Web Application Firewall (WAF) API
Review the Solo Enterprise WAF API reference docs.
Packages
waf.solo.io/v1alpha1
Resource Types
ConfigMapRef
ConfigMapRef contains a reference to a ConfigMap, and optionally specific keys within the ConfigMap.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
name string | Name is the name of the ConfigMap. | Required: {} | |
namespace string | Namespace is the namespace of the ConfigMap. | Required: {} | |
keys string array | Keys is a list of keys to use from the ConfigMap. If not set, the values of all keys in the ConfigMap will be used, in lexicographic order by key. | MinItems: 1 Optional: {} |
CoreRuleSet
CoreRuleSet specifies custom settings for the OWASP CoreRuleSet.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
settings DirectiveSource | Settings are settings that apply to the CoreRuleSet. For an example Coraza-compatible CoreRuleSet settings file, see: https://github.com/corazawaf/coraza-coreruleset/blob/v4.23.0/rules/%40crs-setup.conf.example | ExactlyOneOf: [inline configMap] Required: {} |
CustomInterventionResponse
CustomInterventionResponse defines the response returned when WAF blocks a request or response.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
statusCode integer | StatusCode overrides the HTTP status code returned when WAF blocks a request or response. If not set, the status code defined by the triggered WAF rule is used. | Maximum: 599 Minimum: 100 Optional: {} | |
headers CustomInterventionResponseHeaders | Headers sets the response headers returned when WAF blocks a request or response. If not set, no header modifications are made. | Optional: {} | |
body string | Body overrides the response body returned when WAF blocks a request or response. If not set, the response body is empty. | Optional: {} |
CustomInterventionResponseHeader
CustomInterventionResponseHeader defines a single header returned when WAF blocks a request.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
name string | Name is the header name. | MinLength: 1 Required: {} | |
value string | Value is the header value. | Required: {} |
CustomInterventionResponseHeaders
CustomInterventionResponseHeaders defines headers returned when WAF blocks a request.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
setHeaders CustomInterventionResponseHeader array | SetHeaders is the list of headers to set on the response. | MaxItems: 32 Optional: {} |
DirectiveSource
DirectiveSource is a set of directives (e.g. rules or settings) to provide to the WAF engine.
Validation:
- ExactlyOneOf: [inline configMap]
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
inline string | Inline specifies custom directives as an inline string. | Optional: {} | |
configMap ConfigMapRef | ConfigMap is a reference to a ConfigMap containing custom directives. | Optional: {} |
ProcessingConfig
ProcessingConfig configures how request and response traffic is inspected by WAF.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
request RequestProcessingConfig | Request configures how request traffic is inspected by WAF. If not set, defaults to inspect headers only. | Optional: {} | |
response ResponseProcessingConfig | Response configures how response traffic is inspected by WAF. If not set, defaults to inspect headers only. | Optional: {} |
RequestProcessingConfig
RequestProcessingConfig configures how request traffic is inspected by WAF.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
mode RequestProcessingMode | Mode controls which parts of a request are inspected by WAF. If not set, defaults to Headers. | Enum: [Headers HeadersAndBody] Optional: {} |
RequestProcessingMode
Underlying type: string
Validation:
- Enum: [Headers HeadersAndBody]
Appears in:
| Field | Description |
|---|---|
Headers | RequestProcessingModeHeaders configures the WAF server to inspect request headers |
HeadersAndBody | RequestProcessingModeHeadersAndBody configures the WAF server to inspect request headers and body |
ResponseProcessingConfig
ResponseProcessingConfig configures how response traffic is inspected by WAF.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
mode ResponseProcessingMode | Mode controls which parts of a response are inspected by WAF. If not set, defaults to Headers. | Enum: [None Headers HeadersAndBody] Optional: {} |
ResponseProcessingMode
Underlying type: string
Validation:
- Enum: [None Headers HeadersAndBody]
Appears in:
| Field | Description |
|---|---|
None | ResponseProcessingModeNone configures the WAF server to not inspect the response at all |
Headers | ResponseProcessingModeHeaders configures the WAF server to inspect response headers |
HeadersAndBody | ResponseProcessingModeHeadersAndBody configures the WAF server to inspect response headers and body |
WAFPolicy
WAFPolicy contains Web Application Firewall configuration that can be applied to one or more routes. This configuration is consumed by an External Processing Server that all WAF-enabled traffic will pass through. If using the bundled WAF extproc server, all configuration provided in the WAFPolicy must be supported by the Coraza WAF engine.
Inherits fields from:
- TypeMeta
Field Description Default Validation apiVersionstringwaf.solo.io/v1alpha1kindstringWAFPolicykindstringKind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsOptional: {} apiVersionstringAPIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcesOptional: {} metadataObjectMetaRefer to Kubernetes API documentation for fields of metadata.Optional: {} specWAFPolicySpecSpec defines the desired state of the WAF policy Required: {} statusWAFPolicyStatusStatus is the status of the WAF policy Optional: {}
WAFPolicySpec
WAFPolicySpec contains Web Application Firewall configuration.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
coreRuleSet CoreRuleSet | CoreRuleSet contains settings for the OWASP CoreRuleSet. If set, then the OWASP CoreRuleSet rules will be loaded. The bundled WAF extproc server uses the v4 CoreRuleSet rules. | Optional: {} | |
ruleEngineSettings DirectiveSource | RuleEngineSettings are settings to configure the WAF rule engine. For an example Coraza-compatible rule engine settings file, see: https://github.com/corazawaf/coraza-coreruleset/blob/v4.23.0/rules/%40coraza.conf-recommended | ExactlyOneOf: [inline configMap] Required: {} | |
processingConfig ProcessingConfig | ProcessingConfig configures how request and response traffic is inspected by WAF. If not set, request headers and response headers will be inspected. | Optional: {} | |
customDirectives DirectiveSource array | CustomDirectives is a list of custom directives to apply. Custom directives will be applied after the CoreRuleSet rules and settings (if enabled) and WAF rule engine settings, and can be used to modify/exclude CoreRuleSet rules or add custom rules, for example. | ExactlyOneOf: [inline configMap] MaxItems: 16 MinItems: 1 Optional: {} | |
customInterventionResponse CustomInterventionResponse | CustomInterventionResponse is a custom response to send when a request is blocked by WAF. If not set, returns the status code defined by the WAF rule that was triggered. | Optional: {} |
WAFPolicyStatus
WAFPolicyStatus contains WAF server acceptance status and per-ancestor (traffic policy) attachment status.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
conditions Condition array | Conditions contains information about WAF server acceptance of the WAFPolicy. | Optional: {} | |
ancestors PolicyAncestorStatus array | Ancestors contains attachment information for referencing resources. | MaxItems: 16 Optional: {} |
Shared Types
The following types are defined in the shared package and used across multiple APIs.
PolicyAncestorStatus
| Field | Type | Description |
|---|---|---|
ancestorRef | gwv1.ParentReference | AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. Required. |
controllerName | string | ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: “example.net/gateway-controller”. The format of this field is DOMAIN “/” PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. Required. |
conditions | []metav1.Condition | Conditions describes the status of the Policy with respect to the given Ancestor. |