API Reference
Packages:
waap.core.u-s-p.ch/v1alpha1
Resource Types:
CoreWaapService
Name | Type | Description | Required |
---|---|---|---|
apiVersion | string | waap.core.u-s-p.ch/v1alpha1 | true |
kind | string | CoreWaapService | true |
metadata | object | Refer to the Kubernetes API documentation for the fields of the `metadata` field. | true |
spec | object | | false |
status | object | | false |
CoreWaapService.spec
Name | Type | Description | Required |
---|---|---|---|
routes | []object | List of routes to backends (at least one route must be defined) | true |
authentications | []object | List of authentications (OpenID Connect / OAuth 2.0 clients and/or JWT validations) | false |
crs | object | OWASP Core Rule Set (CRS) settings (version 4.3.0) | false |
csrfPolicy | object | Global CSRF protection (default on). It detects and blocks CSRF attacks based on comparing the request origin (either 'Origin' or 'Referer' header) with the request target. If the origin does not match the target and is not allowed specifically, the request will be blocked. | false |
headerFiltering | object | Global header filtering (default is allow standard headers only) | false |
hostnames | []string | List of hostnames (append ports with ':', default is wildcard '*') | false |
nativeConfigPostProcessing | []string | JavaScripts for post-processing generated Envoy config | false |
operation | object | Operation related settings to be used for the Core WAAP Kubernetes deployment; these settings typically do not affect generated Envoy config (optional, except that the operation's image field must be set in the spec or via default in the operator config) [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity] | false |
originBlocking | object | Origin blocking | false |
webResources | object | Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content | false |
websocket | boolean | Allow websocket. Default: false | false |
CoreWaapService.spec.routes[index]
Name | Type | Description | Required |
---|---|---|---|
backend | object | Backend | true |
match | object | Matching criteria | true |
auth | object | Authentication | false |
autoHostRewrite | boolean | Indicates that during forwarding, the host header will be swapped with the hostname of the upstream host. Default: true | false |
crs | object | CRS settings per route | false |
CoreWaapService.spec.routes[index].backend
Backend
Name | Type | Description | Required |
---|---|---|---|
address | string | Backend hostname or IP | true |
port | integer | Backend port number. Minimum: 1. Maximum: 65535 | true |
protocol | object | Protocol | false |
tls | object | TLS | false |
CoreWaapService.spec.routes[index].backend.protocol
Protocol
Name | Type | Description | Required |
---|---|---|---|
selection | enum | Selection of upstream protocol (h2 uses HTTP/2, h1 uses HTTP/1.1, auto negotiates the protocol using ALPN (requires TLS) with HTTP/2 preferred and HTTP/1.1 as fallback). Enum: auto, h1, h2. Default: h2 | false |
CoreWaapService.spec.routes[index].backend.tls
TLS
Name | Type | Description | Required |
---|---|---|---|
checkCertificates | boolean | Check trusted certificates and SAN. Default: true | false |
enabled | boolean | Enable TLS. Default: false | false |
CoreWaapService.spec.routes[index].match
Matching criteria
Name | Type | Description | Required |
---|---|---|---|
path | string | Path (depending on pathType either a regex or a prefix) | true |
filters | object | Filters | false |
headers | []object | List of header matchers (logical AND between header matchers and with path) | false |
pathType | enum | Path type. Enum: PREFIX, REGEX. Default: REGEX | false |
CoreWaapService.spec.routes[index].match.filters
Filters
Name | Type | Description | Required |
---|---|---|---|
allowedMethods | []enum | Allowed HTTP methods (all methods allowed if not specified) | false |
originBlocking | object | Origin blocking | false |
rewrite | object | Rewrite request | false |
CoreWaapService.spec.routes[index].match.filters.originBlocking
Origin blocking
Name | Type | Description | Required |
---|---|---|---|
ips | []string | Allowed or denied IP addresses (CIDR notation or single IP, e.g. 1.2.3.4/32 or 1.2.3.4) | true |
policy | enum | Policy (ALLOW or DENY access depending on origin). Enum: ALLOW, DENY | true |
CoreWaapService.spec.routes[index].match.filters.rewrite
Rewrite request
Name | Type | Description | Required |
---|---|---|---|
url | object | URL to set upstream | false |
CoreWaapService.spec.routes[index].match.filters.rewrite.url
URL to set upstream
Name | Type | Description | Required |
---|---|---|---|
path | string | Path to rewrite (if regex path can use \1, \2 etc. to replace matched regex groups) | true |
CoreWaapService.spec.routes[index].match.headers[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Request header name | true |
value | string | Request header value (exact match of full string) | true |
CoreWaapService.spec.routes[index].auth
Authentication
Name | Type | Description | Required |
---|---|---|---|
ref | string | Reference to name of corresponding authentication setting | true |
CoreWaapService.spec.routes[index].crs
CRS settings per route
Name | Type | Description | Required |
---|---|---|---|
disabled | boolean | Whether to disable all CRS parsing for the route or not. Default: false | false |
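The route fields above combined in one manifest, as an added example that is not taken from the project's own documentation. Resource names, hostnames and IP ranges are constructed placeholders, and the spelling of the `allowedMethods` values is an assumption, since the page does not list that enum.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: example-waap                  # constructed name
spec:
  routes:
    # Route 1: administrative path, limited by method and source address,
    # with an encrypted and verified connection to the backend.
    - match:
        path: /admin/
        pathType: PREFIX              # default is REGEX, so a literal prefix must say so
        filters:
          allowedMethods: [GET, POST] # assumed enum spelling; omitted = all methods allowed
          originBlocking:
            policy: ALLOW
            ips:
              - 10.20.0.0/16          # CIDR notation
              - 192.0.2.10            # single IP
      backend:
        address: admin.internal.example
        port: 8443
        protocol:
          selection: auto             # ALPN negotiation, only valid together with TLS
        tls:
          enabled: true               # default is false: upstream traffic is plaintext unless set
          checkCertificates: true     # default; keeps trust-chain and SAN checks on

    # Route 2: regex match with a header matcher and a rewrite that reuses
    # the captured group. Path AND header must both match.
    - match:
        path: '/api/v1/(.*)'
        pathType: REGEX
        headers:
          - name: X-Api-Client
            value: mobile             # exact match of the full value
        filters:
          rewrite:
            url:
              path: '/internal/\1'    # \1 = first regex group of match.path
      backend:
        address: api.internal.example
        port: 8080
        protocol:
          selection: h1               # default is h2; an HTTP/1.1-only backend needs h1
      autoHostRewrite: false          # keep the client's Host header (default rewrites it)
```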
CoreWaapService.spec.authentications[index]
Name | Type | Description | Required |
---|---|---|---|
backend | object | Settings for propagation to backend | true |
jwksEndpoint | string | OIDC JWKS endpoint URL, offers credentials to verify JWTs (normally use https) | true |
name | string | Name to reference in routes | true |
audiences | []string | List of accepted JWT audiences (if none is specified the JWT is not matched against the audience list) | false |
authorizationEndpoint | string | OIDC OP authorization endpoint URL (omit to mark JWT-only authentication; note that tokenEndpoint and credentials must always also be defined resp. omitted accordingly) | false |
credentials | object | OIDC credentials (client_id and client_secret, omit if only using JWT validation) | false |
issuer | string | OIDC OP issuer (mandatory for OIDC authentication, optional if JWT-only authentication) | false |
scopes | []string | List of scopes to be claimed in the authorization request | false |
tokenEndpoint | string | OIDC OP token endpoint URL (omit if JWT-only authentication) | false |
tokenEndpointAuthType | enum | How to pass the client_id to the OP (BODY for URL-encoded body parameter, BASIC for basic auth). Enum: BASIC, BODY. Default: BODY | false |
useRefreshToken | boolean | Whether to allow automatic access token refresh using the associated refresh token. Default: false | false |
CoreWaapService.spec.authentications[index].backend
Settings for propagation to backend
Name | Type | Description | Required |
---|---|---|---|
forwardJwt | boolean | Whether to forward the JWT to the upstream server. Default: true | false |
jwtClaimToHeader | []object | Translations of JWT claims to HTTP headers | false |
CoreWaapService.spec.authentications[index].backend.jwtClaimToHeader[index]
Name | Type | Description | Required |
---|---|---|---|
claim | string | Claim to set as header | true |
headerName | string | Name of the header to set to the claim | true |
CoreWaapService.spec.authentications[index].credentials
OIDC credentials (client_id and client_secret, omit if only using JWT validation)
Name | Type | Description | Required |
---|---|---|---|
clientId | string | OIDC client_id | true |
clientSecret | string | OIDC client_secret by value (either this or clientSecretRef is mandatory) | false |
clientSecretRef | string | OIDC client_secret via reference to Kubernetes secret (recommended, either this or clientSecret is mandatory) | false |
hmacSecret | string | HMAC secret by value (either this or hmacSecretRef is mandatory) | false |
hmacSecretRef | string | HMAC secret via reference to Kubernetes secret (recommended, either this or hmacSecret is mandatory) | false |
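The two authentication variants described above (JWT-only validation and a full OIDC client), each bound to a route via `auth.ref`, as an added example that is not taken from the project's own documentation. All URLs, names and claim/header names are constructed; the values of `clientSecretRef` and `hmacSecretRef` assume the reference is written as the Secret's name, which the page does not specify.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: example-waap-auth             # constructed name
spec:
  authentications:
    # JWT-only: authorizationEndpoint, tokenEndpoint and credentials are
    # omitted together.
    - name: api-jwt
      jwksEndpoint: https://idp.example.com/.well-known/jwks.json
      issuer: https://idp.example.com/
      audiences:
        - orders-api                  # with no audiences listed, the audience is not checked
      backend:
        forwardJwt: false             # default true would pass the token on to the backend
        jwtClaimToHeader:
          - claim: sub
            headerName: X-Auth-Subject

    # OIDC client: authorizationEndpoint, tokenEndpoint, credentials and
    # issuer are defined together.
    - name: portal-oidc
      jwksEndpoint: https://idp.example.com/.well-known/jwks.json
      issuer: https://idp.example.com/
      authorizationEndpoint: https://idp.example.com/authorize
      tokenEndpoint: https://idp.example.com/token
      tokenEndpointAuthType: BASIC    # default is BODY
      scopes: [openid, profile]
      useRefreshToken: false
      credentials:
        clientId: portal
        clientSecretRef: portal-oidc-client   # assumed reference format
        hmacSecretRef: portal-oidc-hmac       # assumed reference format
      backend:
        forwardJwt: true

  routes:
    - match:
        path: /orders/
        pathType: PREFIX
      auth:
        ref: api-jwt                  # must equal authentications[].name
      backend:
        address: orders.internal.example
        port: 8080
    - match:
        path: /portal/
        pathType: PREFIX
      auth:
        ref: portal-oidc
      backend:
        address: portal.internal.example
        port: 8080
    - match:
        path: /public/
        pathType: PREFIX              # no auth block: route is served without authentication
      backend:
        address: static.internal.example
        port: 8080
```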
CoreWaapService.spec.crs
OWASP Core Rule Set (CRS) settings (version 4.3.0)
Name | Type | Description | Required |
---|---|---|---|
enabledRequestRules | []enum | Set of request rule classes (default is to include all rules, rules REQUEST_901_INITIALIZATION and REQUEST_949_BLOCKING_EVALUATION are always included, see https://github.com/coreruleset/coreruleset/tree/v4.3.0/rules for all configurable values, just replace '-' by '_' and omit '.conf') | false |
enabledResponseRules | []enum | Set of response rule classes (default is to include no rules, rules RESPONSE_959_BLOCKING_EVALUATION and RESPONSE_980_CORRELATION are always included, see https://github.com/coreruleset/coreruleset/tree/v4.3.0/rules for all configurable values, just replace '-' by '_' and omit '.conf') | false |
mode | enum | Mode (BLOCK = traffic identified as suspicious is blocked; DETECT = traffic identified as suspicious is logged but not blocked; DISABLED = traffic is not inspected). Enum: BLOCK, DETECT, DISABLED. Default: BLOCK | false |
paranoiaLevel | integer | Paranoia level (the higher the level the better the protection but also more likely false positives, see OWASP CRS for details). Default: 1. Minimum: 1. Maximum: 4 | false |
parseJson | boolean | Whether to apply CRS protection rules for JSON payloads or not. Default: true | false |
parseXml | boolean | Whether to apply CRS protection rules for XML payloads or not. Default: true | false |
requestBodyAccess | boolean | Whether to scan request bodies or not (if this setting is disabled, POST parameters and other content submitted in the request body will not be inspected). Default: true | false |
requestBodyAccessExceptions | []object | Request body parsing exceptions (locations to exclude from parsing, typically for file uploads) | false |
requestBodyLimitKb | integer | Request body limit in KB, body bytes beyond the limit are not parsed (max 1048576 KB (1 GB)). Default: 128. Minimum: 0. Maximum: 1048576 | false |
requestRuleExceptions | []object | Conditionally disable request rules to avoid false positive alerts/blocks | false |
responseBodyLimitKb | integer | Response body limit in KB, body bytes beyond the limit are not parsed. Default: 256. Minimum: 0. Maximum: 1048576 | false |
responseRuleExceptions | []object | Conditionally disable response rules to avoid false positive alerts/blocks | false |
securityLevel | integer | Defines under which conditions suspicious requests are blocked; only has an effect if the mode is set to BLOCK (security level 5 blocks already if 1 (or more) critical anomalies, 4 if 2, 3 if 3, 2 if 5, 1 if 10). Default: 5. Minimum: 1. Maximum: 5 | false |
validateJson | boolean | Special rule which checks the syntax of JSON requests (if the syntax is invalid and the current mode is BLOCK, such requests are blocked). Default: true | false |
CoreWaapService.spec.crs.requestBodyAccessExceptions[index]
Name | Type | Description | Required |
---|---|---|---|
location | string | Location for which to skip request body parsing | true |
methods | []enum | HTTP method(s) for which to skip request body parsing (at least one must be defined) | true |
regEx | boolean | Whether the location is indicated as a regex or not. Default: false | false |
CoreWaapService.spec.crs.requestRuleExceptions[index]
Name | Type | Description | Required |
---|---|---|---|
ruleId | integer | Rule ID | true |
location | string | Location | false |
metadata | object | Metadata (no impact on native config) | false |
regEx | boolean | Whether the location is indicated as a regex or not. Default: false | false |
requestPartName | string | Request part name (e.g. 'User-Agent') | false |
requestPartType | enum | Request part type. Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
CoreWaapService.spec.crs.requestRuleExceptions[index].metadata
Metadata (no impact on native config)
Name | Type | Description | Required |
---|---|---|---|
comment | string | Comment why the rule exception was added | false |
createdBy | string | By whom the rule exception was added | false |
date | string | Date when the rule exception was added | false |
CoreWaapService.spec.crs.responseRuleExceptions[index]
Name | Type | Description | Required |
---|---|---|---|
ruleId | integer | Rule ID | true |
location | string | Location | false |
metadata | object | Metadata (no impact on native config) | false |
regEx | boolean | Whether the location is indicated as a regex or not. Default: false | false |
requestPartName | string | Request part name (e.g. 'User-Agent') | false |
requestPartType | enum | Request part type. Enum: ARGS, ARGS_COMBINED_SIZE, ARGS_GET, ARGS_GET_NAMES, ARGS_NAMES, ARGS_POST, ARGS_POST_NAMES, AUTH_TYPE, DURATION, ENV, FILES, FILES_COMBINED_SIZE, FILES_NAMES, FILES_SIZES, FILES_TMPNAMES, FILES_TMP_CONTENT, FULL_REQUEST, FULL_REQUEST_LENGTH, GEO, HIGHEST_SEVERITY, INBOUND_DATA_ERROR, MATCHED_VAR, MATCHED_VARS, MATCHED_VARS_NAMES, MATCHED_VAR_NAME, MODSEC_BUILD, MULTIPART_CRLF_LF_LINES, MULTIPART_FILENAME, MULTIPART_NAME, MULTIPART_PART_HEADERS, MULTIPART_STRICT_ERROR, MULTIPART_UNMATCHED_BOUNDARY, OUTBOUND_DATA_ERROR, PATH_INFO, PERF_COMBINED, PERF_GC, PERF_LOGGING, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3, PERF_PHASE4, PERF_PHASE5, PERF_RULES, PERF_SREAD, PERF_SWRITE, QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, REMOTE_PORT, REMOTE_USER, REQBODY_ERROR, REQBODY_ERROR_MSG, REQBODY_PROCESSOR, REQUEST_BASENAME, REQUEST_BODY, REQUEST_BODY_LENGTH, REQUEST_COOKIES, REQUEST_COOKIES_NAMES, REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_HEADERS_NAMES, REQUEST_LINE, REQUEST_METHOD, REQUEST_PROTOCOL, REQUEST_URI, REQUEST_URI_RAW, RESPONSE_BODY, RESPONSE_CONTENT_LENGTH, RESPONSE_CONTENT_TYPE, RESPONSE_HEADERS, RESPONSE_HEADERS_NAMES, RESPONSE_PROTOCOL, RESPONSE_STATUS, RULE, SCRIPT_BASENAME, SCRIPT_FILENAME, SCRIPT_GID, SCRIPT_GROUPNAME, SCRIPT_MODE, SCRIPT_UID, SCRIPT_USERNAME, SDBM_DELETE_ERROR, SERVER_ADDR, SERVER_NAME, SERVER_PORT, SESSION, SESSIONID, STREAM_INPUT_BODY, STREAM_OUTPUT_BODY, TIME, TIME_DAY, TIME_EPOCH, TIME_HOUR, TIME_MIN, TIME_MON, TIME_SEC, TIME_WDAY, TIME_YEAR, TX, UNIQUE_ID, URLENCODED_ERROR, USERAGENT_IP, USERID, WEBAPPID, WEBSERVER_ERROR_LOG, XML | false |
CoreWaapService.spec.crs.responseRuleExceptions[index].metadata
Metadata (no impact on native config)
Name | Type | Description | Required |
---|---|---|---|
comment | string | Comment why the rule exception was added | false |
createdBy | string | By whom the rule exception was added | false |
date | string | Date when the rule exception was added | false |
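A CRS tuning configuration built from the settings above, as an added example that is not taken from the project's own documentation. Locations, names and the metadata values are constructed; rule 942100 (an SQL injection rule in CRS v4) stands in for whichever rule produces the false positive, the response rule class names follow the page's file-name conversion rule, and the spelling of the `methods` values is an assumption.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: example-waap-crs              # constructed name
spec:
  crs:
    mode: DETECT                      # log only while exceptions are tuned; default is BLOCK
    paranoiaLevel: 2                  # default 1; higher levels raise false positives
    securityLevel: 5                  # only effective in BLOCK mode: blocks at 1 critical anomaly
    # Response rules are off by default; enable selected classes explicitly.
    enabledResponseRules:
      - RESPONSE_950_DATA_LEAKAGES
      - RESPONSE_951_DATA_LEAKAGES_SQL
    requestBodyLimitKb: 512           # bytes beyond the limit are NOT parsed (default 128)
    responseBodyLimitKb: 256
    # Bodies at this location are not inspected at all, so keep the
    # location and method list as narrow as possible.
    requestBodyAccessExceptions:
      - location: /files/upload
        methods: [POST]               # assumed enum spelling
        regEx: false
    # Scope the exception to one rule, one location and one request part
    # instead of disabling the rule class.
    requestRuleExceptions:
      - ruleId: 942100
        location: /reports/search
        regEx: false
        requestPartType: ARGS_POST
        requestPartName: query
        metadata:                     # no impact on native config; audit trail only
          comment: Free-text search field triggers SQLi detection
          createdBy: secops
          date: "2024-01-01"          # constructed value
  routes:
    - match:
        path: /
        pathType: PREFIX
      backend:
        address: app.internal.example
        port: 8080
    # Per-route switch: disables all CRS parsing for this route only.
    - match:
        path: /metrics-ingest/
        pathType: PREFIX
      crs:
        disabled: true
      backend:
        address: ingest.internal.example
        port: 8080
```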
CoreWaapService.spec.csrfPolicy
Global CSRF protection (default on). It detects and blocks CSRF attacks based on comparing the request origin (either 'Origin' or 'Referer' header) with the request target. If the origin does not match the target and is not allowed specifically, the request will be blocked.
Name | Type | Description | Required |
---|---|---|---|
additionalOrigins | []string | Additional allowed origin values, specified as '{hostname}[:{port}]' (no scheme!); must correspond to the request target. | false |
enabled | boolean | Whether CSRF protection is enabled or not. Default: true | false |
CoreWaapService.spec.headerFiltering
Global header filtering (default is allow standard headers only)
Name | Type | Description | Required |
---|---|---|---|
logOnly | boolean | Whether header filtering should only log potentially blocked headers. Default: false | false |
request | object | Request header filtering | false |
response | object | Response header filtering | false |
CoreWaapService.spec.headerFiltering.request
Request header filtering
Name | Type | Description | Required |
---|---|---|---|
allow | []string | List of allowed header names in addition to ones in allowClass | false |
allowClass | enum | A common preset of allowed headers. Values: MINIMAL, STANDARD, RESTRICTED. Enum: MINIMAL, RESTRICTED, STANDARD. Default: STANDARD | false |
deny | []object | List of denied header names; applied after allowClass & allow | false |
enabled | boolean | Whether request header filtering is enabled or not. Default: true | false |
CoreWaapService.spec.headerFiltering.request.deny[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | Denied header name; '*' could be used in conjunction with non-blank valuePattern to match all header names | false |
valuePattern | string | Lua pattern for denied header value (see https://www.lua.org/pil/20.2.html) | false |
CoreWaapService.spec.headerFiltering.response
Response header filtering
Name | Type | Description | Required |
---|---|---|---|
allow | []string | List of allowed header names | false |
deny | []string | List of denied header names; applied after allow | false |
enabled | boolean | Whether response header filtering is enabled or not. Default: true | false |
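CSRF origin allow-listing and header filtering configured together, as an added example that is not taken from the project's own documentation. Hostnames and header names are constructed, and the deny pattern is only an illustration of Lua pattern syntax.

```yaml
apiVersion: waap.core.u-s-p.ch/v1alpha1
kind: CoreWaapService
metadata:
  name: example-waap-headers          # constructed name
spec:
  csrfPolicy:
    enabled: true                     # default; shown for clarity
    additionalOrigins:
      - portal.example.com            # '{hostname}[:{port}]', no scheme
      - portal.example.com:8443       # a non-default port is a separate entry
  headerFiltering:
    logOnly: true                     # log would-be-blocked headers first, then set to false
    request:
      enabled: true
      allowClass: RESTRICTED          # default preset is STANDARD
      allow:
        - X-Request-Id                # added on top of the allowClass preset
      deny:                           # applied after allowClass and allow
        - name: X-Forwarded-Host      # deny by name only
        - name: '*'                   # all header names, requires a non-blank valuePattern
          valuePattern: '%${'         # Lua escapes with '%', not '\': literal "${"
    response:
      enabled: true
      deny:                           # applied after allow
        - Server
        - X-Powered-By
  routes:
    - match:
        path: /
        pathType: PREFIX
      backend:
        address: app.internal.example
        port: 8080
```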
CoreWaapService.spec.operation
Operation related settings to be used for the Core WAAP Kubernetes deployment; these settings typically do not affect generated Envoy config (optional, except that the operation's image field must be set in the spec or via default in the operator config) [merge with operator defaults: config trees are merged in detail with precedence given to values in the spec, e.g. resources.limits.cpu could be defined in operator config but resources.requests.cpu in the spec; exception: lists within the config tree are completely overridden by the ones in the spec if present, which affects e.g. tolerations and lists under affinity]
Name | Type | Description | Required |
---|---|---|---|
adminInterfaceService | object | Settings for exposing the Envoy admin interface as a Kubernetes service | false |
affinity | object | Kubernetes affinity for the Core Waap pod | false |
caCertificates | object | CA Certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the file from container) | false |
image | string | Core WAAP container image, must contain a version (must be defined either in spec or operator defaults) | false |
labels | map[string]string | Map of key/value labels for the pod | false |
port | integer | Port of the Kubernetes service and Envoy listener in the Core WAAP container. Default: 8080. Minimum: 1. Maximum: 65535 | false |
priorityClassName | string | Kubernetes priorityClassName for the Core Waap pod | false |
replicas | integer | Number of replicas (default is not managed by operator). Minimum: 1 | false |
resources | object | Kubernetes resources for the Core Waap pod | false |
serviceAccount | object | Service account | false |
serviceAnnotations | map[string]string | Map of key/value annotations for the service | false |
tolerations | []object | Kubernetes tolerations for the Core Waap pod | false |
CoreWaapService.spec.operation.adminInterfaceService
Settings for exposing the Envoy admin interface as a Kubernetes service
Name | Type | Description | Required |
---|---|---|---|
enabled | boolean | Whether the Envoy admin interface should be exposed as Kubernetes service. Default: false | false |
port | integer | Port of the Kubernetes service (if enabled) and Envoy admin interface listener in the Core WAAP container. Default: 9901. Minimum: 1. Maximum: 65535 | false |
CoreWaapService.spec.operation.affinity
Kubernetes affinity for the Core Waap pod
Name | Type | Description | Required |
---|---|---|---|
nodeAffinity | object | | false |
podAffinity | object | | false |
podAntiAffinity | object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity
Name | Type | Description | Required |
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | []object | | false |
requiredDuringSchedulingIgnoredDuringExecution | object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
preference | object | | false |
weight | integer | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchFields | []object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchFields[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution
Name | Type | Description | Required |
---|---|---|---|
nodeSelectorTerms | []object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index]
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchFields | []object | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchFields[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity
Name | Type | Description | Required |
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | []object | | false |
requiredDuringSchedulingIgnoredDuringExecution | []object | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
podAffinityTerm | object | | false |
weight | integer | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object | | false |
matchLabelKeys | []string | | false |
mismatchLabelKeys | []string | | false |
namespaceSelector | object | | false |
namespaces | []string | | false |
topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object | | false |
matchLabelKeys | []string | | false |
mismatchLabelKeys | []string | | false |
namespaceSelector | object | | false |
namespaces | []string | | false |
topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity
Name | Type | Description | Required |
---|---|---|---|
preferredDuringSchedulingIgnoredDuringExecution | []object | | false |
requiredDuringSchedulingIgnoredDuringExecution | []object | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
podAffinityTerm | object | | false |
weight | integer | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object | | false |
matchLabelKeys | []string | | false |
mismatchLabelKeys | []string | | false |
namespaceSelector | object | | false |
namespaces | []string | | false |
topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
Name | Type | Description | Required |
---|---|---|---|
labelSelector | object | | false |
matchLabelKeys | []string | | false |
mismatchLabelKeys | []string | | false |
namespaceSelector | object | | false |
namespaces | []string | | false |
topologyKey | string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
Name | Type | Description | Required |
---|---|---|---|
matchExpressions | []object | | false |
matchLabels | map[string]string | | false |
CoreWaapService.spec.operation.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | | false |
operator | string | | false |
values | []string | | false |
CoreWaapService.spec.operation.caCertificates
CA Certificates for the pod, mounted at /etc/ssl/certs/ca-certificates.crt (default is to use the file from container)
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Name of the config map that contains the CA certificates | true |
key | string | Key (as in 'YAML key/value pair') in the config map that contains the CA certificates | true |
CoreWaapService.spec.operation.resources
Kubernetes resources for the Core Waap pod
Name | Type | Description | Required |
---|---|---|---|
claims | []object | | false |
limits | map[string]int or string | | false |
requests | map[string]int or string | | false |
CoreWaapService.spec.operation.resources.claims[index]
Name | Type | Description | Required |
---|---|---|---|
name | string | | false |
CoreWaapService.spec.operation.serviceAccount
Service account
Name | Type | Description | Required |
---|---|---|---|
automountToken | boolean | Whether to automount the token for the service account. Default: true | false |
name | string | Service account name. Default: default | false |
CoreWaapService.spec.operation.tolerations[index]
Name | Type | Description | Required |
---|---|---|---|
effect | string | | false |
key | string | | false |
operator | string | | false |
tolerationSeconds | integer | | false |
value | string | | false |
CoreWaapService.spec.originBlocking
Origin blocking
Name | Type | Description | Required |
---|---|---|---|
ips | []string | Allowed or denied IP addresses (CIDR notation or single IP, e.g. 1.2.3.4/32 or 1.2.3.4) | true |
policy | enum | Policy (ALLOW or DENY access depending on origin). Enum: ALLOW, DENY | true |
CoreWaapService.spec.webResources
Resources from a config map to serve as static files and/or to map status codes to error pages with dynamic content
Name | Type | Description | Required |
---|---|---|---|
configMap | string | Name of the config map that contains the web resources | true |
path | string | Path where static pages will be served (must begin and end with /) | true |
errorPages | []object | List of error pages to serve (allows dynamic content, e.g. %PROTOCOL%) | false |
staticFiles | []object | List of static file resources to serve (no dynamic content) | false |
CoreWaapService.spec.webResources.errorPages[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | Key in the config map, used as filename (Content-Type guessed from filename, encoding utf-8 for text/*) | true |
statusCode | string | Status code to apply to (also allows to e.g. use '4xx' for all client errors 400-499) | true |
mappedStatusCode | integer | Status code to send to client (defaults to upstream status code) | false |
CoreWaapService.spec.webResources.staticFiles[index]
Name | Type | Description | Required |
---|---|---|---|
key | string | Key in the config map, used as filename (Content-Type guessed from filename, encoding utf-8 for text/*) | true |
CoreWaapService.status
Name | Type | Description | Required |
---|---|---|---|
status | string | | false |