- Standard
- Strict
type: string
threatHandlingMode:
description: ThreatHandlingMode specifies how threats should be handled.
enum:
- Block
- LogOnly
type: string
type: object
type: object
type: array
settings:
description: Settings contains the keys which will be adjusted.
properties:
level:
default: Standard
description: Level represents a set of deny rules with different filter strengths.
enum:
- Unfiltered
- Basic
- Standard
- Strict
type: string
threatHandlingMode:
default: Block
description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches.
enum:
- Block
- LogOnly
type: string
type: object
type: object
custom:
description: Custom allows configuring additional deny rules.
properties:
rules:
description: Rules defines list of additional deny rules.
items:
properties:
blockData:
description: BlockData specifies the request data which should cause a block.
properties:
graphQL:
description: |-
GraphQL specifies to block requests containing a matching GraphQL property.
At least one of field, argument and value must be set.
properties:
argument:
description: |-
Argument defines an argument of a field of the GraphQL query.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
field:
description: |-
Field defines a field of the GraphQL query.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: |-
Value defines the value of an argument of the GraphQL query.
At least one of field, argument and value must be set.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
header:
description: |-
Header specifies to block requests containing a matching header.
Only one of parameter, header, path, pathSegment or json can be set.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
json:
description: |-
JSON specifies to block requests containing a matching JSON property in the body.
Only one of parameter, header, path, pathSegment or json can be set.
properties:
key:
description: Key defines the key of a JSON object.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a JSON object.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
parameter:
description: |-
Parameter specifies to block requests containing a matching parameter.
Only one of parameter, header, path, pathSegment or json can be set.
properties:
name:
description: Name defines the name of a parameter.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a parameter.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
path:
description: |-
Path specifies to block requests with a matching path.
Only one of parameter, header, path, pathSegment or json can be set.
properties:
matcher:
description: Matcher specifies which path to block.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
pathSegment:
description: |-
PathSegment specifies to block requests containing a matching path segment.
Only one of parameter, header, path, pathSegment or json can be set.
properties:
segments:
description: |-
Segments restricts which path segments are filtered by this rule.
If not specified, all segments of a path are filtered.
properties:
index:
description: Index restricts the rule to the path segment at this index (0-based).
minimum: 0
type: integer
type: object
value:
description: Value specifies which path segment values to block.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
required:
- value
type: object
type: object
requestConditions:
description: RequestConditions defines additional request properties which must be matched in order for this rule to apply.
properties:
header:
description: Header defines the matching headers of a request.
properties:
name:
description: Name defines the name of a header.
properties:
matcher:
description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
value:
description: Value defines the value of a header.
properties:
matcher:
description: StringMatcher defines the way to match a string.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
ignoreCase:
default: false
description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
type: boolean
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
type: object
invert:
default: false
description: Invert indicates whether the request condition should be inverted.
type: boolean
mediaType:
description: MediaType defines the matching media type from the content-type header of a request.
properties:
matcher:
description: |-
NonInvertableCaseInsensitiveStringMatcher defines the way to match a string.
In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted.
properties:
contains:
description: |-
Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
exact:
description: |-
Exact defines an explicit match on the string specified here.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
prefix:
description: |-
Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
regex:
description: |-
Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
suffix:
description: |-
Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
Only one of exact, prefix, suffix, regex or contains can be set.
minLength: 1
type: string
type: object
required:
- matcher
type: object
                                method:
                                  description: Method defines the matching methods of a request.
                                  items:
                                    description: Method defines common HTTP methods.
                                    enum:
                                    - GET
                                    - HEAD
                                    - POST
                                    - PUT
                                    - PATCH
                                    - DELETE
                                    - CONNECT
                                    - OPTIONS
                                    - TRACE
                                    type: string
                                  type: array
                                path:
                                  description: Path defines the matching path of a request.
                                  properties:
                                    matcher:
                                      description: StringMatcher defines the way to match a string.
                                      properties:
                                        contains:
                                          description: |-
                                            Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        exact:
                                          description: |-
                                            Exact defines an explicit match on the string specified here.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        ignoreCase:
                                          default: false
                                          description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`.
                                          type: boolean
                                        prefix:
                                          description: |-
                                            Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        regex:
                                          description: |-
                                            Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used.
                                            The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                        suffix:
                                          description: |-
                                            Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead.
                                            Only one of exact, prefix, suffix, regex or contains can be set.
                                          minLength: 1
                                          type: string
                                      type: object
                                  required:
                                  - matcher
                                  type: object
                                remoteIP:
                                  description: RemoteIP defines the matching remote IPs of a request.
                                  properties:
                                    cidrRanges:
                                      description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``.
                                      items:
                                        description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“.
                                        format: cidr
                                        type: string
                                      minItems: 1
                                      type: array
                                    invert:
                                      default: false
                                      description: Invert indicates whether the match should be inverted.
                                      type: boolean
                                  required:
                                  - cidrRanges
                                  type: object
                              type: object
                            ruleKey:
                              description: RuleKey defines a technical key for the deny rule. Must be unique.
                              minLength: 1
                              pattern: ^[A-Z][A-Z0-9_]*$
                              type: string
                            threatHandlingMode:
                              default: Block
                              description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches.
                              enum:
                              - Block
                              - LogOnly
                              type: string
                          required:
                          - blockData
                          - ruleKey
                          type: object
                        type: array
                        x-kubernetes-list-map-keys:
                        - ruleKey
                        x-kubernetes-list-type: map
                    type: object
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources: {}