API Reference
Packages
waf.k8s.coraza.io/v1alpha1
Package v1alpha1 contains API Schema definitions for the waf v1alpha1 API group.
Resource Types
DataReference
DataReference is a reference to a RuleData object in the same namespace as the RuleSet.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | name is the name of the RuleData in the same namespace as the RuleSet. | | MaxLength: 253; MinLength: 1; Required: {} |
DriverConfig
DriverConfig configures how the WAF filter is deployed into the target. When omitted from the Engine spec, the operator uses a default driver (currently wasm for Istio). A future version may detect which Gateway API controller is in use and select a better default driver. Exactly one driver-specific configuration must match the selected type.
Validation:
- MinProperties: 0
| Field | Description | Default | Validation |
|---|---|---|---|
| `type` DriverType | type selects the driver mechanism used to deploy the WAF filter. | | Enum: [wasm]; Required: {} |
| `wasm` WasmDriverConfig | wasm contains configuration specific to the WASM driver. | | MinProperties: 0; Optional: {} |
DriverType
Underlying type: string
DriverType specifies the mechanism used to deploy the WAF filter.
Validation:
- Enum: [wasm]
| Value | Description |
|---|---|
| `wasm` | DriverTypeWasm deploys the WAF as a WebAssembly plugin. |
Engine
Engine represents an instance of a Web Application Firewall (WAF) engine.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `Engine` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `spec` EngineSpec | spec defines the desired state of Engine. | | Required: {} |
| `status` EngineStatus | status defines the observed state of Engine. | | MinProperties: 0; Optional: {} |
EngineList
EngineList contains a list of Engine resources.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `EngineList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `items` Engine array | Items is the list of Engines. | | Required: {} |
EngineSpec
EngineSpec defines the desired state of an Engine.
| Field | Description | Default | Validation |
|---|---|---|---|
| `ruleSet` RuleSetReference | ruleSet specifies the RuleSet resource that will be used to load rules into the Engine. The referenced RuleSet must be in the same namespace as the Engine. | | Required: {} |
| `target` EngineTarget | target identifies the workload that the Engine protects. The operator derives the workload selector from this reference (e.g., for Gateway targets, the GEP-1762 gateway-name label is used). | | Required: {} |
| `failurePolicy` FailurePolicy | failurePolicy determines the behavior when the WAF is not ready or encounters errors. Valid values are "Fail" (block traffic when the WAF is not ready or encounters errors) and "Allow" (allow traffic through when the WAF is not ready or encounters errors). When omitted, the user has no opinion and the platform chooses a reasonable default, which is subject to change over time. The current default is fail. | fail | Enum: [fail allow]; Optional: {} |
| `ruleSetCacheServer` RuleSetCacheServerConfig | ruleSetCacheServer contains configuration for the ruleset cache server. When omitted, no cache server is used and no rulesets are dynamically loaded; the Engine is then deployed with all rules statically embedded. | | MinProperties: 0; Optional: {} |
| `driver` DriverConfig | driver configures the mechanism used to deploy the WAF filter into the target workload. When omitted, the operator uses a default driver for the underlying Engine (e.g., WASM for Istio). | | MinProperties: 0; Optional: {} |
EngineStatus
EngineStatus defines the observed state of Engine.
Validation:
- MinProperties: 0
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | conditions represent the current state of the Engine resource. Each condition has a unique type and reflects the status of a specific aspect of the resource. Standard condition types include: "Accepted" (the target is valid and not contested by another Engine; reasons: "Accepted", "TargetNotFound", "TargetConflict"), "Ready" (the engine has been successfully deployed and is operational), "Progressing" (the resource is being created or updated) and "Degraded" (the resource failed to reach or maintain its desired state). The status of each condition is one of True, False, or Unknown. | | MaxItems: 16; MinItems: 1; Optional: {} |
EngineTarget
EngineTarget identifies the workload that the Engine protects.
| Field | Description | Default | Validation |
|---|---|---|---|
| `type` EngineTargetType | type is the type of resource being targeted. Currently only "Gateway" mode is supported, utilizing Gateway API resources. | | Enum: [Gateway]; Required: {} |
| `name` string | name is the name of the target resource in the same namespace as the Engine. For Gateway targets, the operator derives the workload selector from this name using the GEP-1762 convention (gateway.networking.k8s.io/gateway-name label). Must conform to RFC 1035 label syntax: lowercase alphanumeric or hyphens, must start with a letter and end with an alphanumeric (e.g. "my-gateway", "gw1"). This matches Kubernetes Service naming rules and ensures compatibility with Gateway implementations that derive Service names from the Gateway name. | | MaxLength: 63; MinLength: 1; Required: {} |
| `provider` EngineTargetProvider | provider identifies the infrastructure provider that manages the target workload. The provider determines which driver types are valid for the Engine. This field is immutable after creation: changing providers requires creating a new Engine resource so the controller does not need to clean up and recreate child resources from the previous driver. Currently supported providers and their allowed driver types: "Istio" supports the "wasm" driver type. Future providers may support different driver types; for example, "EnvoyGateway" will only support "dynamicModule" once implemented. When omitted, the user has no opinion and the platform chooses a reasonable default, which is subject to change over time. The current default is Istio. | Istio | Enum: [Istio]; Optional: {} |
EngineTargetProvider
Underlying type: string
EngineTargetProvider identifies the infrastructure provider managing the target workload. Each provider supports a specific set of driver types.
Validation:
- Enum: [Istio]
| Value | Description |
|---|---|
| `Istio` | EngineTargetProviderIstio indicates the target is managed by Istio. Supported driver types: "wasm". |
EngineTargetType
Underlying type: string
EngineTargetType specifies the type of resource an Engine targets.
Validation:
- Enum: [Gateway]
| Value | Description |
|---|---|
| `Gateway` | EngineTargetTypeGateway targets a Gateway API Gateway resource. |
FailurePolicy
Underlying type: string
FailurePolicy describes the failure policy for the Engine.
Validation:
- Enum: [fail allow]
| Value | Description |
|---|---|
| `fail` | FailurePolicyFail blocks traffic when the Engine is not ready or encounters errors. |
| `allow` | FailurePolicyAllow allows traffic through when the Engine is not ready or encounters errors. |
RuleData
RuleData holds data file content (e.g. for @pmFromFile) for consumption by RuleSet resources. Each entry in spec.files maps a filename to its content.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `RuleData` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `spec` RuleDataSpec | spec defines the data file content. | | Required: {} |
RuleDataList
RuleDataList contains a list of RuleData resources.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `RuleDataList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `items` RuleData array | Items is the list of RuleData. | | Required: {} |
RuleDataSpec
RuleDataSpec defines the content of a RuleData resource.
| Field | Description | Default | Validation |
|---|---|---|---|
| `files` object (keys: string, values: string) | files maps filenames to file content, used for @pmFromFile data. | | MinProperties: 1; Required: {} |
RuleSet
RuleSet represents a set of Web Application Firewall (WAF) rules.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `RuleSet` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `spec` RuleSetSpec | spec defines the desired state of RuleSet. | | Required: {} |
| `status` RuleSetStatus | status defines the observed state of RuleSet. | | MinProperties: 1; Optional: {} |
RuleSetCacheServerConfig
RuleSetCacheServerConfig defines the configuration for the RuleSet cache server.
Validation:
- MinProperties: 0
| Field | Description | Default | Validation |
|---|---|---|---|
| `pollIntervalSeconds` integer | pollIntervalSeconds specifies how often the WAF should check for configuration updates. The value is specified in seconds. When omitted, the user has no opinion and the platform chooses a reasonable default, which is subject to change over time. The current default is 15 seconds. | 15 | Maximum: 3600; Minimum: 1; Optional: {} |
RuleSetList
RuleSetList contains a list of RuleSet resources.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `RuleSetList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `items` RuleSet array | Items is the list of RuleSets. | | Required: {} |
RuleSetReference
RuleSetReference is a reference to a RuleSet resource.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | name is the name of the RuleSet in the same namespace as the Engine. | | MaxLength: 253; MinLength: 1; Required: {} |
RuleSetSpec
RuleSetSpec defines the desired state of RuleSet.
| Field | Description | Default | Validation |
|---|---|---|---|
| `sources` SourceReference array | sources is an ordered list of references to RuleSource objects in the same namespace as the RuleSet. Sources are concatenated in list order to form the aggregated SecLang string. | | MaxItems: 2048; MinItems: 1; Required: {} |
| `data` DataReference array | data is an optional list of references to RuleData objects in the same namespace as the RuleSet. Data entries are merged to provide the filesystem for @pmFromFile directives (last-listed wins on duplicate keys). | | MaxItems: 256; MinItems: 1; Optional: {} |
RuleSetStatus
RuleSetStatus defines the observed state of RuleSet.
Validation:
- MinProperties: 1
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | conditions represent the current state of the RuleSet resource. Each condition has a unique type and reflects the status of a specific aspect of the resource. Standard condition types include: "Ready" (the RuleSet has been processed and the rules have been cached), "Progressing" (the resource is being created or updated) and "Degraded" (the resource failed to reach or maintain its desired state). The status of each condition is one of True, False, or Unknown. | | MaxItems: 16; MinItems: 1; Optional: {} |
RuleSource
RuleSource holds SecLang WAF rule text for consumption by RuleSet resources.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `RuleSource` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `spec` RuleSourceSpec | spec defines the rule content. | | Required: {} |
RuleSourceList
RuleSourceList contains a list of RuleSource resources.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `waf.k8s.coraza.io/v1alpha1` | | |
| `kind` string | `RuleSourceList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | Optional: {} |
| `items` RuleSource array | Items is the list of RuleSources. | | Required: {} |
RuleSourceSpec
RuleSourceSpec defines the content of a RuleSource.
| Field | Description | Default | Validation |
|---|---|---|---|
| `rules` string | rules contains SecLang rule text. | | MaxLength: 1572864; MinLength: 1; Required: {} |
SourceReference
SourceReference is a reference to a RuleSource object in the same namespace as the RuleSet.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | name is the name of the RuleSource in the same namespace as the RuleSet. | | MaxLength: 253; MinLength: 1; Required: {} |
WasmDriverConfig
WasmDriverConfig defines configuration for deploying the Engine as a WASM plugin.
Validation:
- MinProperties: 0
| Field | Description | Default | Validation |
|---|---|---|---|
| `image` string | image is the OCI image reference for the Coraza WASM plugin. If omitted, the operator uses its configured default WASM OCI reference (`--default-wasm-image` / `CORAZA_DEFAULT_WASM_IMAGE`). | | MaxLength: 1024; MinLength: 1; Optional: {} |
| `imagePullSecret` string | imagePullSecret is the name of a Kubernetes Secret in the same namespace as the Engine that contains Docker registry credentials for pulling the WASM OCI image. | | MaxLength: 253; MinLength: 1; Optional: {} |
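The following manifests wire the four resource types above together (RuleSource and RuleData into a RuleSet, and the RuleSet into an Engine protecting a Gateway), as an added example that is not part of the operator's own documentation. The object names (`baseline-rules`, `blocked-agents`, `edge-ruleset`, `edge-waf`), the Gateway `edge-gw` (assumed to already exist in the same namespace), the rule text and the use of a bare file name with `@pmFromFile` are all assumptions.

```yaml
# All four objects must live in one namespace: every reference is namespace-local.
apiVersion: waf.k8s.coraza.io/v1alpha1
kind: RuleSource
metadata:
  name: baseline-rules
spec:
  rules: |
    SecRuleEngine On
    SecRule REQUEST_HEADERS:User-Agent "@pmFromFile blocked-agents.txt" \
      "id:100001,phase:1,deny,status:403,msg:'Blocked user agent'"
---
apiVersion: waf.k8s.coraza.io/v1alpha1
kind: RuleData
metadata:
  name: blocked-agents
spec:
  files:
    # Key is the file name that @pmFromFile resolves (constructed sample data).
    blocked-agents.txt: |
      badbot
---
apiVersion: waf.k8s.coraza.io/v1alpha1
kind: RuleSet
metadata:
  name: edge-ruleset
spec:
  sources:            # concatenated in list order into one SecLang string
    - name: baseline-rules
  data:               # merged; last-listed wins on duplicate file names
    - name: blocked-agents
---
apiVersion: waf.k8s.coraza.io/v1alpha1
kind: Engine
metadata:
  name: edge-waf
spec:
  ruleSet:
    name: edge-ruleset
  target:
    type: Gateway     # selector derived from the gateway-name label (GEP-1762)
    name: edge-gw
    provider: Istio   # immutable after creation
  failurePolicy: fail # fail closed: block traffic while the WAF is not ready
  ruleSetCacheServer:
    pollIntervalSeconds: 30   # dynamic reload; omit to embed rules statically
  driver:
    type: wasm        # image omitted: operator's default WASM OCI reference
```

Once applied, `kubectl wait --for=condition=Accepted engine/edge-waf` followed by `--for=condition=Ready` confirms that the target was claimed without conflict and that the filter is deployed, the two EngineStatus conditions that matter before routing traffic through it.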