Skip to content
You are viewing the latest documentation for Solo Enterprise for kgateway. To access the documentation for older versions, use the version switcher.

Web Application Firewall (WAF) API

Page as Markdown

Review the Solo Enterprise WAF API reference docs.

Packages

waf.solo.io/v1alpha1

Resource Types

ConfigMapRef

ConfigMapRef contains a reference to a ConfigMap, and optionally specific keys within the ConfigMap.

Appears in:

FieldDescriptionDefaultValidation
name stringName is the name of the ConfigMap.Required: {}
namespace stringNamespace is the namespace of the ConfigMap.Required: {}
keys string arrayKeys is a list of keys to use from the ConfigMap.
If not set, the values of all keys in the ConfigMap will be used, in lexicographic order by key.
MinItems: 1
Optional: {}

CoreRuleSet

CoreRuleSet specifies custom settings for the OWASP CoreRuleSet.

Appears in:

FieldDescriptionDefaultValidation
settings DirectiveSourceSettings are settings that apply to the CoreRuleSet.
For an example Coraza-compatible CoreRuleSet settings file, see: https://github.com/corazawaf/coraza-coreruleset/blob/v4.23.0/rules/%40crs-setup.conf.example
ExactlyOneOf: [inline configMap]
Required: {}

CustomInterventionResponse

CustomInterventionResponse defines the response returned when WAF blocks a request or response.

Appears in:

FieldDescriptionDefaultValidation
statusCode integerStatusCode overrides the HTTP status code returned when WAF blocks a request or response.
If not set, the status code defined by the triggered WAF rule is used.
Maximum: 599
Minimum: 100
Optional: {}
headers CustomInterventionResponseHeadersHeaders sets the response headers returned when WAF blocks a request or response.
If not set, no header modifications are made.
Optional: {}
body stringBody overrides the response body returned when WAF blocks a request or response.
If not set, the response body is empty.
Optional: {}

CustomInterventionResponseHeader

CustomInterventionResponseHeader defines a single header returned when WAF blocks a request.

Appears in:

FieldDescriptionDefaultValidation
name stringName is the header name.MinLength: 1
Required: {}
value stringValue is the header value.Required: {}

CustomInterventionResponseHeaders

CustomInterventionResponseHeaders defines headers returned when WAF blocks a request.

Appears in:

FieldDescriptionDefaultValidation
setHeaders CustomInterventionResponseHeader arraySetHeaders is the list of headers to set on the response.MaxItems: 32
Optional: {}

DirectiveSource

DirectiveSource is a set of directives (e.g. rules or settings) to provide to the WAF engine.

Validation:

  • ExactlyOneOf: [inline configMap]

Appears in:

FieldDescriptionDefaultValidation
inline stringInline specifies custom directives as an inline string.Optional: {}
configMap ConfigMapRefConfigMap is a reference to a ConfigMap containing custom directives.Optional: {}

ProcessingConfig

ProcessingConfig configures how request and response traffic is inspected by WAF.

Appears in:

FieldDescriptionDefaultValidation
request RequestProcessingConfigRequest configures how request traffic is inspected by WAF.
If not set, defaults to inspect headers only.
Optional: {}
response ResponseProcessingConfigResponse configures how response traffic is inspected by WAF.
If not set, defaults to inspect headers only.
Optional: {}

RequestProcessingConfig

RequestProcessingConfig configures how request traffic is inspected by WAF.

Appears in:

FieldDescriptionDefaultValidation
mode RequestProcessingModeMode controls which parts of a request are inspected by WAF.
If not set, defaults to Headers.
Enum: [Headers HeadersAndBody]
Optional: {}

RequestProcessingMode

Underlying type: string

Validation:

  • Enum: [Headers HeadersAndBody]

Appears in:

FieldDescription
HeadersRequestProcessingModeHeaders configures the WAF server to inspect request headers
HeadersAndBodyRequestProcessingModeHeadersAndBody configures the WAF server to inspect request headers and body

ResponseProcessingConfig

ResponseProcessingConfig configures how response traffic is inspected by WAF.

Appears in:

FieldDescriptionDefaultValidation
mode ResponseProcessingModeMode controls which parts of a response are inspected by WAF.
If not set, defaults to Headers.
Enum: [None Headers HeadersAndBody]
Optional: {}

ResponseProcessingMode

Underlying type: string

Validation:

  • Enum: [None Headers HeadersAndBody]

Appears in:

FieldDescription
NoneResponseProcessingModeNone configures the WAF server to not inspect the response at all
HeadersResponseProcessingModeHeaders configures the WAF server to inspect response headers
HeadersAndBodyResponseProcessingModeHeadersAndBody configures the WAF server to inspect response headers and body

WAFPolicy

WAFPolicy contains Web Application Firewall configuration that can be applied to one or more routes. This configuration is consumed by an External Processing Server that all WAF-enabled traffic will pass through. If using the bundled WAF extproc server, all configuration provided in the WAFPolicy must be supported by the Coraza WAF engine.

Inherits fields from:

WAFPolicySpec

WAFPolicySpec contains Web Application Firewall configuration.

Appears in:

FieldDescriptionDefaultValidation
coreRuleSet CoreRuleSetCoreRuleSet contains settings for the OWASP CoreRuleSet.
If set, then the OWASP CoreRuleSet rules will be loaded.
The bundled WAF extproc server uses the v4 CoreRuleSet rules.
Optional: {}
ruleEngineSettings DirectiveSourceRuleEngineSettings are settings to configure the WAF rule engine.
For an example Coraza-compatible rule engine settings file, see: https://github.com/corazawaf/coraza-coreruleset/blob/v4.23.0/rules/%40coraza.conf-recommended
ExactlyOneOf: [inline configMap]
Required: {}
processingConfig ProcessingConfigProcessingConfig configures how request and response traffic is inspected by WAF.
If not set, request headers and response headers will be inspected.
Optional: {}
customDirectives DirectiveSource arrayCustomDirectives is a list of custom directives to apply.
Custom directives will be applied after the CoreRuleSet rules and settings (if enabled) and WAF rule engine settings,
and can be used to modify/exclude CoreRuleSet rules or add custom rules, for example.
ExactlyOneOf: [inline configMap]
MaxItems: 16
MinItems: 1
Optional: {}
customInterventionResponse CustomInterventionResponseCustomInterventionResponse is a custom response to send when a request is blocked by WAF.
If not set, returns the status code defined by the WAF rule that was triggered.
Optional: {}

WAFPolicyStatus

WAFPolicyStatus contains WAF server acceptance status and per-ancestor (traffic policy) attachment status.

Appears in:

FieldDescriptionDefaultValidation
conditions Condition arrayConditions contains information about WAF server acceptance of the WAFPolicy.Optional: {}
ancestors PolicyAncestorStatus arrayAncestors contains attachment information for referencing resources.MaxItems: 16
Optional: {}

Shared Types

The following types are defined in the shared package and used across multiple APIs.

PolicyAncestorStatus

FieldTypeDescription
ancestorRefgwv1.ParentReferenceAncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. Required.
controllerNamestringControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. Required.
conditions[]metav1.ConditionConditions describes the status of the Policy with respect to the given Ancestor.
Was this page helpful?